1
Trusted Senders and Trusted Domains still sent to Junk folder
Problem reported by David O'Leary - 12/11/2023 at 12:38 PM
Submitted
I've got emails showing up in my Junk folders where the sender is a Trusted Sender and the domain is a Trusted Domain. I've attached the headers on one below though I replaced email addresses with fake ones. Some things I noticed that may have an impact:
- It appears I was BCC'd as my email address isn't listed in TO or CC.
- The email was sent through Amazonses.
- DKIM and SPF passed.

Received: from a9-1.smtp-out.amazonses.com (a9-1.smtp-out.amazonses.com [54.240.9.1]) by mail1.efficion.net with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Mon, 11 Dec 2023 08:10:59 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=sisk12;
    d=ourschool.org; t=1702303685;
    h=MIME-Version:From:To:Date:Subject:Content-Type:Content-Transfer-Encoding:Message-ID;
    bh=EOr7h8mgSV8cSWEQAwv/5T+vvSpyfvMaBCNrevKc9bc=;
    b=A/9+Kl5yhiNeGhZ5SGKolOfVbJMeFDYj8GkxcbxuWiA3a/FiTsK4HFCeHgF1OqQU
    +hN+aufG5HGsgxGru1y005dbwoCNnPHUbjeVFH2KV/fPQgf3IPibv58CyeSZ/xFjZOm
    BV64fqJxDL4XMbD/kTKiunplFh3+K0iOGY7VH6vU=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1702303685;
    h=MIME-Version:From:To:Date:Subject:Content-Type:Content-Transfer-Encoding:Message-ID:Feedback-ID;
    bh=EOr7h8mgSV8cSWEQAwv/5T+vvSpyfvMaBCNrevKc9bc=;
    b=UxN1HC3xBTMBDh4HYn6mbm5F1Empp/2sREQzarVQ5NF5FEgGJ7n1+oe/u8PRcDlh
    0UHgIzpbaqHOQy8yTaePzTAZ/UtCVIL6fF125SGxAU2/WYC+lwIzZIdOi9zeKm6kzSf
    ojqSpOq71ToUgWV0OiA0Eg7LqF3Clk3vXUlNdlnY=
MIME-Version: 1.0
From: [teacher@ourschool.ORG]
To: [myson@ourschool.org]
Date: Mon, 11 Dec 2023 14:08:05 +0000
Subject: Band Events Week of Dec. 11
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-ID: <0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@email.amazonses.com>
X-OriginalArrivalTime: 11 Dec 2023 14:08:05.0350 (UTC) FILETIME=[75E53860:01DA2C3B]
Feedback-ID: 1.us-east-1.WzVFpjKNSoTSNcAfOLQzKE0+ovVcGdghxNGL2gyFJj4=:AmazonSES
X-SES-Outgoing: 2023.12.11-54.240.9.1
X-Rcpt-To: <me@mydomain.com>
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: 0, CBL - Abuse Seat: 0, HostKarma - Blacklist, HostKarma - Brownlist: 0, SORBS - Abuse, SORBS - Dynamic IP, SORBS - Proxy, SORBS - Socks: 0, SORBS - SMTP: 0, Protected Sky:Reject, Protected Sky:warning: 0, SpamRats: 0, Truncate: 0, UCEProtect Level 2: 0, SORBS  - Spam: 15, Barracuda - BRBL: 0, UCEProtect Level 1: 0, PSBL: 0, UCEProtect Level 3: 0, VIRUS RBL - MSRBL: 0, SpamCop: 30, Spamhaus - CBL, Spamhaus - CSS, Spamhaus - PBL, Spamhaus - PBL2, Spamhaus - SBL, Spamhaus - XBL, Spamhaus - XBL2: 0, DMARC [none]: 0, ISpamAssassin [raw:0.2]: 0, DKIM [Pass]: -5, URIBL - Black, URIBL - Grey, URIBL - Multi, URIBL - Red: 0, SURBL - SpamAssassin: 0, SURBL - Abuse Buster, SURBL - JWSpamSpy, SURBL - Malware, SURBL - SpamCop: 0
X-SmarterMail-SpamDetail: 0.1 MIME_HTML_MOSTLY
X-SmarterMail-SpamDetail: 0.1 MIME_HTML_ONLY
X-SmarterMail-SpamDetail: 0.0 HTML_MESSAGE
X-SmarterMail-SpamDetail: 0.0 HTML_MIME_NO_HTML_TAG
X-SmarterMail-TotalSpamWeight: 40 (Trusted Sender - User, DMARC: None (Domain: ourschool.ORG, Reason: No DMARC record found))
X-SmarterMail-SpamAction: Medium | MoveToFolder
Owner of Efficion Consulting

6 Replies

1
Tony Scholz Replied
Employee Post
Hello, 

Looking at the header of this message you will want to look at the X-SmarterMail headers. 

X-SmarterMail-TotalSpamWeight: 40 (Trusted Sender - User, DMARC: None (Domain: ourschool.ORG, Reason: No DMARC record found))
X-SmarterMail-SpamAction: Medium | MoveToFolder

The issue here is with the DMARC record. Whether the Return-Path or the From address is used is based on whether or not DMARC passes. In this case I am betting the "Return-Path" is not in the Trusted Senders list.

This was recently implemented and we have some more details on how this works here ( https://portal.smartertools.com/kb/a3501/dmarc-in-simple-terms.aspx ). 

A good place to review this is the SMTP logs on the server. Using the Message ID you can trace this backwards. 

Search the Delivery Logs for "0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000"

This will provide a session ID number. You can then search the SMTP log for this number with "Display Related Traffic" enabled to get the full SMTP session. 

Please let me know if you have any questions.

Thank you 
~Tony



Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
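
Added example (not part of the original posts and not SmarterTools code): a small parser for the X-SmarterMail headers quoted in the reply above, showing which checks produced the weight of 40 and that the "Trusted Sender - User" annotation sits alongside a fully applied score. The field layout is inferred from the posted sample only, and the function names are hypothetical.

```python
import email
import re

# Abridged from the headers posted above (some zero-weight RBL entries trimmed).
RAW = """\
X-SmarterMail-Spam: Reverse DNS Lookup [Passed]: 0, SPF [Pass]: 0, HostKarma - Blacklist, HostKarma - Brownlist: 0, Protected Sky:Reject, Protected Sky:warning: 0, SORBS  - Spam: 15, SpamCop: 30, DMARC [none]: 0, ISpamAssassin [raw:0.2]: 0, DKIM [Pass]: -5, SURBL - Malware, SURBL - SpamCop: 0
X-SmarterMail-TotalSpamWeight: 40 (Trusted Sender - User, DMARC: None (Domain: ourschool.ORG, Reason: No DMARC record found))
X-SmarterMail-SpamAction: Medium | MoveToFolder

"""

# An entry looks like "<name>[ [result]]: <int>". Names can contain commas and
# colons (grouped RBLs, "raw:0.2"), so an entry ends only at ": <int>" followed
# by ", " or the end of the header value.
ENTRY = re.compile(r"(.+?): (-?\d+)(?:, |$)")
RESULT = re.compile(r"^(.*?)\s*\[([^\]]*)\]$")


def parse_checks(value):
    """Split the X-SmarterMail-Spam value into check / result / weight rows."""
    checks = []
    for name, weight in ENTRY.findall(value):
        m = RESULT.match(name)
        label, result = (m.group(1), m.group(2)) if m else (name, None)
        checks.append({"check": label, "result": result, "weight": int(weight)})
    return checks


def explain(raw_headers):
    """Summarise why a message got its spam weight and action."""
    msg = email.message_from_string(raw_headers)
    checks = parse_checks(msg["X-SmarterMail-Spam"])
    total_hdr = msg["X-SmarterMail-TotalSpamWeight"]
    total = int(total_hdr.split()[0])
    level, _, action = (p.strip() for p in msg["X-SmarterMail-SpamAction"].partition("|"))
    scored = {c["check"]: c["weight"] for c in checks if c["weight"]}
    trusted = "Trusted Sender" in total_hdr
    return {
        "scored": scored,                      # checks with a non-zero weight
        "sum": sum(scored.values()),
        "total": total,
        "level": level,
        "action": action,
        "trusted": trusted,
        "dmarc": next((c["result"] for c in checks if c["check"] == "DMARC"), None),
        # Annotated as trusted, yet the check weights add up to the full total.
        "trusted_but_scored": trusted and total > 0 and sum(scored.values()) == total,
    }
```

On the posted message the non-zero entries are SORBS - Spam (15), SpamCop (30) and DKIM (-5), which add up to the reported total of 40.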
0
David O'Leary Replied
I did as you said and pulled the Delivery Logs for that and pasted them below. It delivers to two addresses in my domain. Looking through the logs, there is no return-path or from address that specifies the original sender. Only the amazonses address is listed. The original sender is included in the headers for the message. This seems bad. Trusted users and domains shouldn't have to have DMARC set up correctly to bypass junk filters. It would be one thing if it failed but in this case it isn't set up.

[2023.12.11] 08:11:00.335 [31506875] Delivery started for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com at 8:11:00 AM
[2023.12.11] 08:11:03.335 [31506875] Added to SpamCheckQueue (0 queued; 1/25 processing)
[2023.12.11] 08:11:03.335 [31506875] [SpamCheckQueue] Begin Processing.
[2023.12.11] 08:11:03.335 [31506875] Blocked Sender Checks started.
[2023.12.11] 08:11:03.335 [31506875] Blocked Sender Checks completed.
[2023.12.11] 08:11:03.382 [31506875] Spam Checks started.
[2023.12.11] 08:11:03.491 [31506875] Finished running spam checks. Time (non-rbls): 116ms, Time (URIBL/RBLS): 0ms
[2023.12.11] 08:11:03.491 [31506875] Spam Check results: [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,Pass], [CBL - ABUSE SEAT: 0], [HOSTKARMA - BLACKLIST, HOSTKARMA - BROWNLIST: 0], [SORBS - ABUSE, SORBS - DYNAMIC IP, SORBS - PROXY, SORBS - SOCKS: 0], [SORBS - SMTP: 0], [PROTECTED SKY: REJECT, PROTECTED SKY results 0], [SPAMRATS: 0], [TRUNCATE: 0], [UCEPROTECT LEVEL 2: 0], [SORBS  - SPAM: 15], [BARRACUDA - BRBL: 0], [UCEPROTECT LEVEL 1: 0], [PSBL: 0], [UCEPROTECT LEVEL 3: 0], [VIRUS RBL - MSRBL: 0], [SPAMCOP: 30], [SPAMHAUS - CBL, SPAMHAUS - CSS, SPAMHAUS - PBL, SPAMHAUS - PBL2, SPAMHAUS - SBL, SPAMHAUS - XBL, SPAMHAUS - XBL2: 0], [_DMARC: 0,none], [_INTERNALSPAMASSASSIN: 0.2:0], [_DKIM: -5,Pass], [URIBL - BLACK, URIBL - GREY, URIBL - MULTI, URIBL - RED: 0], [SURBL - SPAMASSASSIN: 0], [SURBL - ABUSE BUSTER, SURBL - JWSPAMSPY, SURBL - MALWARE, SURBL - SPAMCOP: 0]
[2023.12.11] 08:11:03.491 [31506875] Spam Checks completed.
[2023.12.11] 08:11:03.788 [31506875] Removed from SpamCheckQueue (0 queued or processing)
[2023.12.11] 08:11:06.335 [31506875] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2023.12.11] 08:11:06.335 [31506875] [LocalDeliveryQueue] Begin Processing.
[2023.12.11] 08:11:06.335 [31506875] Starting local delivery to wife@myaccount
[2023.12.11] 08:11:06.897 [31506875] Process delivery status notification step from local recipient success. Recipient: [wife@myaccount], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2023.12.11] 08:11:06.897 [31506875] Delivery for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com to wife@myaccount has completed (Delivered) Filter: Spam (Weight: 40), Action (Global Level): PrefixSubject
[2023.12.11] 08:11:06.897 [31506875] End delivery to wife@myaccount (MessageID: <0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@email.amazonses.com>)
[2023.12.11] 08:11:06.897 [31506875] Starting local delivery to me@myaccount
[2023.12.11] 08:11:06.913 [31506875] Process delivery status notification step from local recipient success. Recipient: [me@myaccount], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2023.12.11] 08:11:06.913 [31506875] Delivery for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com to me@myaccount has completed (Delivered to Junk Email) Filter: Spam (Weight: 40), Action (User Level): MoveToFolder
[2023.12.11] 08:11:06.913 [31506875] End delivery to me@myaccount (MessageID: <0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@email.amazonses.com>)
[2023.12.11] 08:11:06.913 [31506875] Removed from LocalDeliveryQueue (0 queued or processing)
[2023.12.11] 08:11:09.335 [31506875] Removing Spool message: Killed: False, Failed: False, Finished: True
[2023.12.11] 08:11:09.335 [31506875] Delivery finished for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com at 8:11:09 AM    [id:31506875]
Owner of Efficion Consulting
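
Added example (not part of the original posts and not SmarterTools code): the trace described earlier in the thread, from Message ID to delivery session ID to per-recipient outcome, run over lines taken from the delivery log above. The line patterns are inferred from the posted log only, the function name is hypothetical, and one line from an unrelated session is constructed to show the filtering.

```python
import re

MESSAGE_ID = "0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000"

# Lines copied from the delivery log posted above (abridged), plus one
# constructed line from a different session (31506876).
LOG = """\
[2023.12.11] 08:11:00.335 [31506875] Delivery started for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com at 8:11:00 AM
[2023.12.11] 08:11:03.491 [31506875] Spam Checks completed.
[2023.12.11] 08:11:04.100 [31506876] Spam Checks started.
[2023.12.11] 08:11:06.897 [31506875] Delivery for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com to wife@myaccount has completed (Delivered) Filter: Spam (Weight: 40), Action (Global Level): PrefixSubject
[2023.12.11] 08:11:06.913 [31506875] Delivery for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com to me@myaccount has completed (Delivered to Junk Email) Filter: Spam (Weight: 40), Action (User Level): MoveToFolder
[2023.12.11] 08:11:09.335 [31506875] Removing Spool message: Killed: False, Failed: False, Finished: True
"""

# "[date] time [session] text"
LINE = re.compile(r"^\[(\d{4}\.\d\d\.\d\d)\] (\d\d:\d\d:\d\d\.\d{3}) \[(\d+)\] (.*)$")
# Per-recipient completion line with status, weight, action level and action.
DONE = re.compile(
    r"Delivery for \S+ to (\S+) has completed \(([^)]*)\) "
    r"Filter: (\w+) \(Weight: (-?\d+)\), Action \((\w+) Level\): (\w+)"
)


def trace(log_text, message_id):
    """Map each session ID that mentions message_id to its recipient outcomes."""
    rows = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    sessions = sorted({sid for _, _, sid, text in rows if message_id in text})
    result = {}
    for sid in sessions:
        deliveries = []
        for _, _, row_sid, text in rows:
            m = DONE.search(text) if row_sid == sid else None
            if m:
                rcpt, status, flt, weight, level, action = m.groups()
                deliveries.append({
                    "recipient": rcpt, "status": status, "filter": flt,
                    "weight": int(weight), "level": level, "action": action,
                })
        result[sid] = deliveries
    return result
```

For the posted log this yields session 31506875 with two deliveries at the same weight of 40: one with the Global Level action PrefixSubject and one with the User Level action MoveToFolder.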
0
David O'Leary Replied
I just did an MX Lookup on mxtoolbox.com for the sending domain and they do have a DMARC record specified with DMARC Quarantine/Reject policy enabled.
Owner of Efficion Consulting
0
Tony Scholz Replied
Employee Post
Hello, now you want to take the delivery session ID (31506875) and search the SMTP logs. This will show the information we are looking for. Thank you
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
0
David O'Leary Replied
Tried that but got No Results. Expanded the search dates but that didn't help. Looking at the SMTP log, it only has Connected and Disconnected entries like:
[2023.12.11] 17:55:19.185 [80.94.95.181][37208738] connected at 12/11/2023 5:55:19 PM
[2023.12.11] 17:55:19.716 [141.98.11.68][16332644] disconnected at 12/11/2023 5:55:19 PM
Owner of Efficion Consulting
1
Tony Scholz Replied
Employee Post
David, 

This is indicating that the SMTP log level is most likely set to Normal. You will want to adjust this log level to be Detailed to get the information we are looking for. Once you change this, any new connections will show what we are looking for.

This log by default is set to Detailed, so at one point one of the admins changed this to be Normal. For troubleshooting purposes I would make sure that the below logs are always set to Detailed.

Administrative
Error
SMTP 
Delivery
Spam Checks

Thank you
~Tony
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
