Geekzone: technology news, blogs, forums


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


#298911 27-Jul-2022 09:31

We have an old application that sends various reports via email both internally and externally. It uses an even older mailer called BLAT. This is integrated into the app and we don't have any way to change it.

 

We use Microsoft 365 for email, and have configured a connector to relay the emails coming from this application. We have configured a connector in 365 to relay the outbound email. The connector is locked down to the application server's public IP.

 

SPF, DKIM, and DMARC are configured (although DMARC is currently set to not enforce any policy).

 

The outbound emails from the application pass DMARC without any issues, yet in the past couple of months they are more and more often being flagged as spam by the recipients - including ones sent to our own internal users.

 

Does anyone have any ideas? Would enforcing a DMARC policy make any difference since the emails in question are passing DMARC anyway?

 

Below are the DMARC test results from an email generated by the application.

 





SirHumphreyAppleby
2939 posts

Uber Geek
+1 received by user: 1860


  #2946821 27-Jul-2022 10:42

Does anyone have any ideas? Would enforcing a DMARC policy make any difference since the emails in question are passing DMARC anyway?

 

DKIM and SPF are important, but I've found having a DMARC policy makes little difference. The best you can probably do is flag the messages as not spam.

 

I recently set up an e-mail system for a startup. The site generates quite a few short notification e-mails and the DMARC policy is set to only notify. None of the Microsoft domains (or any customer domains pointing to an Outlook MX) seem to have had any delivery problems.

 

I would do an RBL check on your hosts to see if they are blacklisted anywhere.

 

Are the recipients on Microsoft-hosted domains or are they appearing as spam elsewhere? E.g. in Gmail.




outdoorsnz
694 posts

Ultimate Geek
+1 received by user: 303

ID Verified

  #2946822 27-Jul-2022 10:44

Have you added all the external IP addresses to the SPF record? i.e. The mail relay, office 365 etc.

 

Check that you are not on a blacklist. Handy website to check all records. https://mxtoolbox.com/spf.aspx

 

Also look at the content of the email as some of the wording might be similar to spam emails...

 

Do you have errors in the mail logs?


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2946879 27-Jul-2022 11:23

SirHumphreyAppleby:

 

DKIM and SPF are important, but I've found having a DMARC policy makes little difference. The best you can probably do is flag the messages as not spam.

 

I recently set up an e-mail system for a startup. The site generates quite a few short notification e-mails and the DMARC policy is set to only notify. None of the Microsoft domains (or any customer domains pointing to an Outlook MX) seem to have had any delivery problems.

 

I would do an RBL check on your hosts to see if they are blacklisted anywhere.

 

Are the recipients on Microsoft-hosted domains or are they appearing as spam elsewhere? E.g. in Gmail.

 

 

Flagging the messages as safe is fine for internal recipients, but I'd rather avoid asking a large number of our customers to whitelist our domain.

 

The recipients I've looked at have all been Microsoft so far, but I do need to check some others.

 

We aren't blacklisted anywhere, and all other emails from us to the same recipients go straight into their inboxes - it's only the ones from this application. We also have scan to email from some MFPs using the same connector and those don't get flagged either.




Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2946880 27-Jul-2022 11:28

outdoorsnz:

 

Have you added all the external IP addresses to the SPF record? i.e. The mail relay, office 365 etc.

 

Check that you are not on a blacklist. Handy website to check all records. https://mxtoolbox.com/spf.aspx

 

Also look at the content of the email as some of the wording might be similar to spam emails...

 

Do you have errors in the mail logs?

 

 

Yep, SPF record is definitely correct. Not on any blacklist. Nothing in our logs to indicate any problem.

 

Subject lines, message bodies, and attachments vary greatly. The only commonality I can see is that they are all coming from this one application.

 

EDIT: Actually, most (possibly all) have blank message bodies. They just have a subject line and attachment. That could be it I suppose?


SirHumphreyAppleby
2939 posts

Uber Geek
+1 received by user: 1860


  #2946892 27-Jul-2022 11:51

Paul1977:

 

EDIT: Actually, most (possibly all) have blank message bodies. They just have a subject line and attachment. That could be it I suppose?

 

 

Assuming other messages from the same recipient are going through the same systems, then it's almost certainly related to the content of the message. A blank message body with an attachment probably does look a bit suspect to some people.

 

Do you have any control over how Blat is used at all? If the app is just calling the 'blat' binary in a directory, you could try updating it to the latest version or creating a .cmd script and use CMail or PowerShell to send the actual message with some additional content to make it look a little less spam-like.


outdoorsnz
694 posts

Ultimate Geek
+1 received by user: 303

ID Verified

  #2946911 27-Jul-2022 13:05

Paul1977:

 

EDIT: Actually, most (possibly all) have blank message bodies. They just have a subject line and attachment. That could be it I suppose?

 

 

I wonder if the attachment is what is getting flagged as potentially unsafe? But I'm guessing that inlining the attachment as a link in the message body could be a PITA. Check with the relay website if they have any suggestions around attachments.

 

Edit. Spark Post Attachment Advice. https://support.sparkpost.com/docs/user-guide/sending-attachments


 
 
 

muppet
2643 posts

Uber Geek
+1 received by user: 1660

Trusted

  #2946914 27-Jul-2022 13:31

I find getting yourself into dnswl.org helps - that (whitelist) RBL is checked by SpamAssassin at least.

 

Another good way to test why it's spam is https://www.mail-tester.com/

 

 


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2947196 28-Jul-2022 09:10

outdoorsnz:

 

I wonder if the attachment is what is getting flagged as potentially unsafe? But I'm guessing that inlining the attachment as a link in the message body could be a PITA. Check with the relay website if they have any suggestions around attachments.

 

Edit. Spark Post Attachment Advice. https://support.sparkpost.com/docs/user-guide/sending-attachments

 

 

I don't think it's the attachment. If I compose the same message in Outlook (same subject line, same attachment) there is no issue.

 

muppet:

 

I find getting yourself into dnswl.org helps - that (whitelist) RBL is checked by SpamAssassin at least.

 

Another good way to test why it's spam is https://www.mail-tester.com/

 

 

Mail-tester gives a score of 7.5/10 (or "almost perfect").

 

However, doing some testing by adding content to the message body it seems less likely to be flagged (sending to my personal 365 email address). Just need to test with a few variations of "disclaimers" I can add to the message body that work.

 

To do this via the app I'd have to modify every report individually (there are a lot). But I should instead be able to add them with an Exchange transport rule to only add it to emails that have "BLAT" in the headers.


jhsol
102 posts

Master Geek
+1 received by user: 27


  #2947583 28-Jul-2022 21:29

Just an FYI, DMARC doesn't mean it bypasses spam filters; it's a tool to reduce the spoofing of emails from your domain (as well as provide a way to tell external mail servers what to do with those that attempt to spoof with a quarantine or block flag).

 

So if it's being flagged as spam, it most likely is to do with its content. I had a similar issue where my email signature was causing it to get flagged by spam when I had a URL to make a Teams call to me (and I also had DMARC compliance with my emails). Weirdly enough, it was always when I sent it to external O365 users.

 

I would start off with the content of the email and begin by stripping out any attachments, images and URL links from the email and begin from there. Then slowly add them back in one by one. 


freitasm
BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2947587 28-Jul-2022 22:05

Either the above or the SPF record is faulty - have you checked it to make sure any domain doesn't resolve past ten IP addresses (the limit)?






 


SirHumphreyAppleby
2939 posts

Uber Geek
+1 received by user: 1860


  #2947675 29-Jul-2022 06:13

freitasm:

 

Either the above or the SPF record is faulty - have you checked it to make sure any domain doesn't resolve past ten IP addresses (the limit)?

 

 

I think you mean the ten DNS query limit as each record can contain multiple IPs and subnets and include other records by reference (hence the query limit).
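
The distinction drawn in the reply above, as an added example that is not part of the thread: literal `ip4`/`ip6` entries cost no DNS queries, while `include`, `a`, `mx`, `ptr`, `exists` and `redirect` each count toward the limit of ten in RFC 7208 section 4.6.4. The domains and records in `ZONE` are constructed sample data, and the count is a static worst case (a real evaluation stops at the first matching mechanism).

```python
# Added example: statically count the DNS-querying terms reachable from a
# domain's SPF record. ZONE is constructed sample data, not real DNS.
ZONE = {
    "example.test": "v=spf1 ip4:203.0.113.10 include:spf.mailhost.test "
                    "include:_spf.crm.test mx -all",
    "spf.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "_spf.crm.test": "v=spf1 include:a.crm.test include:b.crm.test a:out.crm.test ~all",
    "a.crm.test": "v=spf1 ip4:192.0.2.0/25 -all",
    "b.crm.test": "v=spf1 ip4:192.0.2.128/25 exists:%{i}.rbl.crm.test -all",
}

LOOKUP_LIMIT = 10                                  # RFC 7208 section 4.6.4
QUERYING = {"include", "a", "mx", "ptr", "exists"}  # mechanisms that query DNS


def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying terms reached from domain's record."""
    if domain in path:                             # include/redirect cycle
        raise ValueError(f"SPF loop via {domain}")
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    path = path + (domain,)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        if term.lower().startswith("redirect="):   # modifier, also one query
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()          # "a/24", "mx/24" carry a CIDR
        if name in QUERYING:
            total += 1
            if name == "include":                  # nested record counts too
                total += count_lookups(arg, zone, path)
    return total


def within_limit(domain, zone):
    """True when the record stays at or under the ten-query limit."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("spf.mailhost.test", "example.test"):
        print(name, count_lookups(name, ZONE), within_limit(name, ZONE))
```
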


 
 
 
 

freitasm
BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2947685 29-Jul-2022 08:22

Yes, about that.






 


Paul1977

5171 posts

Uber Geek
+1 received by user: 2192


  #2947797 29-Jul-2022 13:02

Definitely not faulty SPF, and isn't near the query limit.

 

Spam Assassin (via mail-tester) identified a couple of issues, all due to the BLAT mailer, but not enough that they should be getting blocked.

 

As far as content goes, there isn't anything to strip except the attachment - and the attachment is required.

 

I'm now using a transport rule to add a simple disclaimer text "This email was automatically generated by company_name" so the message body is no longer completely empty. Will just have to see how that goes.

