Invisible Email Servers
It's possible for an email server to be completely hidden from DMARC reports.
In some circumstances, it's possible for an email server to be completely hidden from DMARC reports. This can happen if you have a server which only sends mail to servers that do not provide DMARC reports, like Microsoft Office365 and Proofpoint.
If you visit dmarcian's public DMARC Data Providers report, you can inspect the volume of reports sent by different email providers. You'll notice the absence of both Microsoft and Proofpoint if you search the results. The fact that these two companies play such a huge role in the global email space while refusing to participate in one of the most important aspects of its security needs to be called out more often.
Sean Whalen, a consultant, wrote about both of these issues in detail, including workaround guides. Proofpoint initially tried to force customers to pay for their Email Fraud Defense service just to get aggregate reports from their own email gateway, but have since rolled the option into Proofpoint Essentials as a setting for an administrator to turn on. Microsoft claims to support sending reports as a Public Preview feature, but none were visible in dmarcian's public report. DMARC is a decade old and widely adopted at this point. There's really no excuse for the actions of these two.
But there are consequences. If your company is using an email system that doesn't provide reports and you have an email system that only sends emails internally, it won't show up on the reports at all. So it's invisible.
Sean came up with a way to work around this situation with Proofpoint in his above article:
“As a less than ideal workaround for this problem, Proofpoint customers can create a Policy Route that matches on message From headers that end with their domains, and then create a DMARC policy in Proofpoint that applies to that route, and configure the policy to copy any messages that fail DMARC to a separate quarantine folder for later review. That way, they can at least get samples of the emails that failed DMARC, even though they won’t show up in third party analytics.”
- Sean Whalen
Ulrich Baum, a DMARC consultant from RedSift, shared a client story on LinkedIn about this exact situation.
“They couldn't identify all senders, and missed a pet project of a board member which couldn't send for a couple days, which led to the entire DMARC project being cancelled.”
- Ulrich Baum
The good news is that a situation like this is only likely to happen with internal projects as described above. Email sent to customers will likely be delivered to a variety of mail servers, some of which will provide proper reports. Sean's workaround is a great way to expose this problem on your own email gateways.
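One way to look for such invisible servers, as an added example that is not from the original article: compare the hosts in your own outbound mail logs against the source IPs in the aggregate reports you did receive. The reports, log entries, IPs and domains below are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample aggregate reports, trimmed to the RFC 7489 fields used here.
# Real reports arrive from third parties: parse them with a hardened XML parser.
REPORTS = [
    """<feedback><report_metadata><org_name>google.com</org_name></report_metadata>
    <record><row><source_ip>192.0.2.10</source_ip><count>42</count></row></record>
    <record><row><source_ip>192.0.2.20</source_ip><count>3</count></row></record>
    </feedback>""",
    """<feedback><report_metadata><org_name>Yahoo</org_name></report_metadata>
    <record><row><source_ip>192.0.2.10</source_ip><count>7</count></row></record>
    </feedback>""",
]

# Constructed outbound log entries: (sending host IP, recipient domain).
# Assumption: you can export these pairs from your own MTA or gateway logs.
OUTBOUND = [
    ("192.0.2.10", "gmail.com"), ("192.0.2.10", "yahoo.com"),
    ("192.0.2.20", "gmail.com"), ("192.0.2.20", "corp.example"),
    ("192.0.2.30", "corp.example"),  # internal-only application server
]

def reported_sources(reports):
    """Map each source_ip seen in any report to {reporting org: message count}."""
    seen = defaultdict(dict)
    for xml_text in reports:
        root = ET.fromstring(xml_text)
        org = root.findtext("report_metadata/org_name")
        for row in root.iter("row"):
            ip = row.findtext("source_ip")
            seen[ip][org] = seen[ip].get(org, 0) + int(row.findtext("count"))
    return dict(seen)

def invisible_senders(outbound, reports):
    """Return {ip: recipient domains} for hosts that sent mail but are in no report."""
    seen = reported_sources(reports)
    recipients = defaultdict(set)
    for ip, domain in outbound:
        recipients[ip].add(domain)
    return {ip: sorted(doms) for ip, doms in recipients.items() if ip not in seen}

if __name__ == "__main__":
    for ip, domains in invisible_senders(OUTBOUND, REPORTS).items():
        print(f"{ip} appears in no DMARC report; it only sends to: {', '.join(domains)}")
```

Hosts returned by `invisible_senders` are the ones to review before tightening the DMARC policy, since no aggregate report will ever show whether their mail passes.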
This article was originally published on as part of a 3 part DMARC Guide at Brightball.