Details
Microsoft is not correctly DKIM-signing some emails when they are returned from an SMTP service. This results in ARC (Authenticated Received Chain) failures, as the email's authentication cannot be validated due to the DKIM failure. The failure occurs because the SMTP service adds its information to the email, breaking the DKIM signature.
When Microsoft receives these returned emails, it should DKIM-sign them again before sending them out to the internet. However, this process does not always happen consistently. We believe the issue is related to the types of files contained in the email. Specifically, when the email includes .msg and/or .eml file types, it can interfere with proper DKIM signing. That's why, in some cases, adjusting the behavior to exclude the .msg and .eml files when replying or forwarding can resolve the issue and prevent the DKIM failure.
While we continue to work with the development team on changes that could prevent this loss of functionality on Microsoft's end, we are providing an exception to the outbound connector for messages containing a .eml and/or .msg attachment.
Configuration
Verify SPF Includes Microsoft
Ensure the SPF record of the Shield domain includes Microsoft (Figure 1):
v=spf1 include:spf.protection.outlook.com include:spf.shield.security -all
If you do not have control of DNS for the Shield domain, you can use any DNS checker to look up the record, as shown in Figure 2.
Fig. 1
Fig. 2
WARNING: If Microsoft is not in the Shield domain's SPF record, do not continue with these steps until the SPF record has been updated.
Update the Shield Outbound Connector
Go to the M365 tenant and edit the Shield Outbound connector from Only when email messages are sent to these domains (Figure 3) to Only when I have a transport rule set up that directs messages to this connector (Figure 4), then save the changes.
Fig. 3
Fig. 4
Create the Transport Rule
Create a Rule with these values, shown in Figure 5:
- Name: Shield Outbound Exception
- Apply this rule if: "The sender" "is external/internal" "Inside the organization"
- After adding this condition, click the blue plus (+) to add another condition line
- And: "The recipient" "is internal/external" "Outside the organization"
- Do the following: "Redirect the message" "to the following connector" "Shield Outbound Connector"
- Except if: "Any attachment" "file extension includes these words" Add: "msg" "eml"
IMPORTANT: Make sure to Enable the rule after you save it.
Fig. 5
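The connector change and transport rule above can also be applied from Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds the Exchange Administrator role, and it uses the connector and rule names the article gives.

```powershell
# Added example: the same connector change and transport rule as the EAC steps,
# expressed in Exchange Online PowerShell. Assumes the ExchangeOnlineManagement
# module is installed and the account has the Exchange Administrator role.
# Connector and rule names are the ones the article uses; adjust if your tenant differs.
Connect-ExchangeOnline

$connector = "Shield Outbound Connector"
$ruleName  = "Shield Outbound Exception"

# Step 1: switch the connector from "Only when email messages are sent to these
# domains" to "Only when I have a transport rule set up that directs messages
# to this connector".
Set-OutboundConnector -Identity $connector -IsTransportRuleScoped $true

# Step 2: create the rule. Internal sender and external recipient are routed
# through the Shield connector, except when any attachment has a .msg or .eml
# extension. Those messages take the default Microsoft outbound route instead.
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector $connector `
    -ExceptIfAttachmentExtensionMatchesWords "msg","eml" `
    -Enabled $true

# Step 3: confirm the rule is enabled and the exception is present before
# sending the test message.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope,
                RouteMessageOutboundConnector, ExceptIfAttachmentExtensionMatchesWords
```

When testing, send one message with a .msg or .eml attachment and one without, and check the Received headers on each to confirm only the latter passed through the Shield connector.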
Send a Test Message
Test to ensure this workaround prevents delivery errors. If you need assistance with these steps or have questions, please contact the Partner Success team.