DMARC Workaround for @yahoo & @aol sending to DL with external recipients


Back in April 2014 Yahoo changed its DMARC policy to p=reject, and AOL followed suit a few weeks later. This effectively broke any mailing list or DL that contains external recipients and also allows @aol.com or @yahoo.com senders to post to it. When a user at one of these domains sends an e-mail to the DL, the DL re-sends it from Exchange with the original yahoo.com or aol.com From address, which fails DMARC at the receiving end, so external recipients on the many providers that enforce DMARC (Yahoo, AOL, Gmail, MSN, Hotmail, Comcast and more) do not receive the message and an NDR is generated for each of them. For more details on the issue see: blog.jasonsherry.net/2014/04/10/dmarc-broke-your-mailing-lists/

After trying several other things I’ve come up with the partial workaround below. The easiest workaround is to enable moderation on the DL and then, when an @aol.com or @yahoo.com user sends e-mail to the DL, manually re-send it for them from your mailbox, or from the DL if permissions are set up to allow Send As. In that case, though, the e-mail comes from your mailbox or the group, it requires manual intervention, and mail is delayed until someone approves or re-sends it.

One comment on the original post suggested changing the mailing address to go to a mailbox and then setting up a mailbox rule to forward all messages to the DL. While this does work, it introduces the problem that every message now comes from this ‘relay’ mailbox. When users reply, the reply goes to the mailbox, which then sends it out to the DL again, so every Reply or Reply All from any member generates an e-mail to all recipients and a busy thread quickly turns into user-generated spam.

So the workaround below only partially solves the issue: mail from senders who are not on Yahoo or AOL continues to flow to the DL exactly as it always has, while mail from @aol.com and @yahoo.com senders is delivered via a relay mailbox, with the reply-all trade-off described above.

  1. Create a new mailbox that will Forward\Relay all messages to the DL
    • Name the mailbox so it looks similar to the DL name, like “External DL Users Relay”
    • Re-sending from this mailbox gets around the DMARC issue: the message now comes from a mailbox in your own domain instead of looking like Exchange is spoofing the sending domain of yahoo.com or aol.com, which is what causes the receiving servers to reject it.
    • You will probably want to set a short-term retention policy on this mailbox, since every message sent to it is kept in the Inbox in addition to being forwarded.
  2. Log in to the mailbox via OWA and set up an Inbox Rule that forwards ALL messages to the DL containing the users who should receive the message
    • By default the Forward action does not show up in the OWA 2010/2013 rule editor; you have to click More Options… to show it.
  3. Create a transport rule to selectively redirect messages to the “relay” mailbox created in step 1
    1. Conditions
      1. [when the message header contains specific words]
        1. Message Header: Received
        2. Words: “aol.com” & “yahoo.com”
          • This should be two entries, without quotes, in the list
      2. [when the message header matches text patterns]
        1. Message Header: To
        2. Text patterns: <SMTP address of DL>
          • Enter the SMTP address of the existing DL that you are trying to fix this issue for
    2. Actions
      1. [redirect the message to addresses] : <Select the mailbox created in step #1>
      2. Optional: [prepend message subject with string] : “RELAYED: ”
        • This is to help users realize the message has been relayed to work around the NDR issue.
      3. Optional: [append disclaimer text and fallback to action if unable to apply.]
        • What you put here is up to you, but I changed the location to ‘prepend’, so this warning goes at the top of the message, and used this:
          ____________________________________________________
          This message was forwarded from a @yahoo.com or @aol.com sender. If you reply, the reply will go to all members. Please change the To on your reply to the person who sent the original e-mail if you want to reply just to them.
          ____________________________________________________
          [Screenshot: DMARC Rule]
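The three steps above, as an added example written for this page rather than taken from the original post: the same relay mailbox, Inbox rule and transport rule created from the Exchange Management Shell instead of OWA and the EAC. The DL address extusers@contoso.com, the relay mailbox name and UPN, the database DB01 and the retention policy name are assumptions; substitute your own.

```powershell
# Added example, not from the original post. Exchange 2010/2013 on-premises cmdlets.
# Every name, address and database below is an assumption for illustration.

$dl        = "extusers@contoso.com"          # assumed SMTP address of the existing DL
$relayName = "External DL Users Relay"       # assumed display name of the relay mailbox
$relayUpn  = "extusers-relay@contoso.com"    # assumed UPN / primary SMTP of the relay mailbox

# Step 1: create the relay mailbox and give it a short retention policy, because every
# relayed message is kept in its Inbox as well as being forwarded on.
New-Mailbox -Name $relayName -Alias "extusers-relay" -UserPrincipalName $relayUpn `
    -Database "DB01" -Password (Read-Host -AsSecureString "Relay mailbox password")
# "30 Day Cleanup" is an assumed retention policy that must already exist (New-RetentionPolicy).
Set-Mailbox -Identity $relayUpn -RetentionPolicy "30 Day Cleanup"

# Step 2: the server-side Inbox rule that forwards everything to the DL. Creating it in the
# shell avoids the OWA "More Options..." step; -ForwardTo is the same Forward action.
New-InboxRule -Mailbox $relayUpn -Name "Forward all to DL" -ForwardTo $dl

# Step 3: the transport rule. Conditions: a Received header contains aol.com or yahoo.com
# AND the To header matches the DL address. Actions: redirect to the relay mailbox,
# prefix the subject, prepend the disclaimer (wrap the message if it cannot be applied).
$disclaimer = @"
____________________________________________________<br/>
This message was forwarded from a @yahoo.com or @aol.com sender. If you reply,
the reply will go to all members. Please change the To on your reply to the person
who sent the original e-mail if you want to reply just to them.<br/>
____________________________________________________
"@

New-TransportRule -Name "DMARC Rule" `
    -HeaderContainsMessageHeader "Received" `
    -HeaderContainsWords "aol.com","yahoo.com" `
    -HeaderMatchesMessageHeader "To" `
    -HeaderMatchesPatterns ([regex]::Escape($dl)) `
    -RedirectMessageTo $relayUpn `
    -PrependSubject "RELAYED: " `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments "Relay @aol.com/@yahoo.com senders to the DL via a mailbox so DMARC p=reject does not bounce external members"

# Check what was created before testing with a real @yahoo.com sender.
Get-TransportRule -Identity "DMARC Rule" | Format-List Name, State, Conditions, Actions
Get-InboxRule -Mailbox $relayUpn | Format-Table Name, Enabled, ForwardTo
```

Two things to verify before relying on this. The To-header condition only fires when the DL address literally appears in the To header, so a sender who puts the DL in Cc or Bcc bypasses the rule and still gets the NDRs; the SentTo condition (any recipient) is the stricter alternative. And the forward in step 2 is an automatic forward: if Get-RemoteDomain shows AutoForwardEnabled set to False for the remote domain covering your external members, Exchange will not send auto-forwarded mail to them, which is the situation the second comment below asks about.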

Results
Once this is set up, when any user who is not on Yahoo or AOL sends an e-mail to the DL, the message goes to all members as it normally would. When a Yahoo or AOL user sends an e-mail to the DL, the transport rule redirects the message to the “Relay” mailbox; the Inbox rule on that mailbox then fires and forwards the message to the DL.

In the case of Yahoo or AOL senders, though, the members of the DL receive the message from the Relay mailbox, so a Reply or Reply All does not go to the original sender directly but to everyone, via the “Relay” mailbox. Users will see a MailTip that says “This message was AutoForwarded”, in addition to the prepended disclaimer if you added one.

Example message received from a Yahoo.com user:

[Screenshot: Relayed Message]

If a user replies to this message it will still go to all members of the DL via the “Relay” mailbox, so the optional subject prefix and disclaimer above only limit the amount of “Reply to All” behavior; they do not prevent it.

About jasonsherry

I am a 20 year Exchange consultant and expert. I currently work for Commvault as a Solutions Specialist for Microsoft Infrastructure For more info see my resume at: http://jasonsherry.org

4 Responses to DMARC Workaround for @yahoo & @aol sending to DL with external recipients

  1. Ryan M. says:

    Jason –

    Have you had an opportunity to test if the ‘fix’ for broken DKIM signatures included in Exchange 2013 CU6 helps this issue at all?

    2993556 Sender’s DKIM signature is broken in an Exchange Server 2013 environment
    http://support.microsoft.com/kb/2993556


  2. John Smith says:

    Hi,

    Would this autoforward rule work (Step 2) if the Exchange server is set up to not allow forwarding to external recipients? Most companies would have autoforwarding blocked, and so forwarding rules created in Outlook would not work.

