Why is Avanan showing up in my DMARC reports and how do I fix it?

Key findings

• Avanan identification: Avanan, now Checkpoint, is an email security solution that can appear as a sending source in DMARC reports, particularly if their IPs are included in your SPF record, like spfa.cpmails.com.
• Accidental SPF inclusion: Clients may mistakenly add Avanan's sending IPs or includes to their SPF record if they see it in DMARC reports, assuming it needs authorization.
• Shadow IT: Avanan's presence might stem from an unapproved service or an Outlook plugin that relays emails through Microsoft 365, rather than a direct transport rule or connector.
• Outbound email processing: Even with correct SPF and DKIM alignment, if Avanan processes outbound emails, it will show up in your DMARC reports.
• DMARC passing mechanism: DMARC only requires either SPF or DKIM to pass alignment for a message to be compliant. A dashboard might show 100% compliance even if only one mechanism is fully aligned.

Key considerations

• Verify Avanan usage: Consult with finance and IT departments to confirm whether Avanan (Checkpoint) is a purchased or active service. It might be an overlooked or forgotten subscription.
• Review SPF records: Carefully examine your domain's flattened SPF record for any unexpected entries related to Avanan or Checkpoint. Redundant or accidental inclusions can cause confusion in DMARC reports. For more details, see our guide on DMARC, SPF, and DKIM.
• Understand email flow: Investigate how emails are routed, especially outbound messages. An Outlook plugin or other user-initiated software could be relaying emails through M365 without explicit IT configuration, affecting your email deliverability.
• Analyze DMARC reports: Dive into the raw DMARC reports to understand the full authentication picture, rather than relying solely on summarized dashboards. This can help identify if Avanan is merely a receiver processing inbound mail, or an actual sender for your domain.
• Review security solutions: If Avanan is actively used, ensure its configuration aligns with your DMARC policies to prevent legitimate emails from being blocked. Stellastra notes that Avanan emails can be blocked if they fail DMARC. Further information is available on how to stop Avanan emails going to junk.

Key opinions

• Unforeseen email routing: Many marketers are surprised to find a security vendor like Avanan appearing in their DMARC reports, especially when they have no direct knowledge of using such a service for outbound mail. This indicates a potential blind spot in understanding email flow.
• Configuration puzzle: The challenge lies in identifying exactly which application or configuration in Microsoft 365 (or similar environments) might be responsible for routing emails through Avanan, particularly when standard transport rules or connectors are not evident.
• Plugin involvement: A common suggestion is that a user-initiated plugin, such as an Outlook add-in, could be relaying emails, which then get processed by Avanan's security features. This bypasses typical IT-managed configurations.
• SPF record verification: Marketers are advised to check their flattened SPF records meticulously, as an accidental inclusion of Avanan's IPs (like spfa.cpmails.com) can lead to unexpected DMARC passes for that source.
• DMARC report interpretation: A DMARC dashboard showing 100% compliance can be misleading if only one authentication mechanism (SPF or DKIM) is passing. Deep-diving into raw reports is crucial for a complete picture of why Avanan is appearing.

Key considerations

• Collaborate with internal teams: Engage with internal IT and finance departments. Uncover if Avanan or Checkpoint is a hidden or forgotten service, potentially purchased without central IT's full awareness (shadow IT).
• Scrutinize email traces: Match DMARC report volumes from Avanan with email trace exports to identify specific outbound emails causing the reports. This can help pinpoint the exact sending source or user responsible. Our resource on diagnosing DMARC failures provides more context.
• Evaluate SPF strategy: If Avanan is not an intended sender, ensure its IPs are removed from your SPF record. If it is an intended sender, confirm the correct configuration to maintain DMARC alignment, preventing issues like DMARC authentication failures.
• Consider inbound vs. outbound: Determine if Avanan is processing inbound emails (as a receiver) or outbound emails (as a sender). The DMARC report will indicate the sending IP. If it's an outbound IP and aligns, it's acting as a sender for you.
• Address potential spoofing: Ensure that your DMARC policy is robust enough to handle any potential spoofing attempts if unauthorized Avanan entries persist. Dan Clowry's Blog discusses the importance of SPF and DMARC for quarantine subdomains to prevent spoofing, which relates to Avanan's role in security filtering. Read more on using Checkpoint Avanan and Microsoft 365 Quarantine.

Key opinions

• Complexity of DMARC interpretation: Experts highlight that DMARC dashboards can be simplistic, showing 100% pass even if only one mechanism (SPF or DKIM) aligns. This necessitates examining raw DMARC data for a comprehensive understanding.
• SPF alignment mechanics: For SPF to align, the MAILFROM domain's SPF record must explicitly include the sending IPs. If Avanan IPs are in your SPF record, it implies control or a deliberate (even if accidental) inclusion.
• Role of plugins and shadow IT: An Outlook plugin that relays through Microsoft 365 could be the source of unexpected Avanan entries, bypassing traditional IT configurations. This falls under the realm of 'shadow IT' and requires investigation beyond standard mail flow rules.
• Identifying re-routing: It's crucial to determine if messages are being re-routed, either inbound or outbound. If outbound messages are not re-routed by Microsoft, and an Outlook plugin is used, the sending IP should logically belong to Microsoft.
• Consequences of misconfiguration: Improper DMARC configuration or accidental SPF inclusions can lead to legitimate emails failing authentication, impacting deliverability and potentially causing emails to land in spam folders or be blocked entirely. This reinforces the need to troubleshoot DMARC failures effectively.

Key considerations

• Verify payment records: Beyond internal IT, check finance records for any invoices related to Avanan or Checkpoint, as a third-party reseller might be the invoice originator.
• Detailed raw data analysis: Request and analyze unredacted raw DMARC reports. This granular data often contains the specific authentication results, sending IPs, and domains that can help connect the dots and pinpoint the true source. For guidance, see understanding and troubleshooting DMARC reports.
• Distinguish inbound vs. outbound filtering: Clarify if Avanan is primarily an inbound email security gateway (processing emails *to* your domain) or if it's also configured to process outbound emails *from* your domain. Its presence in DMARC reports typically indicates it's handling outbound traffic.
• Review email relay paths: If Avanan's IP is in your SPF and your DKIM is still original, it strongly suggests a relay scenario where Avanan is acting as an intermediary without modifying the email's content or signing headers.
• Address DMARC policy: If Avanan is an unauthorized sender, remove its SPF entries and configure your DMARC policy to quarantine or reject. If it's an authorized sender, ensure correct SPF and DKIM configuration for alignment to avoid DMARC failures.

Key findings

• DMARC management by Avanan: Avanan itself offers DMARC management features to help organizations ensure legitimate senders are allowed, enabling a confident transition to stricter DMARC policies.
• Integration with Microsoft 365: Avanan integrates with Microsoft 365, allowing it to analyze all emails and potentially process outbound messages, which would then be reflected in DMARC reports.
• Quarantine subdomain configuration: For email security solutions handling quarantined emails, proper SPF and DMARC records are crucial for their specific subdomains to prevent spoofing.
• DMARC report utility: DMARC reports are a primary mechanism for identifying and fixing DMARC issues, including delivery and alignment problems, which is essential for maintaining email deliverability. For more on this, check our guide to email deliverability issues.

Key considerations

• Proper DMARC policy: Documentation often recommends setting DMARC policies to 'quarantine' or 'reject' to appropriately handle suspicious emails, but this should only be done after ensuring all legitimate sending sources are DMARC compliant.
• Regular DMARC report review: It is critical to regularly review DMARC reports to identify and address any issues, including those related to third-party security solutions like Avanan. Our article on DMARC failure reports offers more insight.
• Align security with DMARC: Ensure that your email security solutions are configured in a way that supports DMARC authentication and alignment, rather than causing failures or unexpected entries.
• Whitelisting: If Avanan is an approved service, its sending IPs or included domains should be properly authorized within your SPF record to maintain authentication success.