DMARC is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. (Source: Wikipedia)
Yes, DMARC is fully supported in all ERS mail flow scenarios, either natively or through product-supported methods.
| ERS MAIL FLOW | DMARC |
|---|---|
| Mail Sent to External Recipients | Natively Supported |
| Mail Sent to Cross-Tenant Recipients | Natively Supported |
| Mail Received from External Recipients | Product Supported |
| Mail Received from Cross-Tenant Recipients | Natively Supported |
Table 1: Supported DMARC Mail Flow Scenarios
Product supported means that Power365 maintains domain authenticity through internal methods, ensuring that the message received by the originating Microsoft 365 tenant was DMARC compliant before it is rewritten and redirected to the destination Microsoft 365 tenant.
In other words, Power365 ERS will verify the rewritten email and sign it with a secret key, so that when it is received by the destination Microsoft 365 tenant, transport rules can verify its authenticity and then deliver it to the intended user.
Natively supported means that DKIM domain alignment is achieved when an ERS rewritten email is sent or received. Therefore, DMARC will pass when received without interruption by the intended recipient domain.
DMARC is supported natively for all ERS users when sending mail outbound to an external domain recipient or across to a neighboring Microsoft 365 tenant. Simply choose the accepted domains in use during your project setup of the DKIM signatures. This will ensure the required domains are signed to achieve domain alignment and pass DMARC. The project wizard will guide you through the process.
When an ERS user receives a reply email from an external user, it is rewritten back to the original email address. This disrupts domain alignment, and Exchange Online Protection will by default mark such emails as SPAM, delivering them to the end user’s junk email folder.
It’s very easy to do. Simply set up a new action in one of the ERS transport rules. When ERS is deployed in each tenant environment, transport rules are created to manage the flow of mail for ERS users only.
This new action will allow only ERS-validated emails to bypass SPAM and be delivered directly to the end user’s inbox.
During this deployment, a rule named “BT-IntegrationPro-In-DKIM” is created and configured in each Microsoft 365 tenant in scope for Email Rewrite Services.
Follow these steps to set up a new action in the ERS Transport Rule using the Exchange Admin Center.
- Log in to the Exchange Admin Center with your Exchange Online Administrator or higher role account.
- Navigate to Mail Flow, Rules.
- Locate the rule named BT-IntegrationPro-In-DKIM.
- Click Edit.
- Click Add Action.
- From the Do the following… field, select Modify the Message Properties.
- Select set the spam confidence level (SCL).
- Set the specified SCL to Bypass spam filtering.
- Select OK.
- Select Save.
PowerShell may also be used to modify the rule. Here is an example.
Set-TransportRule "BT-IntegrationPro-In-Dkim" -SetSCL -1
See the Set-TransportRule documentation for more information.
Yes, additional actions are supported on this rule. For example, it may be desired that a disclaimer be added to these ERS emails informing the recipient they are safe and were rewritten by our authorized service provider. Another common example is to prepend to the subject line that this is an ERS email. This provides additional awareness to the end users receiving and sending these types of email.
If additional actions are added to this rule, please validate that the changes do not impact any functionality. Do not modify the rule order or add rules that reorder the ERS rules.
Yes, Power365 health monitoring will recreate any rules that it created for ERS. If ERS is disabled in your project, all rules will automatically be removed from all tenant environments.
No, any additional actions you may have added to the rule must be added again to the newly created rule.
You may easily use Exchange Online PowerShell to export your rules to a CSV file as a backup. For example, here is a script that will export all rules created by Power365 during the ERS deployment.
Get-TransportRule BT-Integration* | Export-Csv "C:\Users\$env:USERNAME\Downloads\BT-Integration_TransportRules.csv" -NoTypeInformation
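Because a recreated rule loses any actions you added, the following added example (not Power365 or Quest code) snapshots the custom actions mentioned on this page and re-applies only those that are missing or changed. It assumes an existing Exchange Online PowerShell session; the function names and the snapshot path are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
$RuleName = 'BT-IntegrationPro-In-DKIM'   # rule name taken from this page
$Snapshot = Join-Path $env:USERPROFILE 'Downloads\BT-IntegrationPro-In-DKIM.actions.json'  # hypothetical path

# Custom actions this page discusses: SCL bypass, subject prefix, disclaimer.
$Tracked = 'SetSCL', 'PrependSubject', 'ApplyHtmlDisclaimerText',
           'ApplyHtmlDisclaimerLocation', 'ApplyHtmlDisclaimerFallbackAction'

function Save-ErsRuleActions {
    # Record the tracked action values that are currently set on the rule.
    $rule  = Get-TransportRule -Identity $RuleName -ErrorAction Stop
    $saved = [ordered]@{}
    foreach ($name in $Tracked) {
        $value = "$($rule.$name)"
        if ($value -ne '') { $saved[$name] = $value }
    }
    $saved | ConvertTo-Json | Set-Content -Path $Snapshot -Encoding UTF8
}

function Restore-ErsRuleActions {
    # Compare the live rule with the snapshot and re-apply only the drift.
    $rule   = Get-TransportRule -Identity $RuleName -ErrorAction Stop
    $saved  = Get-Content -Path $Snapshot -Raw | ConvertFrom-Json
    $params = @{}
    foreach ($prop in $saved.PSObject.Properties) {
        if ("$($rule.($prop.Name))" -ne $prop.Value) {
            $params[$prop.Name] = $prop.Value
        }
    }
    if ($params.Count -eq 0) {
        Write-Output "No drift on $RuleName"
        return
    }
    Write-Output "Restoring on ${RuleName}: $($params.Keys -join ', ')"
    Set-TransportRule -Identity $RuleName @params
}

# Typical use: run Save-ErsRuleActions after customizing the rule,
# and Restore-ErsRuleActions after the rule has been recreated.
```

After a restore, validate mail flow as described above, since the rule order must remain unchanged.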