I’m seeing a couple of failures for dkim and spf when emails are going through an Avanan forwader.
Can someone please clarify the 0% and dkim survival meanings?
Does this mean dkim is surviving but failing dmarc or that dkim is not surviving at all? Just unsure how to interpret this information.
Thanks!
From what I understand about DKIM survival, it doesn’t gurantee DKIM success on receiving end. Because DKIM fails on several reasons, especially on forwarding, such as URL rewriting, subject modification, and so on.
If you click “-” on left of server name, you can check DKIM result. It shows DKIM signature domain and DKIM result and alignment result. It might help you figure out more from those info.
Avanan seems like an email security service. So I guess email body was modified somehow, which caused DKIM body hash mismatch, resulting DKIM failure.
I had similar problems with Proofpoint forwarders. This is usually beyond cotrol of senders. So there is nothing we can do about. Please correct me someone if I am wrong.
Thanks!
Hi James and welcome to the forums!
There are two important topics to discuss here. First, DKIM survival. The reason the product expresses forwarding in this way is that SPF rarely helps indirect mail flow pass DMARC. This is often due to sender rewriting schemes (SRS), or simply because the forwarding server isn’t listed in the sending domain’s SPF record. DKIM plays a crucial role in ensuring that indirect mail flow, which is beyond your control, can still pass DMARC.
That being said, Avenan is a special case. Along with unique Microsoft reporting behavior regarding DMARC, this can create some confusing data. Avenan is a security product that is set up “in line” with the domain’s email flow. Let’s imagine the domain example.com uses Avenan.
Example.com has MX records pointing to Microsoft 365. Once an email is received, a special connector sends it to an Avenan SMTP server for additional scanning and analysis. After processing, Avenan sends the email back into Microsoft 365 via the domain’s MX record, using an IP whitelist connection filter to bypass spam scanning and email authentication failures.
Sender → MS365 → Avenan → Back to MS365 → Inbox.
The final piece of the puzzle is that Microsoft sends DMARC aggregate reports for all emails checked for DMARC, regardless of whether the sender is whitelisted. In the example above, two counts will be reported by Microsoft in DMARC reports: once when the email is first received from the sender, and again when the email is sent back into MS365 from Avenan. Even though MS365 may report a DMARC failure from Avenan, no enforcement will be applied due to the connection whitelist as part of the product’s setup.
In conclusion, as long as Avenan is set up properly according to the vendor’s directions, the owner of the Avenan service won’t experience any DMARC failures, and this data can safely be ignored.
I hope this helps!
Yes that helps thank you very much!
Does this then mean that one message was quarantined and one wasn’t? Is there any way to know if this was actually received/quarantined or can I safely ignore this too? This screenshot follows on from the above one.
DMARC reporting includes a function where a receiver can provider an override reason should a whitelist prevent a domain’s DMARC policy from applying. Microsoft does not provide this reason, and will report the action as it should be, not necessarily as it was. There is no way to know, unless you are the recipient of the email in question, whether there was a whitelist in place or not in the case of data reported by Microsoft.
That being said, as long as Avenan was setup correctly, no emails would be impacted, so the action of “none” would be applied in the context of DMARC. If there is an issue with the setup, the domain owner will notice due to interruption in the mail flow between their MS tenant and Avenan and it is their responsibility to take action.
