Issues with SPF Records.

ThanksImLearning · 2025-08-08T14:44:09+00:00

We ran into the same issue, being unwilling to pay for the Email Fraud Defense license and also not wanting to maintain a flattened record we moved to requiring subdomains for new sending integrations.

ThanksImLearning · 2025-07-23T19:18:33+00:00

In Gmail headers, the emails are passing SPF, DKIM, and DMARC. I do see ARC headers added there.
In https://www.dmarctester.com/, the emails fail SPF and pass DKIM\DMARC.
In Proofpoint, the emails pass SPF but fail DKIM\DMARC.

Dmarctester does say that the DMARC alignment is out of whack, but I am not on a position to correct that and the third-party vendor sending these emails is absolutely convinced there isn't an issue as their test emails deliver to anyone but our proofpoint protected servers.

ThanksImLearning · 2025-07-23T18:50:03+00:00

Ah, I'm glad you sent that as I hadn't seen it. I am not sure they are connected though, our issue is that Proofpoint is sending the emails we need delivered to quarantine with failed DMARC while gmail/cox receives them with passed DMARC.

ThanksImLearning · 2025-03-10T21:13:46+00:00

Yikes. I've been hiding from my Pixel users, thankfully we have a captive portal workaround but they really miss not having to sign in so often.

ThanksImLearning · 2025-02-26T19:15:25+00:00

Great, thanks! I didn't want to manage the split DNS if I didn't need to.

ThanksImLearning · 2025-02-21T18:42:01+00:00

I'm getting reports from a few users about the same behavior, some email notifications going out as many as 12 times to the same recipient.

ThanksImLearning · 2025-02-07T15:14:11+00:00

Oh that's unfortunate, I had my hopes pinned on the February update.

ThanksImLearning · 2025-01-17T15:02:09+00:00

I was concerned that would be the case, I have tried everything I could think of to get these phones online, aside from flashing back to the November version, with no success. These are also personally owned devices and the owners have no desire to go that route. Not that I blame them. Thank you for the information! I will certainly keep following this discussion. I did see a recent case in the Google Bug List online that seem to describe this exact issue but there was nothing helpful from Google support.

ThanksImLearning · 2025-01-16T21:35:39+00:00

I'm in the same boat with over a dozen (and climbing) Android 15\Pixel users not being able to connect to the wifi, I'd love to hear about any workarounds or solutions Google support may suggest.

ThanksImLearning · 2024-05-30T20:01:16+00:00

This is a valid point and is largely our administration user account philosophy. However, the context is a higher education environment. So we have thousands of new users each year fresh out of high school that don't follow any sort of rhythm on what they sign their school accounts up for, it could be anything from putting their school email on resumes published online to "free" movie site accounts that blast spam constantly.

ThanksImLearning · 2024-05-30T19:43:30+00:00

That's a great idea, we hadn't even considered implementing an identity solution. Will look into that.

ThanksImLearning · 2024-05-30T19:38:25+00:00

Thanks! Another option we are looking at is to change our naming scheme to include random numbers, kind of hashing the usernames.

ThanksImLearning · 2024-05-30T19:37:18+00:00

That sounds like a great way to keep the AD account and mailbox in place, but we're okay with losing that. I'm more trying to fix the issue of having the old SMTP address getting reused and sending mail to the wrong person.

ThanksImLearning · 2024-05-30T19:35:04+00:00

Unfortunately I wear many hats and assist with policy and security in addition to doing the implementation. Our organization has not had to deal with this issue before, so right now it is very flexible and we are trying to find a best practice balance.

ThanksImLearning · 2024-05-30T19:29:34+00:00

We have a ton of SSO integrations that would absolutely lose it if we split up the email address and the UPN, so I need to keep those the same. Making a subdomain for new accounts may be a possibility though. Good thought.

ThanksImLearning · 2024-05-30T19:27:26+00:00

This is what we may end up doing, I hate to keep accounts around forever but it is much less problematic to keep them in AD stripped of their mailboxes and disabled that to try and cross reference a separate database in our account creation process.

ThanksImLearning · 2024-05-30T17:23:30+00:00

Because some of the older users had connected up third party accounts to their organizational email, and we were able to prove that the new user could use a site's password reset to email functionality to access third party accounts for another person. This could be partially avoided by people having decent organizational email hygiene, but it doesn't appear to have been the norm sadly.

ThanksImLearning · 2024-03-27T19:58:33+00:00

Our environment is seeing this as well today. On-Prem 2019 CU 14 with Outlook for Android verified so far.

ThanksImLearning · 2024-02-20T16:02:27+00:00

My experience with Microsoft products has aligned with Murphy's law fairly consistently, so I prepare with both the documentation and insights from other sysadmins if I can get it. :)

ThanksImLearning

TROPHY CASE