I will try to set the scene here for an Exchange Server OWA bug we stumbled across on April 12th 2021.
GLOSSARY
- yourdomain.com is your email domain on the Exchange server
- sendersdomain.com is the domain of the person who has sent an email to you at yourdomain.com
- REDIRECT = when you send a copy of the email to another account as the SENDER
- FORWARD = when you send a copy of the email as a FWD from your own address at yourdomain.com.
The following is a list of criteria for you to experience the issue.
Criteria 1
You have configured info@yourdomain.com to send a copy to bobby@yourdomain.com and andy@yourdomain.com. This is normal; a lot of companies do this so that they can distribute the emails.
Criteria 2
You have received the original message from sendersdomain.com and it is actually in your inbox, but straight after that you have received a MAILER-DAEMON message which has all the diagnostic/bounce information.
That bounce message will contain a lot of information, but most importantly it will have the following line in it.
mx1.emailsrvr.com
Remote Server returned '<mx1.emailsrvr.com #5.7.1 smtp; 550 5.7.1 Email rejected per DMARC policy for sendersdomain.com (G15)>'
Criteria 3
To do the initial copying to the two accounts, inside of info@ you will have set up a rule in OWA like below:
- After the message arrives and..
- Apply to all messages
- Do the following...
- REDIRECT the message to bobby@yourdomain.com and andy@yourdomain.com.
So for any email sent to info@, a copy goes to bobby@ and andy@.
The Issue/Bug in Exchange Server
When you use the REDIRECT rule in OWA, it sends the email to your other accounts as if it were being sent by the original sender, in this case bob@sendersdomain.com. What happens then is that a bug in OWA/Exchange replaces the DMARC record with the one from your domain, and if the DMARC setting at sendersdomain.com has the REJECT rule in it, OWA will bounce the email, even though, oddly enough, it accepted it into the info@ account in the first place.
Here is an example of the DMARC record at sendersdomain.com; notice it has the reject rule.
"v=DMARC1; p=reject; pct=100; rua=mailto:dmarcaggregate@sendersdomain.com; ruf=mailto:dmarcforensic@sendersdomain.com;"
One solution might be to contact the admin for sendersdomain.com and ask them to remove the reject rule, but in a lot of cases, this is not practical.
Our Solution/Workaround
This problem is not going to happen with all domains, so a workaround is to write a rule specifically for sendersdomain.com that applies FORWARDING. Remember, FORWARDING is different from REDIRECTING.
So, create a new rule like the one below that uses FORWARDING instead of REDIRECTING. This will eliminate the DMARC lookup because when using forwarding in OWA, you are essentially sending from the info@ account, so DMARC will pass.
So now in your rules for info@ you will have your special rule for sendersdomain.com.
Job done!
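Since only sender domains that publish a reject policy hit this bounce, the following Python example (added here, not part of the original post) parses DMARC TXT records and lists the domains that need the dedicated FORWARD rule. The records are passed in as strings so it runs offline; the function names and the .example domains are assumptions made for illustration.

```python
# Added example: decide from a sender domain's DMARC record whether a
# REDIRECT rule (original From: kept) will bounce and needs a FORWARD rule.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; None if it is invalid."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            return None              # malformed tag without '='
        tags[name.strip().lower()] = value.strip()
    # RFC 7489: the first tag must be exactly v=DMARC1
    first = parts[0].partition("=") if parts else ("", "", "")
    if first[0].strip().lower() != "v" or first[2].strip() != "DMARC1":
        return None
    return tags


def redirect_risk(txt):
    """Return 'reject', 'quarantine' or 'none' for the published policy.
    pct is ignored on purpose: any pct > 0 can still hit a given message."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "none"                # no valid record: nothing is enforced
    policy = tags.get("p", "none").lower()
    return policy if policy in ("reject", "quarantine") else "none"


def domains_needing_forward(records):
    """records maps domain -> DMARC TXT string (or None if no record).
    Returns the sorted domains with p=reject, which bounce under REDIRECT."""
    return sorted(d for d, txt in records.items() if redirect_risk(txt) == "reject")


# Constructed sample data; the first record is the one quoted in the post.
SAMPLE = {
    "sendersdomain.com": '"v=DMARC1; p=reject; pct=100; '
                         'rua=mailto:dmarcaggregate@sendersdomain.com; '
                         'ruf=mailto:dmarcforensic@sendersdomain.com;"',
    "relaxed.example": "v=DMARC1; p=none; rua=mailto:dmarc@relaxed.example",
    "strict.example": "v=DMARC1;p=reject",
    "nodmarc.example": None,                  # no DMARC record published
    "broken.example": "p=reject; v=DMARC1",   # version tag not first: invalid
}

if __name__ == "__main__":
    print(domains_needing_forward(SAMPLE))
```

The record for a real domain is the TXT entry published at _dmarc.<domain>; fetch it with your usual DNS tool and pass the string in.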