I'm uncertain how to get a message through to Adobe IT department, so I am trying here.
Below you can see message@adobe.com using email services from Amazon - example a27-171.smtp-out.us-west-2.amazonses.com
The Adobe DMARC policy says to reject emails where the domains do not match the sending address domain.
Using this Amazon domain seems to violate Adobe's own policy, and results in the email being rejected with a 550 error.
[2023.10.03] 17:38:54 [54.240.27.171][63090815] Performing PTR host name lookup for 54.240.27.171
[2023.10.03] 17:38:54 [54.240.27.171][63090815] PTR host name for 54.240.27.171 resolved as a27-171.smtp-out.us-west-2.amazonses.com
[2023.10.03] 17:38:54 [54.240.27.171][63090815] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2023.10.03] 17:38:55 [54.240.27.171][63090815] rsp: 550 Message rejected due to senders DMARC policy
[2023.10.03] 17:38:55 [54.240.27.171][63090815] A trace of the DMARC processing follows.
[2023.10.03] 17:38:55 [54.240.27.171][63090815] Beginning DMARC check for 0101018af6680d20-1f485dcc-cab8-47f0-8d0d-c2902ba3d8d1-000000@us-west-2.amazonses.com from IP 54.240.27.171...
[2023.10.03] 17:38:55 [54.240.27.171][63090815] The from field for the message is "Adobe <message@adobe.com>". Will look for DMARC policy record at _dmarc.adobe.com
[2023.10.03] 17:38:55 [54.240.27.171][63090815] Retrieved the following DMARC policy record for "adobe.com": v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:adobe@rua.agari.com; ruf=mailto:adobe@ruf.agari.com; fo=1
[2023.10.03] 17:38:55 [54.240.27.171][63090815] DMARC: Bad DKIM signature.
[2023.10.03] 17:38:55 [54.240.27.171][63090815] DMARC policy violated due to SPF domain ("us-west-2.amazonses.com") not belonging to the same parent domain as the from address field domain ("adobe.com").
this is regarding what?
This applies to at least some of Adobe's emails that they send out from message@ - so for example email verification emails
The email is routed via an Amazon SMTP server
But Adobe's DMARC settings tell other mail servers only to trust the Adobe emails if they come from an Adobe domain name, and if they do not to reject them.
When that happens mail servers that are correctly set up will reject the email.
Adobe will then get a reply showing a 550 error.
The recipient will get no email.
In this case the cause is due to how Adobe is sending out these emails which violates their own rules.
I'm attempting to highlight this to whoever might work in their IT department.
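
The alignment rule discussed in the posts above and visible in the receiving server's DMARC trace, as an added example that is not part of the original thread: a message passes DMARC only if SPF or DKIM both passes and uses a domain aligned with the From: domain. The DMARC record is the one from the log; the SPF pass result, the DKIM `d=` value, the `bounce.adobe.com` envelope domain and the two-label organizational-domain shortcut are assumptions.

```python
from dataclasses import dataclass

# DMARC record exactly as retrieved in the log above.
RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
          "rua=mailto:adobe@rua.agari.com; ruf=mailto:adobe@ruf.agari.com; fo=1")

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') compares organizational domains; strict ('s') needs equality."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Auth:
    spf_pass: bool    # SPF result for the envelope sender (MAIL FROM)
    spf_domain: str   # domain SPF was evaluated against
    dkim_pass: bool   # did a DKIM signature verify?
    dkim_domain: str  # d= tag of that signature

def dmarc_disposition(from_domain, auth, record=RECORD):
    """Return 'pass', or the policy the receiver is asked to apply on failure."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned, passing mechanism is enough
        return "pass"
    # From: on a subdomain uses sp= when present, otherwise p=
    is_sub = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_sub else tags["p"]

# Constructed cases; only the first mirrors the logged message.
LOGGED = Auth(True, "us-west-2.amazonses.com", False, "adobe.com")
ALIGNED_DKIM = Auth(True, "us-west-2.amazonses.com", True, "adobe.com")
ALIGNED_SPF = Auth(True, "bounce.adobe.com", False, "adobe.com")  # hypothetical MAIL FROM

if __name__ == "__main__":
    for name, auth in [("logged", LOGGED), ("dkim", ALIGNED_DKIM), ("spf", ALIGNED_SPF)]:
        print(name, dmarc_disposition("adobe.com", auth))
```

Either a verifying DKIM signature with an aligned `d=` domain or an aligned envelope sender is enough for the same message, relayed through the same third-party servers, to pass.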
leaving it here is probably the best you can do per
to report bugs or ideas or wishes to adobe:
for applicable apps, use https://helpx.adobe.com/ie/x-productkb/global/how-to-user-voice.html
for others, use https://www.adobe.com/products/wishform.html
if neither show a place to report the issue, just leave it here. that's the best you can do.
Thanks, appreciated.
you're welcome (and thank you).
I really wouldn't know who at Adobe to contact on this. Maybe one of the Adobe employees can relay the message?
Emails from Adobe have also recently been rejected by Microsoft because DMARC DNS entries are followed. So the behavior is similar. The cause is described in the following Microsoft article https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defau.... A support colleague from Adobe said I should post this here.
Thanks, lending extra weight to the issue - there must be a lot of automated emails being rejected I'd imagine.
Ideally the support colleague from Adobe should alert their IT department to correct this (ideally by not sending email via another domain, or by setting the policy to "none"). Are they able to do so, or perhaps it is already in hand?
For people with Exchange Online with the standard security policies applied, the Adobe emails with sign in codes will be rejected, and they won't be able to sign into the Adobe portal.
To override this in Exchange Online, they go to
Microsoft Defender at -
https://security.microsoft.com/
Policies & rules > Threat policies > Tenant Allow/Block List > Spoofed senders
Add an allow record for
adobe.com,amazonses.com
Thanks for this information.
If you allow a spoof bypass for amazonses.com then any amazon instance may be allowed to send spoofed email to your system.
https://www.linkedin.com/pulse/new-pandemic-phishing-alert-amazonsescom-lloyd-kithinji/
The only real solution is for Amazon to properly implement its domain authentication for all of its platforms
This appears to have been going on since at least September/October 2023. It is in February 2024 and this issue still exists.
Adobe need to sort this out immediately - all emails for new users, password resets, etc. blocked
ADOBE FIX YOUR DMARC or ROUTE YOUR EMAILS TO FOLLOW YOUR OWN DMARC RULES
It is unbelievable that this has not already been addressed by you
these are user forums, not a way to communicate with adobe engineers.
to report bugs or ideas or wishes to adobe: for applicable apps, use https://helpx.adobe.com/ie/x-productkb/global/how-to-user-voice.html
for creative cloud assets:
for others, use https://www.adobe.com/products/wishform.html
if neither show a place to report the issue, just leave it here. that's the best you can do.