Troubleshoot SPF, DKIM, and DMARC email issues

Summary

Email Gateways, SPF, DKIM, and DMARC

The following terminology is important to understand the issues described in this article.

• Email gateway – A protective firewall system for emails that checks for suspicious properties or metadata that may indicate the email is spam, a phishing email, or other message that should not be delivered to the recipient. Such properties include senders being known spammers, mismatched properties, etc. Examples of email gateways include, but are not limited to:
  • Proofpoint
  • MS Defender
  • CrowdStrike
  • Sentinel One
  • WatchGuard
  • PowerDMARC
• Sender Policy Framework (SPF) – A list of authorized senders who can send emails on your behalf. If an email claims it’s from you, but the sender is not on this list, the email is flagged as suspicious by email gateways.
• DomainKeys Identified Mail (DKIM) – A digital signature hidden in an email’s header metadata. It should match the “from” information, assuming it hasn’t been tampered with.
• Domain-based Message Authentication, Reporting, & Conformance (DMARC) – Defined by the original sender, this set of rules tells email gateways what to do with an email if it fails security checks (for example, reject, quarantine, or deliver as usual).

Common Signs of SPF, DKIM, and DMARC Issues

The scenarios below are common symptoms of SPF, DKIM, and DMARC-related issues.

• A user receives some types of emails from Esri, My Esri, or ArcGIS Online, but not other types of emails. For example:
  • Receiving “Forgot Username?” emails but not “Forgot Password?”
  • Receiving emails from Technical Support or Customer Service, but not customer number invites from My Esri.
• A user is not receiving emails at all.

How Email Gateways Cause These Issues

Some companies set up multiple email gateways to protect their email users. While the idea of multiple email gateways is great in concept, they can be easy to misconfigure and often cause conflicts when emails are passed sequentially from one email gateway to another. Emails may pass checks at the initial email gateway but fail subsequent checks at later gateways, causing the emails to fail to reach their destination.

The following is an example of how multiple email gateways cause issues in receiving emails:

Observed Behavior

A user is receiving “Forgot Username?” emails but not “Forgot Password?” emails from ArcGIS.com.

Email Security Configuration

The user’s IT department has two email gateways configured that both check SPF senders and DKIM signatures for inbound emails in the following order:

• Proofpoint
• MS Defender

Point of Failure

When email gateways (in this case, Proofpoint) review an email then pass it to another email gateway, they modify the headers of the email.

Because the headers are updated, the next gateway (MS Defender, in this example) sees the email headers as coming from the prior email gateway instead of from Esri. Esri does not give the customer’s gateway permission to send emails as Esri, so the SPF check fails. In addition, because the DKIM signature no longer matches the sender, the DKIM check fails.

Because Esri sets outbound emails’ DMARC policies to instruct email gateways to reject emails that fail checks in order to protect customers, the email is thrown away and never received in the end user’s inbox.

Procedure

Ultimately, email providers and IT representatives are responsible for troubleshooting email gateways to determine whether sequential SPF and DKIM checks are correctly configured. This can be done by:

• Understanding the configuration of all email gateways on the end user’s email system
• Reviewing the passes and failures at each email gateway to determine where the failure point occurs
• Reviewing email headers between each email gateway to determine if and when they have been modified

Note:
It may be necessary to adjust email gateway configurations to quarantine emails, instead of rejecting emails, to allow a review of these emails.

• Working with the end user and Esri to re-send emails as email gateway settings are modified until emails are successfully received in the end user’s inbox

Note:
Some email gateways reset settings (ex. Every 6 months) on a regular basis to protect users. You may need to set a review schedule if your email gateway is one of these.

For any further questions, please log a support case with Esri Support.