Send Syncro Notifications and Ticket Lead Notifications that are DMARC Compliant

Currently, Syncro cannot send DMARC policy aligned “Syncro Notifications” and “Ticket Lead Notifications.”

The three ways Syncro sends emails and how they fail DMARC:

  1. Broken → Syncro Notifications → The “from” email domain and the “return-path” email domain on the email’s envelope do not match and one is not a sub-domain of the other. These emails fail syncromsp.com’s DMARC record.

     xxxxxx.xxxx=xxxx.xxx@email.syncroemail.com”;
     dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=syncromsp.com

The only reason the Syncro Notifications get delivered is because Syncro’s syncromsp.com DMARC policy is p=none, which means do nothing if an email fails the DMARC test. This, effectively, renders syncromsp.com’s DMARC policy useless.

  2. Working if using your own SMTP server → Customer-Facing Ticket Messages → These pass DKIM, SPF, and DMARC records because they get sent through the MSP’s fully configured SMTP service.

  3. Broken → Ticket Lead Notifications → These fail DMARC because the “from” email domain and the email envelope “return-path” domain is not “from” the MSP’s domain nor is it a sub-domain.

     xxxxx.xxxx=xxxx.xxx@email.syncroemail.com”;
     dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=syncromsp.com

In addition, some of the “Ticket Lead Notifications” are sent so that they spoof the MSP’s email domain. This results in a message on Syncro’s side of “550.5.7.26 Unauthenticated email from [MSP’s domain] is not accepted due to domain’s DMARC policy.”

Since Syncro’s outgoing email server for these types of messages, Sendgrid, is unable to comply with sending on behalf of a domain that uses DMARC, this means that an MSP currently cannot set up an effective DMARC policy and be able to consistently receive some Syncro email messages.

This, obviously, is a problem as it prevents an MSP from implementing the single most-effective mechanism we have in the email world to prevent spoofing of our email domain. This is not only an inconvenience, it is also a security issue.

Sendgrid, which is Syncro’s email provider for “Syncro Notifications” and “Ticket Lead Notifications”, notes the following in this link:

“Simply put, Twilio SendGrid accounts can no longer send messages using a Gmail, AOL, or Yahoo From address to a domain that checks DMARC before accepting mail. Affected users will need to change their from address to a different non-protected email address. We recommend using your own mail domain, or one you control that is legitimate. You can then set the Reply-To field to be the original address that previously was used in the From field.”

There are some ways to work around this:

  1. Enable Syncro to use MSP’s own SMTP provider for “Syncro Notifications” and for “Ticket Lead Notifications”
    or
  2. Fix the issues with DMARC on syncromsp.com in conjunction with fixing the from and return-path values on “Syncro Notification” and “Ticket Lead Notification” emails so that both values are either in the same domain or one is a sub-domain with a matching CNAME value as noted in the help articles below:

Syncro – Please fix these email sending issues so that “Syncro Notifications” and “Ticket Lead Notifications” work correctly with domains that utilize DMARC – including your own syncromsp.com domain.

7 Likes
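
The alignment rule the post above relies on, as an added example that is not part of the original post and is not Syncro's or SendGrid's code: a receiver-side DMARC check showing why a message that passes SPF and DKIM for the sending service's domain still fails DMARC, and what the domain's `p=` value does with it. The suffix set, the `bounce` local part, the DKIM `d=` value and the `em.syncromsp.com` sub-domain are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: this small suffix set stands in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback for suffixes not in the set


def aligned(from_domain, auth_domain, mode="r"):
    """'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def dmarc_eval(header_from, mail_from, spf_pass, dkim_d, dkim_pass,
               policy="none", aspf="r", adkim="r"):
    """Return (result, disposition) as a DMARC-checking receiver would.

    header_from is the From: domain, mail_from the envelope sender
    (Return-Path), dkim_d the signature's d= domain or None if unsigned.
    """
    spf_domain = mail_from.rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(header_from, spf_domain, aspf)
    dkim_ok = bool(dkim_d) and dkim_pass and aligned(header_from, dkim_d, adkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)  # receiver applies the From: domain's p= value


# Constructed message modelled on the post's headers. The local part and the
# DKIM d= value are assumptions; SPF and DKIM pass, but for the wrong domain.
NOTIFICATION = dict(header_from="syncromsp.com",
                    mail_from="bounce@email.syncroemail.com",
                    spf_pass=True, dkim_d="syncroemail.com", dkim_pass=True)
# Hypothetical fix: Return-Path moved to a sub-domain of the From: domain.
FIXED = dict(NOTIFICATION, mail_from="bounce@em.syncromsp.com")

if __name__ == "__main__":
    print(dmarc_eval(**NOTIFICATION))                   # p=none: delivered
    print(dmarc_eval(**NOTIFICATION, policy="reject"))  # same mail, rejected
    print(dmarc_eval(**FIXED))                          # aligned via SPF
```

With strict SPF alignment (`aspf="s"`) the sub-domain Return-Path no longer counts, so the DKIM `d=` domain would also have to match the From: domain.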

That is quite an excellent summary of what’s going on. Thanks for doing all that work.