Hey everyone! I'm facing a tricky issue with our ERP system, NetSuite, which isn't able to send about 80% of emails to us and our clients. We're in a Microsoft environment, and I think this is affecting our customers too. I've checked our DNS records according to NetSuite's guidelines, and everything seems correct on that end. However, when I analyze the message headers, they indicate a DMARC failure. According to NetSuite, the email passed DMARC, SPF, and DKIM checks, but the DKIM signature isn't valid because it seems like Microsoft's email system is modifying the email content after NetSuite sends it. I've also tested the emails through dmarctester.com, and it reports a DMARC alignment failure. Should I be asking NetSuite to make changes on their side to fix this?
4 Answers
I've had my fair share of trouble with NetSuite and Microsoft 365. Try sending an email through mail-tester.com; it's a great tool for figuring out what's right or wrong with your setup. This can provide clarity before you go to anyone at NetSuite or Microsoft.
If either SPF or DKIM is passing, DMARC should also pass. If you have a rua email set in your DMARC records, you'll be able to keep tabs on compliance. Make sure you've created the right DNS records for DKIM, and ensure that the relevant sources are authorized to send emails from your domain in your SPF records. Each system should have its own specific records!
SPF, DKIM, and DMARC issues can sometimes be a puzzle. From what I gather, here's what's likely happening: 1. SPF is passing but unaligned. 2. DKIM aligns but fails. 3. This combination leads to DMARC failing. It looks like NetSuite may be using a method similar to Mailchimp, which intentionally unaligns the envelope sender to avoid needing to edit SPF records. We should dive into why the DKIM isn't validating, as this is often caused by something changing the email in transit, like a security gateway or email signature.
When Microsoft modifies the email headers, they add ARC headers to track the original verification status. This helps maintain a record of every server that the email passes through, which might explain the alignment issues you're seeing with DMARC.
Thanks for pointing that out! ARC sounds like an important aspect to consider!
In our Microsoft setup, I've noticed a compauth=fail status. It seems that this is linked to the alignment failure between Oracle's servers and ours.
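The combination described in the answers above (SPF passing but unaligned, DKIM aligned but failing) can be confirmed from the Authentication-Results header of a received message. The following is an added example, not code from any poster, NetSuite or Microsoft; the sample header is constructed, its domains are placeholders, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
import re

# Constructed sample in the style of a Microsoft 365 Authentication-Results
# header; the domains and IP address are placeholders, not values from the thread.
SAMPLE = (
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounces.erp-mailer.example; "
    "dkim=fail (body hash did not verify) header.d=customer.example; "
    "dmarc=fail action=none header.from=customer.example; compauth=fail reason=000"
)

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Map each method to a list of clauses (several DKIM signatures are common)."""
    parsed = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause)  # strip parenthesised comments
        m = re.match(r"\s*([\w-]+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", clause[m.end():]))
            parsed.setdefault(m.group(1).lower(), []).append(
                {"result": m.group(2).lower(), **props})
    return parsed

def explain_dmarc(value, strict=False):
    """Report pass/aligned per mechanism; DMARC needs one that is both."""
    parsed = parse_auth_results(value)
    from_dom = parsed["dmarc"][0]["header.from"].lower()

    def aligned(dom):
        dom = dom.rpartition("@")[2].lower()  # accept an address or a bare domain
        if not dom:
            return False
        return dom == from_dom if strict else org_domain(dom) == org_domain(from_dom)

    checks = []
    for c in parsed.get("spf", []):
        checks.append(("spf", c["result"] == "pass", aligned(c.get("smtp.mailfrom", ""))))
    for c in parsed.get("dkim", []):
        checks.append(("dkim", c["result"] == "pass", aligned(c.get("header.d", ""))))
    return {"checks": checks, "dmarc_pass": any(p and a for _, p, a in checks)}

if __name__ == "__main__":
    print(explain_dmarc(SAMPLE))
```

Each tuple in `checks` is (mechanism, passed, aligned with the From domain); the message passes DMARC only when at least one tuple is true on both.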