HenrikBrown-7684 asked:

SendGrid spoofing and most secure approach

Hi folks. So here is the situation.

In our organisation we work with an external supplier. That supplier uses SendGrid to send mass mailers into our organisation.

The email address these mails come in from is spoofed so that it looks like it comes from our organisation.

We currently exclude that email address from our spam policies so we do not pick it up as spoofed.

Our security team, however, has decided that we are to find a more secure option.

From Microsoft documentation I can see that they recommend the following to manage safe senders, from most secure to least secure:

  1. Mail flow rules

  2. Outlook Safe Senders

  3. IP Allow List (connection filtering)

  4. Allowed sender lists or allowed domain lists (anti-spam policies)

Looking at mail flow rules first, I can see that it is not recommended to use a mail flow rule without any other requirement in place, like DMARC for example.

I initially thought DMARC might be an option, but I can see from the mail header for the emails from SendGrid that it seems to fail DMARC with the following error:

spf=pass (sender IP is xx.xx.xx.xxx) smtp.mailfrom=email.suppliercompany.com; lxxx.xx.xx; dkim=pass (signature was verified) header.d=suppliercompany.com;lxxx.xx.xx; dmarc=fail action=quarantine header.from suppliercompany.lxxx.xx.xx;compauth=fail reason=000

SPF and DKIM both pass, so I am unsure why DMARC then fails? The IP listed is SendGrid and we don't have this in our SPF, so I assume it passes because we are excluding the email?

If we take this out of our spam filter and send the email again, would it then fail SPF?

office-exchange-server-administration

Hi @HenrikBrown-7684,

As this is a public forum, I've removed the sensitive data like IP address and domain name included in your post for privacy concerns. It's also encouraged to remove this kind of data in your future posts to protect the personal information.
AndyDavid answered:

Instead of creating a rule, why not just allow that sending infrastructure to spoof your domain? Much easier to set up:
(This is currently rolling out, so you may not see this option for a few weeks.)



https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-worldwide#use-the-security--compliance-center-to-create-allow-or-block-spoofed-sender-entries-in-the-tenant-allowblock-list


Hi Andy,

By sending infrastructure you mean SendGrid? And by spoofed user, that would be the email address listed in the From field? (The email address our users see when the email arrives in the inbox.)

Looks like in your case:

A domain pair for a spoofed sender in the Tenant Allow/Block List uses the following syntax: <Spoofed user>, <Sending infrastructure>.

YourDomain.com, suppliercompany.com

For example, you add an allow entry for the following domain pair:

Domain: gmail.com
Infrastructure: tms.mx.com
Only messages from that domain and sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.


https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list?view=o365-worldwide#domain-pair-syntax-for-spoofed-sender-entries-in-the-tenant-allowblock-list

YukiSun-MSFT answered:

Hi @HenrikBrown-7684,

"The IP listed is SendGrid and we don't have this in our SPF, so I assume it passes because we are excluding the email?"

I don't think so, and based on my understanding, it will pass SPF even if the email address is not excluded in the spam filter.

From what I read, SPF and DKIM focus on the Return-Path in the message header, which is not necessarily the same as what is visible to the end users in the "From:" field. So my assumption is that it passes SPF because the IP listed is included in the SPF record of the domain that shows up in the Return-Path header.

As regards the failure of DMARC, it's likely due to the return-path domain not being aligned with the "From:" domain. In order for DMARC to pass, "it not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the “From” address. Only then will DMARC PASS." See the article below for more explanation about the overall logic:

All you need to know about SPF, DKIM and DMARC
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

With the above being said, would you mind clarifying a bit more about your main concern in this thread? Do you mean these spoofing mails can still reach users' Inbox even if they fail DMARC?
If this is the case, I'd suggest giving it a try by removing the email address from the spam filter exclusion list and seeing how it goes.
If it doesn't work, I assume creating a mail flow rule for emails like this could be an option. For example, the rule could be created like this:

When a message header includes... "Authentication-Results" header includes "dmarc=fail action=quarantine header.from suppliercompany.lxxxx.xx.xx;compauth=fail", reject the message...


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
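Added example (not from the thread or from Microsoft): a small DMARC alignment evaluator in Python that parses an Authentication-Results header shaped like the one quoted above and shows why SPF and DKIM can both pass while DMARC still fails. The domains and the IP in the sample header are constructed placeholders, and the organizational-domain logic is a simplification noted in the comments.

```python
import re

# Constructed sample, modelled on the header quoted in the thread.
# Domains and IP are placeholders, not real values.
SAMPLE_AUTH_RESULTS = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=email.suppliercompany.example; "
    "dkim=pass (signature was verified) header.d=suppliercompany.example; "
    "dmarc=fail action=quarantine header.from=yourdomain.example; compauth=fail reason=000"
)


def parse_auth_results(header: str) -> dict:
    """Extract each verdict and the domain it was evaluated against."""
    def grab(pattern: str):
        m = re.search(pattern, header)
        return m.group(1).lower() if m else None
    return {
        "spf": grab(r"\bspf=(\w+)"),
        "mailfrom": grab(r"smtp\.mailfrom=([\w.-]+)"),   # RFC5321.MailFrom / Return-Path
        "dkim": grab(r"\bdkim=(\w+)"),
        "dkim_d": grab(r"header\.d=([\w.-]+)"),         # DKIM signing domain
        "from": grab(r"header\.from=?\s*([\w.-]+)"),    # RFC5322.From (what users see)
    }


def org_domain(domain: str) -> str:
    # Simplification: take the last two labels as the organizational domain.
    # A real evaluator consults the Public Suffix List (e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain, from_domain, mode: str = "relaxed") -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "strict":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(header: str, mode: str = "relaxed") -> dict:
    """DMARC passes only if SPF or DKIM passes AND that identifier aligns with From."""
    r = parse_auth_results(header)
    spf_aligned = r["spf"] == "pass" and aligned(r["mailfrom"], r["from"], mode)
    dkim_aligned = r["dkim"] == "pass" and aligned(r["dkim_d"], r["from"], mode)
    return {**r, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE_AUTH_RESULTS))
```

With the sample header, both raw verdicts are pass but neither identifier aligns with yourdomain.example, so the evaluator reports dmarc_pass False, matching the thread's header.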



Hi, thank you for that detailed response.

The main issue is that I need to remove this from our anti-spam filter and then find a more secure way of allowing this email through.

Mail flow rules are suggested by Microsoft as the most secure option for allowing a 'safe sender'.

So I guess a similar approach to the one you suggest above, by only allowing emails from that sender if it has dmarc=fail action=quarantine header.from suppliercompany.lxxx.xx.xx;compauth=fail reason=000

Would that make sense?

Would that work and be more secure than excluding the email address from our anti-spam filter?

Hi @HenrikBrown-7684,

Thanks for the clarification. Then for this situation, I assume it makes sense to create a mail flow rule as you mentioned. For instance, the rule can be created as follows:
When a message header includes... "Authentication-Results" header includes "dkim=pass (signature was verified) header.d=suppliercompany.com;lxxx.xx.xx; dmarc=fail action=quarantine header.from suppliercompany.lxxx.xx.xx;compauth=fail", Set the SCL to "Bypass spam filtering":

Supposing it works, from my point of view this would be more secure than excluding the email address from your anti-spam policy, as the latter method would also let other spoofing messages from the same email address, but not sent by your supplier company, reach the users' Inbox.

Hi @HenrikBrown-7684,

I'd like to follow up with you to see how things are going with this thread. Feel free to post back if you still have further questions or concerns on this.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
