I'm trying to set up a domain that will only send broadcast messages to employees and a select group of business partners, with no need for replies. This means the domain won't have mailboxes for incoming messages. We want to ensure that any email from this domain is treated as unauthorized spam by everyone else on the internet. To achieve this, I plan to use the following DNS records: MX 0, v=spf1 -all, v=DMARC1; p=reject. My question is how to ensure delivery of these messages to the right partners. I believe these partners can set up rules on their side to accept messages only from this domain when the sender IP matches our servers. If they're using Office 365, they can create a mail flow rule saying if the sender domain matches ours and the sender IP is correct, they can bypass spam filtering. Alternatively, there's an option to create a receive connector for partner organizations in Office 365, but I'm not sure what advantages that offers. If messages come through an inbound connector, does that mean they automatically bypass spam filtering? When is it better to use mail flow rules versus partner organization connectors?
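The DNS posture and the partner-side allow rule described in the question, as an added Python example that is not part of the original post or of any product it mentions. It assumes a hypothetical send-only domain `broadcast.example` and a hypothetical outbound relay range `203.0.113.0/28` (both constructed), models the "MX 0" record as the RFC 7505 null MX (priority 0, target `.`), and implements only the `ip4`/`ip6`/`all` subset of SPF so that the checks run offline against embedded records rather than live DNS.

```python
import ipaddress
from typing import Dict, List

# Constructed DNS data for a hypothetical send-only domain; nothing here is real.
# Two SPF variants are included so the evaluator can be run against both:
#   SPF_NO_SENDERS is the record proposed in the question ("v=spf1 -all"),
#   SPF_RELAY_ONLY additionally names the outbound relay range (assumed 203.0.113.0/28).
SPF_NO_SENDERS = "v=spf1 -all"
SPF_RELAY_ONLY = "v=spf1 ip4:203.0.113.0/28 -all"

ZONE: Dict[str, Dict[str, List[str]]] = {
    "broadcast.example": {
        "MX": ["0 ."],                      # null MX (RFC 7505): no inbound mail accepted
        "TXT": [SPF_NO_SENDERS],
    },
    "_dmarc.broadcast.example": {
        "TXT": ["v=DMARC1; p=reject"],
    },
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag/value pairs (v=DMARC1; p=reject; ...)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_null_mx(mx_records: List[str]) -> bool:
    """True when the only MX is the RFC 7505 null MX: priority 0, target '.'."""
    return len(mx_records) == 1 and mx_records[0].split() == ["0", "."]


def evaluate_spf(spf: str, client_ip: str) -> str:
    """Minimal SPF check for the connecting IP, supporting ip4/ip6 and the 'all' default.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (RFC 7208 result names).
    include, a, mx, redirect and macros are deliberately left out: this is an
    illustration of the evaluation order, not a library.
    """
    if not spf.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in spf.split()[1:]:
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return qualifiers[qual]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return qualifiers[qual]
    return "neutral"  # no 'all' term: RFC 7208 default result


def send_only_posture(zone: Dict[str, Dict[str, List[str]]], domain: str) -> Dict[str, bool]:
    """Report whether the domain publishes the three signals from the question:
    null MX, an SPF record ending in -all, and DMARC p=reject."""
    spf = next((t for t in zone[domain]["TXT"] if t.lower().startswith("v=spf1")), "")
    dmarc_txt = zone.get("_dmarc." + domain, {}).get("TXT", [""])[0]
    dmarc = parse_dmarc(dmarc_txt)
    return {
        "null_mx": is_null_mx(zone[domain]["MX"]),
        "spf_hard_fail_default": spf.split()[-1:] == ["-all"],
        "dmarc_reject": dmarc.get("v") == "DMARC1" and dmarc.get("p", "").lower() == "reject",
    }


def partner_accepts(sender_domain: str, client_ip: str,
                    allowed_domain: str, allowed_ranges: List[str]) -> bool:
    """Model of the partner-side rule from the question: accept only when the sender
    domain matches AND the connecting IP is inside the sender's published relay ranges."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(r, strict=False) for r in allowed_ranges]
    return sender_domain.lower() == allowed_domain.lower() and any(ip in n for n in nets)


if __name__ == "__main__":
    print("posture:", send_only_posture(ZONE, "broadcast.example"))
    for record in (SPF_NO_SENDERS, SPF_RELAY_ONLY):
        for ip in ("203.0.113.5", "198.51.100.7"):
            print(f"{record!r} from {ip}: {evaluate_spf(record, ip)}")
    print("partner rule, relay IP:", partner_accepts("broadcast.example", "203.0.113.5",
                                                     "broadcast.example", ["203.0.113.0/28"]))
```

Running the evaluator against both records makes the trade-off visible: with the bare `v=spf1 -all` from the question, SPF returns `fail` for every connecting IP, the sender's own relay included, so a partner can only distinguish legitimate traffic by keying its rule on the connecting IP (what `partner_accepts` models); with the relay range listed before `-all`, the relay gets `pass` while every other source still gets `fail`.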
5 Answers
Honestly, the requirements seem a bit confusing. Here’s a thought: first, make sure your MX, SPF, DMARC, and DKIM records are set up correctly so only designated mail servers can send emails from that domain. This way, you control who receives emails using that domain without needing to stress about others accidentally getting them. Plus, unless you really want to go through Microsoft 365, setting this up on a simple Linux server could be both cheaper and easier. Just remember to make it clear to your clients that they should set up their own filtering rules for this specific scenario though!
Why not consider using alternative email services like Mailgun or Amazon SES instead of M365? This could simplify the process, helping you to avoid issues with blocked emails. Just make sure to set up DKIM if you decide to stick with M365; that’ll help with deliverability!
We specifically want to block everyone but the intended recipients. Those select domains will manage their own settings to receive our messages correctly.
This really is an example of getting caught in an X/Y problem. You seem more focused on working around this approach rather than finding the most effective solution to your actual needs. It’s important to take a step back and ensure you’re addressing the real issue rather than just dealing with the complications that have cropped up.
I’m curious about why you feel the need to have emails treated as spam for everyone else. It sounds like your initial setup only had internal users, and now you have a blend of internal and partner users. The organization might feel they shouldn’t even publish DNS records since it’s for internal use. But wouldn’t email gateways naturally reject messages from a domain without DNS records related to sending or receiving? It seems like that might already solve your issue without all the extra fuss.
Even with those records, the idea is to prevent anyone outside of the specific partners from getting emails. They need the records to ensure their own systems can handle the messages while blocking anyone outside.
I see you’re really trying to navigate this requirement, but it feels like you’re missing a broader perspective. It might be worth it to reevaluate your solution to meet the business needs more simply and effectively instead of getting bogged down in the current setup. Take a step back and consider the recommendations here—they’re coming from a good place.
You’ve missed the point! The idea is to ensure that nobody else receives emails from this domain except a specific list of partners. The DNS settings you mentioned will tell everyone else to reject emails from the domain, while the intended domains will set their rules to accept them internally.