Send Syncro Notifications and Ticket Lead Notifications that are DMARC Compliant

Currently, Syncro cannot send DMARC policy aligned “Syncro Notifications” and “Ticket Lead Notifications.”

The three ways Syncro sends emails and how they fail DMARC:

  1. Broken → Syncro Notifications → The “from” email domain and the “return-path” email domain on the email’s envelope do not match and one is not a sub-domain of the other. These emails fail syncromsp.com’s DMARC record.

    xxxxxx.xxxx=xxxx.xxx@email.syncroemail.com”;
    dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=syncromsp.com"

The only reason the Syncro Notifications get delivered is because Syncro’s syncromsp.com dmarc policy is p=none which means do nothing if an email fails the DMARC test. This, effectively, renders syncromsp.com’s DMARC policy useless.

  2. Working if using your own SMTP server → Customer-Facing Ticket Messages → These pass DKIM, SPF, and DMARC records because they get sent through the MSP’s fully configured SMTP service.

  3. Broken → Ticket Lead Notifications → These fail DMARC because the “from” email domain and the email envelope “return-path” domain is not “from” the MSP’s domain nor is it a sub-domain.

    xxxxx.xxxx=xxxx.xxx@email.syncroemail.com”;
    dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=syncromsp.com"

In addition, some of the “Ticket Lead Notifications” are sent so that they spoof the MSP’s email domain. This results in a message on Syncro’s side of “550.5.7.26 Unauthenticated email from [MSP’s domain] is not accepted due to domain’s DMARC policy.”

Since Syncro’s outgoing email server for these types of messages, Sendgrid, is unable to comply with sending on behalf of a domain that uses DMARC, this means that an MSP currently cannot set up an effective DMARC policy and be able to consistently receive some Syncro email messages.

This, obviously, is a problem as it prevents an MSP from implementing the single most-effective mechanism we have in the email world to prevent spoofing of our email domain. This is not only an inconvenience, it is also a security issue.

Sendgrid, which is Syncro’s email provider for “Syncro Notifications” and “Ticket Lead Notifications” notes the following in this link:

“Simply put, Twilio SendGrid accounts can no longer send messages using a Gmail, AOL, or Yahoo From address to a domain that checks DMARC before accepting mail. Affected users will need to change their from address to a different non-protected email address. We recommend using your own mail domain, or one you control that is legitimate. You can then set the Reply-To field to be the original address that previously was used in the From field.”

There are some ways to work around this:

  1. Enable Syncro to use MSP’s own SMTP provider for “Syncro Notifications” and for “Ticket Lead Notifications”
    or
  2. Fix the issues with DMARC on syncromsp.com in conjunction with fixing the from and return-path values on “Syncro Notification” and “Ticket Lead Notification” emails so that both values are either in the same domain or one is a sub-domain with a matching CNAME value as noted in the help articles below:

Syncro – Please fix these email sending issues so that “Syncro Notifications” and “Ticket Lead Notifications” work correctly with domains that utilize DMARC – including your own syncromsp.com domain.

30 Likes
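The alignment test the post describes (header From domain against the envelope return-path domain), as an added example that is not part of the original post and not Syncro's or SendGrid's code. The sample headers are constructed, `msp.example` and the local parts are placeholders, and the small suffix set stands in for the full Public Suffix List that real receivers use.

```python
from email import message_from_string
from email.utils import parseaddr

# Tiny stand-in for the Public Suffix List (assumption; real receivers use the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels

def aligned(from_domain, auth_domain, strict=False):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_alignment(raw, spf_pass, dkim_pass_domains=(), strict=False):
    """DMARC passes if SPF or DKIM both passes and aligns with the header From domain."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    spf_ok = spf_pass and aligned(from_dom, rp_dom, strict)
    dkim_ok = any(aligned(from_dom, d, strict) for d in dkim_pass_domains)
    return {"from": from_dom, "return_path": rp_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample headers; local parts and msp.example are placeholders.
NOTIFICATION = ("Return-Path: <bounces+0000=tech=msp.example@email.syncroemail.com>\n"
                "From: Syncro <notifications@syncromsp.com>\n"
                "Subject: constructed sample\n\nbody\n")
REALIGNED = ("Return-Path: <bounces@bounce.msp.example>\n"
             "From: Support <support@msp.example>\n"
             "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("notification", NOTIFICATION), ("realigned", REALIGNED)):
        print(name, dmarc_alignment(raw, spf_pass=True))
```

The first sample fails even though SPF passes for the envelope domain, because `email.syncroemail.com` and `syncromsp.com` share no organizational domain; the second passes under relaxed alignment and fails under strict.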

That is quite an excellent summary of what’s going on. Thanks for doing all that work.

1 Like

This is really helpful as we are also experiencing this issue.

I’m having the same issues. We use SPF, DKIM, & DMARC as well. We’re having regular issues with emails, such as invoices, regularly going to the recipients’ spam folder and they never see their invoices. This really needs to be fixed.

Would love to have a path to get everything from Syncro 100% aligned also

+1 from my team too!

1 Like

+1 please address this soon!

2 Likes

+1 Having the same issues, Proofpoint flagged as Fraud

1 Like

+1 As a team that sells email security, this looks really bad to our clients.

1 Like

+1 for me too. This is important.

1 Like

I opened a ticket on this issue years ago. Despite being given a long since past target quarter for a fix to be implemented, the only movement on the request was its closure when Syncro moved to their new ticketing platform. Despite this being a critical security feature, I have given up hope on its implementation.

2 Likes

+1 for me as well. This is the biggest issue I see with the platform and the fix should be so easy.

1 Like

This is why we push them thru our O365 account. We control it, and we get excellent deliverability. We also have logs for diagnosing.

1 Like

…This seems like a “I’m sorry, you-what!?” level issue where sorting it out should arguably be treated as a fault, rather than a “feature request”.

It’s somewhat disappointing to see there’s been no comment from Syncro here one way or the other since this was posted last July - Please make addressing this a priority!

7 Likes

How are you doing that?

Do you have your domain 100% DMARC compliant? We have outbound SMTP from Syncro set up through our O365 as well, but we are seeing a small percent of Syncro mail being sent through one of the bulk SMTP hosts.

1 Like

Dave, it is set up under Admin. There is a separate topic near the bottom for setting up your own SMTP server.

We are not seeing any of our email go out by other means but our Office 365 account.

Hi,
We are trying to implement DMARC also, how do we upvote this feature request?
Actually if Syncro were to send ALL emails through Exchange Online that would solve the problem. They also need to be able to use MFA or the secure application model to make this secure.

Donal

SPOT on breakdown.
THIS is how you write an FER (Feature Enhancement Request) folks.

Just sayin’.

Joomlajay/IT Guru

Wow, 1000% this… I can’t believe this isn’t fixed after being on Syncro for 2 years. I’m using O365 email and my customer-facing emails go out fine, but there are so many Syncro messages that are supposed to come from Syncro mail apparently and not O365, and then some of those come from no-reply while others try to spoof my support address even though I’m using the hosted O365. I’m 100% DMARC compliant and block everything and THIS is the issue. These are not compliant messages!! Such an easy fix.