My own mail server is sending out mail and I don't understand why

Hello, we run an Exchange server on premise. In the image, x.x.4.44 address is my IP.

We send out through a smart host. My question is double:

  1. I do not understand where my email is leaving my organization without going through my smart host, because I only have one send connector and it HAS to send through the smart host.

  2. I have a DKIM key installed on the host as well as in my DNS, that transport rule is marked 1 in priority, so I don’t understand why it’s showing as non-compliant with DKIM.

I realize this may be out of scope for dmarcian, but I found the issue through the detail viewer, so I’m hoping someone can help point me in the right direction. Any idea on how I can research this?

While I don’t really know what is going on here, I do find that 2 culprits of little one-off type stuff like this are:

  1. an existing old user with a configured phone or Outlook from “before” we made the change that sort of subverts the new architecture

  2. calendar invites… often in combination with an old calendar configuration. For some reason calendar invites tend to be odd ducks.

1 Like

In addition to the excellent insight from Cheyenne, some other possible avenues of investigation.

As you no doubt are aware, Exchange does not support DKIM signing out of the box, so I will make the assumption you have deployed a third-party plugin to add that functionality. If “none” of the data you receive shows DKIM signing, there is a strong possibility the issue is with the implementation of that plugin. I would begin there.

If you mean that you’ve configured DKIM on your smarthost to sign as it relays out, it would make sense these are not signed if they are sent directly to the internet, bypassing your smarthost.

A common scenario why emails would go directly out is often a network rule allowing devices such as network-enabled scan-to-email devices. It may also explain the low volume.

I hope this helps.

Thanks for the replies @Asher and @cheyennethrock! Any extra brains to help me figure this out is very helpful. Sorry for the late reply, the notifications for this were being spamified and I just saw it.

I don’t think that any of the scenarios @cheyennethrock said apply to my org, but one @Asher said very well may. I wish there was a way to see what email didn’t align. I would know in a second where it came from. AFAIK, all devices are set to use my Exchange as a relay, so that’s why I don’t get why it would be coming directly from my host, but the thought that maybe there’s an approved, yet misconfigured device on the network makes sense. There’s only a few, so I’ll start poking around. Thanks for the ideas!
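
An added example, not part of any post in this thread: DMARC aggregate reports do not identify individual messages, but each row carries the source IP, message count, header-from domain and the raw DKIM results, which is enough to tell mail that was never signed (consistent with bypassing the signer) from mail whose signature failed. The sketch assumes a report in the RFC 7489 XML layout without an XML namespace; the sample report, IP addresses and `example.com` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample report; 192.0.2.44 stands in for the organisation's own
# IP and 198.51.100.10 for the smart host (both documentation ranges).
SAMPLE = """<feedback>
<record><row><source_ip>192.0.2.44</source_ip><count>3</count>
<policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.10</source_ip><count>120</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.10</source_ip><count>2</count>
<policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
<identifiers><header_from>example.com</header_from></identifiers>
<auth_results><dkim><domain>example.com</domain><result>fail</result></dkim></auth_results></record>
</feedback>"""

def classify(record):
    """Explain why a row's evaluated DKIM result is not 'pass'."""
    sigs = record.findall("auth_results/dkim")
    if not sigs:
        # No DKIM result reported: the receiver saw no signature at all,
        # which is what mail that skipped the signing hop looks like.
        return "unsigned"
    if any(s.findtext("result") == "pass" for s in sigs):
        # A signature verified, but its domain did not align with header_from.
        return "signed-not-aligned"
    # A signature was present but did not verify at the receiver.
    return "signature-failed"

def dkim_failures(xml_text):
    """Return (source_ip, count, header_from, reason) for non-passing rows."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.findtext("row/policy_evaluated/dkim") == "pass":
            continue
        rows.append((rec.findtext("row/source_ip"),
                     int(rec.findtext("row/count")),
                     rec.findtext("identifiers/header_from"),
                     classify(rec)))
    return rows

if __name__ == "__main__":
    for row in dkim_failures(SAMPLE):
        print(row)
```

Rows reported as `unsigned` from the organisation's own IP can then be matched by date range against Exchange message tracking or firewall logs for outbound port 25.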