Header Envelope Fields And Tracking
In short, when and where does Exchange add the Envelope From fields in the mail flow? Can I use EMS to find emails missing the Envelope From field or if the field is null / empty? In other words, can I track the Envelope From field to pinpoint when emails are sent without the Envelope From field?
We are working to clean up our sender authentication focusing on what we can fix quickly here internally. However, the DMARC reports are not clear enough to explain why we are failing SPF. Even using a DMARC subscription tool.
We have our Exchange server (on prem) which sends to an encryption gateway (on prem and DKIM signer) and that sends to a security gateway (cloud). The DMARC reports show Domain1 and Domain2 as ours and we see the DKIM signature, thus proving it is coming from our internal email server.
What I do not understand is how ~10% of the time Domain3 changes to our security gateway which uses the allowed IP netblock that we include in our SPF record, but it fails SPF. Looking into the SPF records of that sending domain (Domain3), there are no existing SPF records which may explain the failing. One DMARC report includes enough information that shows when Domain3 is the security gateway, the “envelope_from” field is empty. When the “envelope_from” field contains our address, Domain3 maintains our domain and it passes SPF.
To reiterate, when in the mail flow does Exchange add the Envelope From field? Can that be tracked? What addresses would not add / include the envelope from field, e.g. distribution groups, shared mailboxes, or unauthenticated senders? I would be grateful for any information on this, even if it is argumentative, as that would hopefully lead me in a better direction.
I am trying New-TransportRule -Name "Find Empty Envelope From" -HeaderContainsMessageHeader "envelope" -HeaderContainsWords "envelope","envelope from","envelope_from" -ExceptIfRecipientDomainIs "workdomain.com" -BlindCopyTo (my work address) to just track any email that may contain an envelope to or from field, to get more specific later. Zero hits in a few hours of having it in place.
Justin
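One check that can be run on the DMARC aggregate (RUA) XML itself, added here as an example and not part of the original post: it pulls out every record whose envelope_from is absent or empty and reports the source IP, the domain SPF was evaluated against and the SPF result, so the fraction of traffic with no envelope sender can be tied to a specific relay rather than read off a dashboard. The report below is a constructed sample in the RFC 7489 Appendix C layout; the IPs and domains are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 Appendix C aggregate-report layout (not a real report).
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count><policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><envelope_from>example.com</envelope_from><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>4</count><policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_from></envelope_from><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>gateway.example.net</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count><policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>198.51.100.7</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def _text(node, path):
    """Stripped text of a child element; '' when the element is absent or empty."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else ""

def empty_envelope_from(xml_text):
    """One dict per <record> whose envelope_from is absent or empty.
    The schema makes envelope_from optional, so absent and empty are treated alike."""
    hits = []
    for rec in ET.fromstring(xml_text).iter("record"):
        if _text(rec, "identifiers/envelope_from"):
            continue  # envelope sender present: SPF was evaluated against it
        hits.append({
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count") or 0),
            "header_from": _text(rec, "identifiers/header_from"),
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "spf": _text(rec, "row/policy_evaluated/spf"),
        })
    return hits

def by_source(xml_text):
    """Message count per (source_ip, spf_domain, spf_result) for the empty-envelope records."""
    totals = Counter()
    for r in empty_envelope_from(xml_text):
        totals[(r["source_ip"], r["spf_domain"], r["spf"])] += r["count"]
    return dict(totals)
```

Run it over a directory of unzipped RUA files and the (source_ip, spf_domain) pairs that dominate the empty-envelope count are the hops to look at; in the sample, 4 of the 44 messages from 192.0.2.10 were evaluated against the gateway's own domain with no envelope sender, which is the pattern described in the question.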