Score:6

Mail from Teams forwarded to Gmail marked as spam due to DMARC failure

cn flag

When I write a chat message in Microsoft Teams the receiver gets an e-mail notification on her Office 365 account ([email protected]) when she is offline in Teams. The receiver set it up so that all her mails are forwarded to her personal Gmail account ([email protected]). For normal mails sent to [email protected] this works as expected. But all Teams notifications are marked as spam. Google says that DMARC fails (see below).

We have a custom DNS server with the following TXT records:

TXT records for htlvb.at

Google shows the following details for the received mail:

Google check result

And the following message source:

Delivered-To: [email protected]
Received: by 2002:a05:6102:22c6:0:0:0:0 with SMTP id a6csp126141vsh;
        Tue, 28 Sep 2021 20:57:32 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzoIoMngWwglBmEptt30Zo9LbSYdi+h60ylB7JYY70zFSXHQNhbDjrM0JhFd+XgdPAeZKJj
X-Received: by 2002:a92:ca4e:: with SMTP id q14mr3941013ilo.233.1632887852170;
        Tue, 28 Sep 2021 20:57:32 -0700 (PDT)
ARC-Seal: i=4; a=rsa-sha256; t=1632887852; cv=pass;
        d=google.com; s=arc-20160816;
        b=uZnSPh2our1xDKqBgznYVmLU4MHkWy+9WfIBcYxGbuAOiHypyYi2pU3yByqTWDxC3m
         XD8lQzitQmtWzWPozdJmWv6DFJW5eSVogISaSrA6i8qY2wBhk8ZlukHsKjWLlRTsWD/Q
         TJa+99FG/eIio0EDYtVW+2d+WlVN9qMei8Ap/aaA1snA27wHv91lUsAGLNI2kUUvwsMA
         omJAMvTBBCgGtEa6V8s4Z7nWhkGGpwwRnxaCefPwqBCZ8QMVy8zYmk/JGTVcSSTSQdQk
         bqWRkoJlrscnt3JLAA4WUpYdNcpORAi8WuuoXs+w6uxzNxfg2EpcvNWIOwBFvOm/WVVq
         FoUg==
ARC-Message-Signature: i=4; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:subject:date:to:from:mime-version
         :authentication-results-original:dkim-signature:resent-from
         :dkim-signature;
        bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=;
        b=tD4Bp23ESAoj05NCp/jRzInE1sMlGqNZXOsi+nnUWfyER5TWbdIsKLsKelvGxJ7Hr9
         nFt6HHQPcLHU8rzXLLZPYxDpx4AawW5jYgM3JDKxYxyPYN5NNgBqiI2GL7Vfj5QyLDS8
         /+ABSoHsePowqp/x3y9RnTtmcv6XQAr8vZ0EoUMhr3udPI0Hi4z0orBjT9aHnfT9BDHK
         v0AX75QnZ8zZ16Y3yNCnYLj9xc9lJaZMwzZsE4zmddCI7d2GGvdXJXueJf/R29Ev+uPy
         Pcb2C4OnukH2eA4vPQ7HVvoyZiAlEyO79Ijb7mUkv697n+k+2N33g5GD5dz7bpPPKOP5
         VXvw==
ARC-Authentication-Results: i=4; mx.google.com;
       dkim=pass [email protected] header.s=selector2-htlvbat-onmicrosoft-com header.b=oGc7014X;
       dkim=fail [email protected] header.s=selector1 header.b=ljvyhPFv;
       arc=pass (i=3 spf=pass spfdomain=email.teams.microsoft.com dkim=pass dkdomain=email.teams.microsoft.com dmarc=pass fromdomain=email.teams.microsoft.com);
       spf=pass (google.com: domain of [email protected] designates 40.107.22.86 as permitted sender) [email protected];
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=microsoft.com
Return-Path: <[email protected]>
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2086.outbound.protection.outlook.com. [40.107.22.86])
        by mx.google.com with ESMTPS id d71si1114034jac.48.2021.09.28.20.57.31
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 28 Sep 2021 20:57:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 40.107.22.86 as permitted sender) client-ip=40.107.22.86;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=selector2-htlvbat-onmicrosoft-com header.b=oGc7014X;
       dkim=fail [email protected] header.s=selector1 header.b=ljvyhPFv;
       arc=pass (i=3 spf=pass spfdomain=email.teams.microsoft.com dkim=pass dkdomain=email.teams.microsoft.com dmarc=pass fromdomain=email.teams.microsoft.com);
       spf=pass (google.com: domain of [email protected] designates 40.107.22.86 as permitted sender) [email protected];
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=microsoft.com
ARC-Seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=b+84dTGQqJMxRJKr8rYlWitQtwVGW2kp+a6GE5F5iSIj0PYQPep5WRaZHRSogvC5ls4vqdRJy3jlh9c+Zrz/K79huChB6ukIfw7HARZlgA5CKId+HvDzIRuemRfA/mxIwTjagVz1jw4AmeR1TPAdcG53snUGO/mDuuA7Ys8RZGmXCmAJfABGfyHQb/intViZUCYqt/mQqjcOM5/OaAeJUfOwzq3ekqvBa31Tl5R4JBuSWrtOrlpwoiIUe4lFZLGKpltpal/78cnJ/0uZ7YduremGJQBsSLxgUEYgsyE6NzSNH0CBpPrhGtFVoFMf9ntav6WMvo9Y6qFX1ywNlB7eXg==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=; b=SYnqBFHFzvqDK90FmxKlOYC0bYq2uYl6B+mdZl24zrxgHOoEnLca8n1ITM/+M6eq0yXOzpWJXSqHCUmA/FRm//MoIMs4ob/ItGcL3tF/2LSdAwAX87QQZRaolNUos6r/UTACzkgwq5J+bC20//qkCX9GT2Y+eT3fidJtd9keokM99Veh8eNz40fhF7pgoQJkY1HlPLSbuEddB6ubPEw4EvU96J8oFZrxIC8L74Yr1ffhya1e538snyRWhOLytaeJhcQbjX6mUMrAvYncQwURCcF2/8qxqOgumP+LFGg+ipa9SdXmrRlR4IYS9fqVwqW6MpRtlo64N+jLBk5yXqFn0g==
ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is 40.107.244.74) smtp.rcpttodomain=htlvb.at smtp.mailfrom=email.teams.microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=email.teams.microsoft.com; dkim=pass (signature was verified) header.d=email.teams.microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=email.teams.microsoft.com] dmarc=[1,1,header.from=email.teams.microsoft.com])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=htlvbat.onmicrosoft.com; s=selector2-htlvbat-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=; b=oGc7014X1+Xj25a1pciXq6R30XWnUOXIK7WKXpZYFhnL4qKYecdNRR6yOmNxGGyELGM+XJeDVbNkDK8ovcUq5xImeR0MhRB0eaoBeJ8ym+YkNQp+uH+V1NSh6kJr1gJPPg+d5NTYKNWTjKivjEJhsa26KW1FLDU5zaCjWPTHJ5E=
Resent-From: <[email protected]>
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=dvpLCi52bG/QTgI6BkP3kkpbW1QbZrV2Q0/PAuSCC/7mGLhLSrDte8Pm8+sdw+UU1Vl7aM+UoIhpIh+9jBC/G7Sy8VPBPqINbCTm7oLwBbmsNuW69HtCTW2wO/B6W/AUpEZFsnnnLWBJNV2LIF1i8oD5fonJzMW9zSPNFuKPlLtEoDuNG9TLs5wd+bd8fX0nmdz97c2Gx6l8DN6/8ixg/cMP4U47bB/mrtTe1sJXzpqCVmbLjk/ntvDyy8PMJfcY/ppg301HuYLglAniO85mxyKgwR1af0EEHbkJ5dV/CBpxFzDcGqaYXmVUUarILtWzl6gjN4yw57T9wo+X3tultA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=; b=GaDbstOQWFP9Prnc3xX3BRtSNw7Z/gKFUdSmcJDF22BtGftNV+PfSUWPf+BuC8Hcxe9DlC0aI+V2RxBb2WCaf8WDg+QrJq+1KtbwLLKhmbK8iGc+QZ+0WPHieEskSVy5X0u4UIkCFvM4DCHKKlfZNU9yCFXplHC5HxCPtS9sGPCCjbeExQ0V0fL6EYjI6OjKcIif9V8Kf17HJhpEBtj4LWATbCH8b+V/1Uo9K/9jGJmVcdfpFYgaCeLiskG4ts70VRtztj+4Z8Lg/pKKKhg2rWbzfz6Qa9V+0XRLRns+Q59N3VxQ1DP400nHy0FmU/Cg6SbuH2oMyfRaLOe2DZob1w==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 40.107.244.74) smtp.rcpttodomain=htlvb.at smtp.mailfrom=email.teams.microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=email.teams.microsoft.com; dkim=pass (signature was verified) header.d=email.teams.microsoft.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=email.teams.microsoft.com] dmarc=[1,1,header.from=email.teams.microsoft.com])
Received: from SV0P279CA0027.NORP279.PROD.OUTLOOK.COM (2603:10a6:f10:12::14) by HE1PR0101MB2284.eurprd01.prod.exchangelabs.com (2603:10a6:3:24::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.18; Wed, 29 Sep 2021 03:57:25 +0000
Received: from HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com (2603:10a6:f10:12:cafe::15) by SV0P279CA0027.outlook.office365.com (2603:10a6:f10:12::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.14 via Frontend Transport; Wed, 29 Sep 2021 03:57:25 +0000
Authentication-Results: spf=pass (sender IP is 40.107.244.74) smtp.mailfrom=email.teams.microsoft.com; htlvb.at; dkim=pass (signature was verified) header.d=email.teams.microsoft.com;htlvb.at; dmarc=pass action=none header.from=email.teams.microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of email.teams.microsoft.com designates 40.107.244.74 as permitted sender) receiver=protection.outlook.com; client-ip=40.107.244.74; helo=NAM12-MW2-obe.outbound.protection.outlook.com;
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (40.107.244.74) by HE1EUR01FT063.mail.protection.outlook.com (10.152.1.51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.13 via Frontend Transport; Wed, 29 Sep 2021 03:57:24 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RscPHkD9NUWEZDU6mMlRUlnrkr10VueiAbO5UCtKQESHJGV8/MXj7WUe3MTz4TTZ85CG0fPo7A6xegE85fEiCo7OeW1MExWfcaiOI3D/TVx3kxN4eCQ8jZDHpvM8Wj/6TBMqv0QT8l1v/Pj0DyEuNUktExRfWdCLnBMommkZSAVc11Pr0RuLt+NOpNnv7GHiZKyYW04RxiwaWLaDQlg8VCMtSrjDqVr9sT9MiihEhRrrlwkuU08OWHRRUSFQvL7robHFWJfmWsWBcuBrK2/SQPmCcsgvd8qyX8JDYrh/OSBf2AfXYNjGP4FKFffWDg14LOaJ/JtxwOSu8kw+xZtz8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=; b=GAACYoHRtSgpZSnvtRg/AqWzgagFvrGsAdZYP2lTwLjksAtr2HU6+xsL8/6ot/8TPYxHFMnIm6ZECCy97dcRi3WMzP61ZK8sgrnpgmSrdYs5nHXn5Ss1+wAE+Y3r31IKjQl+JXjdMXBbq3q/L+TCZg5b5XAdPG4zN2ZqIwkx+RCtJ254eI1J0amt+mnU5/kubHr1SpnGFOOH9UNCCGCvlkUEqXBHjHPwTUXXf7hA8v8c7bBifaoBwEqsxbzj8hlRkXm5588xLoYDiFCYVSP3CDX2nKw4EgrQzQZhs4RNMBUioHbNthecNr54f6BTKG0ZdyyLJA73uUZGABErIqwcAw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 52.169.9.119) smtp.rcpttodomain=htlvb.at smtp.mailfrom=email.teams.microsoft.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=email.teams.microsoft.com; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.teams.microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=; b=ljvyhPFvTOVOMZ8FnU0+gaKZ584PM1fgE/iFYRhdSuxqweo1cjiyQB7WKIxAByvytt49b4SeCGLs234qzjqNtNtoE2O/2KdDhcQYcWJJ1fNT7zhdKMo1dtMyxXshOPtz6IyibKjQl/qXDgMO1pWp70J7M/UK57ZhK4HxiNPBa0s=
Received: from BN0PR04CA0116.namprd04.prod.outlook.com (2603:10b6:408:ec::31) by BN6PR2001MB1028.namprd20.prod.outlook.com (2603:10b6:404:a5::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.18; Wed, 29 Sep 2021 03:57:21 +0000
Received: from BN8NAM12FT067.eop-nam12.prod.protection.outlook.com (2603:10b6:408:ec:cafe::f2) by BN0PR04CA0116.outlook.office365.com (2603:10b6:408:ec::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.14 via Frontend Transport; Wed, 29 Sep 2021 03:57:21 +0000
Authentication-Results-Original: spf=pass (sender IP is 52.169.9.119) smtp.mailfrom=email.teams.microsoft.com; htlvb.at; dkim=none (message not signed) header.d=none;htlvb.at; dmarc=pass action=none header.from=email.teams.microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of email.teams.microsoft.com designates 52.169.9.119 as permitted sender) receiver=protection.outlook.com; client-ip=52.169.9.119; helo=RD2818788C64D3;
Received: from RD2818788C64D3 (52.169.9.119) by BN8NAM12FT067.mail.protection.outlook.com (10.13.182.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.7 via Frontend Transport; Wed, 29 Sep 2021 03:57:20 +0000
MIME-Version: 1.0
From: Teamsuser in Teams <[email protected]>
To: [email protected]
Date: 29 Sep 2021 03:57:20 +0000
Subject: Teamsuser sent a message
Content-Type: multipart/related; type="text/html"; boundary=--boundary_1532582_b1ce148d-f829-4e2c-bdd5-7c28f0654e00
Message-ID: <[email protected]>
Return-Path: [email protected]
X-EOPAttributedMessage: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f530b62b-f065-4402-534b-08d982fd3f5e
X-MS-TrafficTypeDiagnostic: BN6PR2001MB1028:|HE1PR0101MB2284:
X-Microsoft-Antispam-PRVS: <HE1PR0101MB2284639849CCE83E988AE61CB0A99@HE1PR0101MB2284.eurprd01.prod.exchangelabs.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:741;OLM:741;
X-MS-Exchange-SenderADCheck: 0
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: h/7Tw6AbOKIHHYkQBtHZfNkSxgOMVt8CrtiVq6s0bx6F986IyxuAroO9U85klZ3YmnfQcT7bswk+uvuHaV3LOtsN3UwNShznERu4oz2rz1vhK/fHBH/uNxKcImO9YxjMX2WBrpFj1vJdJ2h4mQr2XWiShPwEfs8tD19T2h3pyQIYXzK58IIHlV6f3Q+xn55NTSXjpX/TEnJkptcN6KrsuF+9WksjKhl8p7WhiItZjLbz/K9M7HtogJoTwoybcdRCbG3mfNNBPY+ABUYrVm01bbkRgTduVdOHEEv/PUmLajB2cwW45EGT5ykmWv7rpOf8E8R1BXuegUEYhvW8WTdV9LdAG86Y4vWv6pjfXpABlmtEH15XxJRVx9xqa0/WpJZs0b1uQxmhCO/oRcdMX/pcgKsYNI8hiwvRHvca5Y4KA3oSSVTm4s7SG9yHtC8i5Wfjn5CX4GpcHL4m8dwX6tgnwAG4qQfloM17gcUP1MRo2p0UN9OtPJXwcFi4jUSBMYmpXBw8HQIalj234k+VNJFD0ilPrfromhWlklekO9e+OCJkwV34VaVMGBpLPTSOSbb4365D7Giqvi63HpSFks4iHWhz42fyUU5F7oTzvudzTOj9WuwqeD1G2FtEzEvaI2Nb0grtESjzBHJvezkL24D0LrcKJ7GbF3vHZSsgFZcckyf+oX9CMXfRWsqWoXoyx5SMPnzKfE3vmpg157bX92nVBeGOMfmj6wIlk2oXllEGKPThmjtklmJxLCSIUU9bI2LO
X-Forefront-Antispam-Report-Untrusted: CIP:52.169.9.119;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:RD2818788C64D3;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(316002)(7066003)(2906002)(9686003)(36906005)(83380400001)(956004)(508600001)(15650500001)(336012)(6916009)(36736006)(31696002)(5660300002)(166002)(8936002)(6496006)(186003)(81166007)(33964004)(31686004)(10290500003)(52230400001)(19627405001)(121820200001)(26005)(6486002)(68406010)(66576008)(8676002)(86362001)(356005)(18121605002);DIR:OUT;SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2001MB1028
X-EOPTenantAttributedMessage: 81de7086-f6b3-4e4b-9faf-18d4a406e66d:0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted: HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: a3122bf3-1f58-4a70-b044-08d982fd3cc8
X-LD-Processed: 81de7086-f6b3-4e4b-9faf-18d4a406e66d,ExtFwd
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: T4eFMp/jMeVmho5YpcyGuy83bu7Ez80FJyv75fXrnABkWlotQUCpo7T3mi64vRaltFHz1NXjFn0yV2z85TezXO0YQR+KeIx1/nEVnZE37LpAiKKGbvONwl3QhTt90HNZSnT8sHY+zfbdUUXlAtQi5JBOOZ3YQcpj/h/7F0h1f4naRFFFlKEQXNyffZZChzVEEAy2wdyCKtN/FtppRbLEFedf187DpRYG3uBzxKdWNiFEMM8Jx/E4/kUmqIkRuM4z7FnO1bxXoKThZIKvQ5jhgzL5yILBnjpzKE5gtqBnTu3DTmDusLOADcc4sLTCHb31xSiRepzjCnYBknqwKMtD5S1Y33Mg+1FDfEFpezPYylQ6mUSzOfBXkZ5r0/M8AsSP7haegpy3CSciwoAebhoBPhuSYTi0QFJJjlTTnMsUiR5KFCYnsWqgLWbmCtzW9sF27t26g1kQMIYQGkZGpSRbHI9kxatE5uXRi476ykGIp0lz62wltpV2Ay+cDvY6DdVa4LvCS4u0QdL1BJiJxASynNqlDPPFF17uF7fDeTjqYc4l+aGcS7lsNRAPQwmQOvKFJ1ET3RfHEAD1uOQ2P+pTLRtyCOXwJmfD7aI4QmZqrNd8PnIaSR99clB01elvc62Nr7xPlxHMnetGCeqjdG12yRIkV0bcRVH3AlqWqa+5TgHFiYD3lOzg4J3Ty+oeE4UB7AlNAA75h5IgNpIj0Sy+j/L9AvPU4Dg9Mp/AV/4DqoauBloHFozC6RMNIgawLv3dM+/EYLqTFSNAhF58rUEkZXveRi4NBuQC0qpEUS38m7c=
X-Forefront-Antispam-Report: CIP:40.107.244.74;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-MW2-obe.outbound.protection.outlook.com;PTR:mail-mw2nam12on2074.outbound.protection.outlook.com;CAT:NONE;SFS:(7066003)(8676002)(33964004)(336012)(19627405001)(15650500001)(6496006)(9686003)(7636003)(34206002)(83380400001)(70586007)(5660300002)(956004)(26005)(36736006)(31696002)(121820200001)(36906005)(6486002)(10290500003)(31686004)(786003)(68406010)(316002)(2906002)(166002)(66576008)(86362001)(52230400001)(508600001)(18121605002);DIR:OUT;SFP:1101;
X-ExternalRecipientOutboundConnectors: 81de7086-f6b3-4e4b-9faf-18d4a406e66d
X-MS-Exchange-ForwardingLoop: [email protected];81de7086-f6b3-4e4b-9faf-18d4a406e66d
X-OriginatorOrg: htlvb.at
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Sep 2021 03:57:24.6461 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f530b62b-f065-4402-534b-08d982fd3f5e
X-MS-Exchange-CrossTenant-Id: 81de7086-f6b3-4e4b-9faf-18d4a406e66d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=e36bbca1-9fe2-47ad-87fe-6012ed72a406;Ip=[52.169.9.119];Helo=[RD2818788C64D3]
X-MS-Exchange-CrossTenant-AuthSource: HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0101MB2284

----boundary_1532582_b1ce148d-f829-4e2c-bdd5-7c28f0654e00
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64

... body truncated ...

The receiver not only forwards the mail, but she also keeps the original message in her Office 365 mailbox. Here are the headers of the same mail:

Received: from HE1PR0101MB2284.eurprd01.prod.exchangelabs.com
 (2603:10a6:3:24::24) by AM9PR01MB8298.eurprd01.prod.exchangelabs.com with
 HTTPS; Wed, 29 Sep 2021 03:57:30 +0000
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
 b=dvpLCi52bG/QTgI6BkP3kkpbW1QbZrV2Q0/PAuSCC/7mGLhLSrDte8Pm8+sdw+UU1Vl7aM+UoIhpIh+9jBC/G7Sy8VPBPqINbCTm7oLwBbmsNuW69HtCTW2wO/B6W/AUpEZFsnnnLWBJNV2LIF1i8oD5fonJzMW9zSPNFuKPlLtEoDuNG9TLs5wd+bd8fX0nmdz97c2Gx6l8DN6/8ixg/cMP4U47bB/mrtTe1sJXzpqCVmbLjk/ntvDyy8PMJfcY/ppg301HuYLglAniO85mxyKgwR1af0EEHbkJ5dV/CBpxFzDcGqaYXmVUUarILtWzl6gjN4yw57T9wo+X3tultA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=;
 b=GaDbstOQWFP9Prnc3xX3BRtSNw7Z/gKFUdSmcJDF22BtGftNV+PfSUWPf+BuC8Hcxe9DlC0aI+V2RxBb2WCaf8WDg+QrJq+1KtbwLLKhmbK8iGc+QZ+0WPHieEskSVy5X0u4UIkCFvM4DCHKKlfZNU9yCFXplHC5HxCPtS9sGPCCjbeExQ0V0fL6EYjI6OjKcIif9V8Kf17HJhpEBtj4LWATbCH8b+V/1Uo9K/9jGJmVcdfpFYgaCeLiskG4ts70VRtztj+4Z8Lg/pKKKhg2rWbzfz6Qa9V+0XRLRns+Q59N3VxQ1DP400nHy0FmU/Cg6SbuH2oMyfRaLOe2DZob1w==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 40.107.244.74) smtp.rcpttodomain=htlvb.at
 smtp.mailfrom=email.teams.microsoft.com; dmarc=pass (p=reject sp=reject
 pct=100) action=none header.from=email.teams.microsoft.com; dkim=pass
 (signature was verified) header.d=email.teams.microsoft.com; arc=pass (0
 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=email.teams.microsoft.com]
 dmarc=[1,1,header.from=email.teams.microsoft.com])
Received: from SV0P279CA0027.NORP279.PROD.OUTLOOK.COM (2603:10a6:f10:12::14)
 by HE1PR0101MB2284.eurprd01.prod.exchangelabs.com (2603:10a6:3:24::24) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.18; Wed, 29 Sep
 2021 03:57:25 +0000
Received: from HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
 (2603:10a6:f10:12:cafe::15) by SV0P279CA0027.outlook.office365.com
 (2603:10a6:f10:12::14) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.14 via Frontend
 Transport; Wed, 29 Sep 2021 03:57:25 +0000
Authentication-Results: spf=pass (sender IP is 40.107.244.74)
 smtp.mailfrom=email.teams.microsoft.com; htlvb.at; dkim=pass (signature was
 verified) header.d=email.teams.microsoft.com;htlvb.at; dmarc=pass action=none
 header.from=email.teams.microsoft.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of
 email.teams.microsoft.com designates 40.107.244.74 as permitted sender)
 receiver=protection.outlook.com; client-ip=40.107.244.74;
 helo=NAM12-MW2-obe.outbound.protection.outlook.com;
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (40.107.244.74)
 by HE1EUR01FT063.mail.protection.outlook.com (10.152.1.51) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4544.13 via Frontend Transport; Wed, 29 Sep 2021 03:57:24 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=RscPHkD9NUWEZDU6mMlRUlnrkr10VueiAbO5UCtKQESHJGV8/MXj7WUe3MTz4TTZ85CG0fPo7A6xegE85fEiCo7OeW1MExWfcaiOI3D/TVx3kxN4eCQ8jZDHpvM8Wj/6TBMqv0QT8l1v/Pj0DyEuNUktExRfWdCLnBMommkZSAVc11Pr0RuLt+NOpNnv7GHiZKyYW04RxiwaWLaDQlg8VCMtSrjDqVr9sT9MiihEhRrrlwkuU08OWHRRUSFQvL7robHFWJfmWsWBcuBrK2/SQPmCcsgvd8qyX8JDYrh/OSBf2AfXYNjGP4FKFffWDg14LOaJ/JtxwOSu8kw+xZtz8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=;
 b=GAACYoHRtSgpZSnvtRg/AqWzgagFvrGsAdZYP2lTwLjksAtr2HU6+xsL8/6ot/8TPYxHFMnIm6ZECCy97dcRi3WMzP61ZK8sgrnpgmSrdYs5nHXn5Ss1+wAE+Y3r31IKjQl+JXjdMXBbq3q/L+TCZg5b5XAdPG4zN2ZqIwkx+RCtJ254eI1J0amt+mnU5/kubHr1SpnGFOOH9UNCCGCvlkUEqXBHjHPwTUXXf7hA8v8c7bBifaoBwEqsxbzj8hlRkXm5588xLoYDiFCYVSP3CDX2nKw4EgrQzQZhs4RNMBUioHbNthecNr54f6BTKG0ZdyyLJA73uUZGABErIqwcAw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
 52.169.9.119) smtp.rcpttodomain=htlvb.at
 smtp.mailfrom=email.teams.microsoft.com; dmarc=pass (p=reject sp=reject
 pct=100) action=none header.from=email.teams.microsoft.com; dkim=none
 (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=email.teams.microsoft.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=E55te+wP9yN3LiE6nhkfEQO75W71gJHR8kTe2/Df0Tw=;
 b=ljvyhPFvTOVOMZ8FnU0+gaKZ584PM1fgE/iFYRhdSuxqweo1cjiyQB7WKIxAByvytt49b4SeCGLs234qzjqNtNtoE2O/2KdDhcQYcWJJ1fNT7zhdKMo1dtMyxXshOPtz6IyibKjQl/qXDgMO1pWp70J7M/UK57ZhK4HxiNPBa0s=
Received: from BN0PR04CA0116.namprd04.prod.outlook.com (2603:10b6:408:ec::31)
 by BN6PR2001MB1028.namprd20.prod.outlook.com (2603:10b6:404:a5::23) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.18; Wed, 29 Sep
 2021 03:57:21 +0000
Received: from BN8NAM12FT067.eop-nam12.prod.protection.outlook.com
 (2603:10b6:408:ec:cafe::f2) by BN0PR04CA0116.outlook.office365.com
 (2603:10b6:408:ec::31) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4566.14 via Frontend
 Transport; Wed, 29 Sep 2021 03:57:21 +0000
Authentication-Results-Original: spf=pass (sender IP is 52.169.9.119)
 smtp.mailfrom=email.teams.microsoft.com; htlvb.at; dkim=none (message not
 signed) header.d=none;htlvb.at; dmarc=pass action=none
 header.from=email.teams.microsoft.com;
Received-SPF: Pass (protection.outlook.com: domain of
 email.teams.microsoft.com designates 52.169.9.119 as permitted sender)
 receiver=protection.outlook.com; client-ip=52.169.9.119; helo=RD2818788C64D3;
Received: from RD2818788C64D3 (52.169.9.119) by
 BN8NAM12FT067.mail.protection.outlook.com (10.13.182.153) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.4566.7 via Frontend Transport; Wed, 29 Sep 2021 03:57:20 +0000
MIME-Version: 1.0
From: "=?utf-8?B?el90ZXN0c2NodWVsZXIgel90ZXN0c2NodWVsZXIgaW4gVGVhbXM=?="
 <[email protected]>
To: [email protected]
Date: 29 Sep 2021 03:57:20 +0000
Subject: =?utf-8?B?el90ZXN0c2NodWVsZXIgc2VudCBhIG1lc3NhZ2U=?=
Content-Type: multipart/related; type="text/html";
 boundary=--boundary_1532582_b1ce148d-f829-4e2c-bdd5-7c28f0654e00
Message-ID:
 <[email protected]>
Return-Path: [email protected]
X-EOPAttributedMessage: 1
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f530b62b-f065-4402-534b-08d982fd3f5e
X-MS-TrafficTypeDiagnostic: BN6PR2001MB1028:|HE1PR0101MB2284:
X-Microsoft-Antispam-PRVS:
 <BN6PR2001MB10281AD7543FDFF6DA55E203B0A99@BN6PR2001MB1028.namprd20.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:741;OLM:741;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original:
 h/7Tw6AbOKIHHYkQBtHZfNkSxgOMVt8CrtiVq6s0bx6F986IyxuAroO9U85klZ3YmnfQcT7bswk+uvuHaV3LOtsN3UwNShznERu4oz2rz1vhK/fHBH/uNxKcImO9YxjMX2WBrpFj1vJdJ2h4mQr2XWiShPwEfs8tD19T2h3pyQIYXzK58IIHlV6f3Q+xn55NTSXjpX/TEnJkptcN6KrsuF+9WksjKhl8p7WhiItZjLbz/K9M7HtogJoTwoybcdRCbG3mfNNBPY+ABUYrVm01bbkRgTduVdOHEEv/PUmLajB2cwW45EGT5ykmWv7rpOf8E8R1BXuegUEYhvW8WTdV9LdAG86Y4vWv6pjfXpABlmtEH15XxJRVx9xqa0/WpJZs0b1uQxmhCO/oRcdMX/pcgKsYNI8hiwvRHvca5Y4KA3oSSVTm4s7SG9yHtC8i5Wfjn5CX4GpcHL4m8dwX6tgnwAG4qQfloM17gcUP1MRo2p0UN9OtPJXwcFi4jUSBMYmpXBw8HQIalj234k+VNJFD0ilPrfromhWlklekO9e+OCJkwV34VaVMGBpLPTSOSbb4365D7Giqvi63HpSFks4iHWhz42fyUU5F7oTzvudzTOj9WuwqeD1G2FtEzEvaI2Nb0grtESjzBHJvezkL24D0LrcKJ7GbF3vHZSsgFZcckyf+oX9CMXfRWsqWoXoyx5SMPnzKfE3vmpg157bX92nVBeGOMfmj6wIlk2oXllEGKPThmjtklmJxLCSIUU9bI2LO
X-Forefront-Antispam-Report-Untrusted:
 CIP:52.169.9.119;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:RD2818788C64D3;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(316002)(7066003)(2906002)(9686003)(36906005)(83380400001)(956004)(508600001)(15650500001)(336012)(6916009)(36736006)(31696002)(5660300002)(166002)(8936002)(6496006)(186003)(81166007)(33964004)(31686004)(10290500003)(52230400001)(19627405001)(121820200001)(26005)(6486002)(68406010)(66576008)(8676002)(86362001)(356005)(18121605002);DIR:OUT;SFP:1101;
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR2001MB1028
X-MS-Exchange-Organization-ExpirationStartTime: 29 Sep 2021 03:57:25.1118
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 f530b62b-f065-4402-534b-08d982fd3f5e
X-EOPTenantAttributedMessage: 81de7086-f6b3-4e4b-9faf-18d4a406e66d:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Transport-CrossTenantHeadersStripped:
 HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-Transport-CrossTenantHeadersPromoted:
 HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthSource:
 HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Office365-Filtering-Correlation-Id-Prvs:
 a3122bf3-1f58-4a70-b044-08d982fd3cc8
X-LD-Processed: 81de7086-f6b3-4e4b-9faf-18d4a406e66d,ExtFwd
X-MS-Exchange-Transport-Forked: True
X-MS-Exchange-Organization-SCL: 1
X-Microsoft-Antispam: BCL:1;
X-Forefront-Antispam-Report:
 CIP:40.107.244.74;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:NAM12-MW2-obe.outbound.protection.outlook.com;PTR:mail-mw2nam12on2074.outbound.protection.outlook.com;CAT:NONE;SFS:(286005)(7066003)(8676002)(33964004)(336012)(19627405001)(15650500001)(6496006)(9686003)(7636003)(8636004)(83380400001)(956004)(26005)(6916009)(36736006)(31696002)(36906005)(6486002)(10290500003)(31686004)(166002)(58800400005)(86362001)(52230400001)(1096003)(18121605002);DIR:INB;
X-MS-Exchange-ForwardingLoop:
 ForwardingHandled;81de7086-f6b3-4e4b-9faf-18d4a406e66d
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Sep 2021 03:57:24.6461
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f530b62b-f065-4402-534b-08d982fd3f5e
X-MS-Exchange-CrossTenant-Id: 81de7086-f6b3-4e4b-9faf-18d4a406e66d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=e36bbca1-9fe2-47ad-87fe-6012ed72a406;Ip=[52.169.9.119];Helo=[RD2818788C64D3]
X-MS-Exchange-CrossTenant-AuthSource:
 HE1EUR01FT063.eop-EUR01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0101MB2284
X-MS-Exchange-Transport-EndToEndLatency: 00:00:05.6837007
X-MS-Exchange-Processed-By-BccFoldering: 15.20.4566.014
X-Microsoft-Antispam-Mailbox-Delivery:
    ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506458)(944626604)(750132)(520011016);
X-Microsoft-Antispam-Message-Info: ... omitted because of a serverfault limit ...

Why does the message fail the DMARC check? Is this a problem I can fix (e.g. with another entry in our DNS server) or is this Microsoft's fault? I don't think it's Google's fault because I also tried forwarding to an iCloud account which rejects the message entirely.

anx avatar
fr flag
anx
I would not assume that DMARC check and spam classification are related. Google is perfectly capable of recognizing forwards from Microsoft, but their ham/spam decisions will still consider the average quality of inbound volume from `*.protection.outlook.com`.
Johannes Egger avatar
cn flag
Ok, thanks. This was me short-circuiting. The rejection mail I get back from iCloud says something about SPF validation so I assumed it's got to do with SPF/DKIM/DMARC without knowing too much about anti-spam techniques in general.
anx avatar
fr flag
anx
The key justification for Googles decision to disregard the senders instructions to `reject` (while still applying spam/ham classification) is that "Is it authenticated by the sender?" and "Is it unsolicited mail to the recipient?" are two not uncommonly related, but still not identical questions.
sebix avatar
ie flag
Do you have SRS in place?
anx avatar
fr flag
anx
@sebix any envelope rewriting scheme would be evident from the `smtp.mailfrom=` part of the ARC-A-R headers.
Score:9
fr flag
anx

I would assume its Microsofts fault for breaking their signature. The headers clearly say that the signature was good before forwarding, and then broken on receipt by Google. Checking the signed headers, one sticks out:

From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck

Please check the value of the X-MS-Exchange-SenderADCheck on the mail as it was submitted (e.g. in a similar mail as received by a non-forwarding recipient).

If I am correct, and Microsoft changed that particular header on forwarding, this breaking its original DKIM signature before handing it over to Google, then consult o365/exchange documentation or ask Microsoft about the purpose of this field and the reason for changing it before forwarding signed mail.

Johannes Egger avatar
cn flag
Wow, awesome catch. Looks like it changed the header from 1 to 0 (see the updated question). So this is the reason for the failed DMARC check and subsequently for a possible spam classification (Google) or rejection (iCloud) respectively?
anx avatar
fr flag
anx
*One* reason, sufficient but not necessarily *the* only one (binary match/no match does not allow conclusions beyond that). In any case, the `X-MS-` prefix indicates it is not something of which I could guess what it means, why it is signed in the first place, and why Microsoft would break their own signature over it.
Johannes Egger avatar
cn flag
Ok, thanks. Even if this might not be sufficient to get it out of the spam folder, it will bring me one step closer. I will post another question if it's not the final step.
ec flag
@anx probably it means "the outgoing mail relay verified that this message was sent by someone logged in with an Active Directory account matching the from address"
Johannes Egger avatar
cn flag
@anx I just wanted to let you know that you were right in everything you said. 1. Microsoft fixed the problem by not changing the "X-MS-Exchange-SenderADCheck" header when forwarding the message. 2. Google still classifies the message as spam although every check (SPF, DKIM, DMARC) now passes. However iCloud now accepts the message which is really what I wanted to achieve. Thanks again for your awesome answer.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.