550 5.7.509 Access denied, Sending Domain Does Not Pass DMARC Verification and Has a DMARC Policy of Reject.

Post by thomas10 » 2023-10-03 04:04

Hi All,

Recently, one of the hMail users informed me that she had received a bounce-back email.
Her email was set to auto-forward to an external email address (Microsoft 365) via account rules. Meaning that:
Customer Email ---Send email---> Her hmail email ---Auto forward---> Microsoft 365 email

She ended up receiving the bounce back below.

Reporting-MTA: dns;apcprd02.prod.outlook.com
Received-From-MTA: dns;xxx.com
Arrival-Date: Mon, 2 Oct 2023 10:50:41 +0000

Final-Recipient: rfc822;"Forwarding Email Address"
Action: failed
Status: 5.7.509
Diagnostic-Code: smtp;550 5.7.509 Access denied, sending domain "customer domain.com" does not pass DMARC verification and has a DMARC policy of reject.

I have tried googling it and found that Microsoft just announced New DMARC Policy Handling.
https://techcommunity.microsoft.com/t5/ ... r%20domain.

Does anyone have an idea on this, and is there a way to overcome it?

It would be appreciated if anyone can help. Thanks.

Post by RvdH » 2023-10-03 08:45

In this instance the sender defines that whenever DMARC validation fails, the receiving mail server should reject the mail.
Because you forward that mail on that account, DMARC validation will fail; unfortunately you cannot overcome this.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Post by thomas10 » 2023-10-03 08:59

Hmm, that's bad, since it cannot be overcome, as you said. :(

Post by RvdH » 2023-10-03 09:03

Well there is one solution, stop using forwards :lol:

Post by thomas10 » 2023-10-03 09:08

Wow, what a 'solution' :lol: :lol:

Guess the forwarding can only be used within the hmail users on our own server then. :lol:

Post by RvdH » 2023-10-03 09:14

It has been known for years that DMARC kills forwarding... if:

1) alignment is strict
2) policy is set to reject

Both 1 and 2 are defined through the sending server only, so there is not much you can do as the receiving/forwarding server.
hMailServer itself does nothing regarding DMARC, but if the sending server and the server forwarded to both support DMARC, you are screwed.

Post by thomas10 » 2023-10-03 09:42

Hmm, it seems stopping the forwarding is the only way.

Just found your comment similar to this, won't the method work? :shock:

viewtopic.php?t=39877#p244454
Only way for this to work is to rewrite the EnvelopeFrom in hMailServer.INI settings, eg:

[Settings]
RewriteEnvelopeFromWhenForwarding=1

Post by glenluo » 2023-10-03 10:06

Using POP3 or IMAP to download the email will work.
fetchmail

Post by RvdH » 2023-10-03 10:09


RewriteEnvelopeFromWhenForwarding is hMailServer's limited/simple version of SRS.
That would only help to solve issues with SPF checks; if the DMARC alignment is strict, that is still not going to make any difference.
SRS rewriting/RewriteEnvelopeFromWhenForwarding does not fix the issue of DMARC passing for forwarded messages. Although an SPF check will now pass by using a rewritten P1 From address, DMARC also requires an alignment check for the message to pass. For forwarded messages, DKIM always fails because the signed DKIM domain does not match the From header domain. If an original sender sets their DMARC policy to reject forwarded messages, the forwarded messages are rejected by Message Transfer Agents (MTAs) that honor DMARC policies.

Post by mattg » 2023-10-06 02:21

RvdH wrote:
2023-10-03 10:09
That would only help to solve issues with SPF checks; if the DMARC alignment is strict, that is still not going to make any difference.
SRS rewriting/RewriteEnvelopeFromWhenForwarding does not fix the issue of DMARC passing for forwarded messages. Although an SPF check will now pass by using a rewritten P1 From address, DMARC also requires an alignment check for the message to pass. For forwarded messages, DKIM always fails because the signed DKIM domain does not match the From header domain. If an original sender sets their DMARC policy to reject forwarded messages, the forwarded messages are rejected by Message Transfer Agents (MTAs) that honor DMARC policies.
And that is the point of DMARC surely.

I set my domains to Strict and reject, and I'd expect that forwards would be rejected (In reality it doesn't happen often)

I'd do this in the client's Microsoft365 account, getting messages from your hMailServer via POP
glenluo wrote:
2023-10-03 10:06
Using POP3 or IMAP to download the email will work.
fetchmail
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
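
The DMARC decision this thread turns on, as an added example that is not part of the original posts and is not hMailServer or Microsoft code: it evaluates SPF and DKIM alignment against the From header for direct, forwarded, and envelope-rewritten delivery. The domains `customer.example` and `forwarder.example`, all function names, and the two-label organizational-domain shortcut are assumptions; the example also covers the case where an aligned DKIM signature survives the forward unchanged, which goes beyond what the thread discusses.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption/simplification: last two labels. Real validators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str               # domain of the From: header
    envelope_from: str             # domain of SMTP MAIL FROM (the "P1 From")
    spf_pass: bool                 # connecting IP authorised by envelope_from's SPF record?
    dkim_pass_domains: tuple = ()  # d= domains whose signatures verified at the receiver

def dmarc_disposition(msg, policy="reject", aspf="r", adkim="r"):
    # DMARC passes if SPF or DKIM passes AND that identifier aligns with header_from.
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, aspf)
    dkim_ok = any(aligned(d, msg.header_from, adkim) for d in msg.dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail:" + policy

def scenarios():
    # Constructed sample messages; sender policy is p=reject throughout.
    c, f = "customer.example", "forwarder.example"
    return {
        # Sent straight from the customer's own server: SPF passes and aligns.
        "direct": dmarc_disposition(Message(c, c, True)),
        # Plain forward: forwarder's IP is not in the customer's SPF record.
        "forwarded": dmarc_disposition(Message(c, c, False)),
        # Envelope rewritten to the forwarder: SPF passes, but for an unaligned domain.
        "rewritten": dmarc_disposition(Message(c, f, True)),
        # Sender's DKIM signature still verifies after the hop and aligns.
        "rewritten_dkim_intact": dmarc_disposition(Message(c, f, True, (c,))),
        # Signature from a subdomain: relaxed alignment accepts it, strict does not.
        "subdomain_dkim_relaxed": dmarc_disposition(Message(c, f, True, ("mail." + c,))),
        "subdomain_dkim_strict": dmarc_disposition(Message(c, f, True, ("mail." + c,)), adkim="s"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24} {result}")
```

The "rewritten" row is the RewriteEnvelopeFromWhenForwarding case: the SPF check itself succeeds, but only for the forwarder's domain, so it contributes nothing to the DMARC result.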
