Suped

Why is Avanan showing up in my DMARC reports and how do I fix it?

Michael Ko
Co-founder & CEO, Suped
Published 22 May 2025
Updated 17 Aug 2025
Discovering an unexpected entry like Avanan (now Check Point Harmony Email & Collaboration) in your DMARC reports can be puzzling, especially when your internal IT team has no record of its use. Many organizations encounter this issue, and it often points to a nuanced aspect of email flow or DNS configuration rather than a straightforward, intentional deployment.
The core of the problem usually lies in understanding how DMARC authenticates emails and how certain email security solutions interact with this process. While DMARC is designed to help prevent email spoofing, unexpected entries can obscure legitimate sending sources or highlight misconfigurations that need attention.
This guide will help you navigate why Avanan might appear in your reports, even when it seems like an unauthorized or unknown sender. We will explore common scenarios and provide actionable steps to identify and resolve the underlying causes, ensuring your DMARC compliance remains accurate and effective.

Understanding Avanan in your email flow

Avanan, as part of Check Point Harmony Email & Collaboration, is an inline email security platform. This means it intercepts emails before they reach the recipient's inbox, scanning them for threats. When an email passes through such a system, the system's IP address might appear in the email's SPF authentication path.
A common reason for Avanan to appear in your DMARC reports is if its sending IP addresses are included in your domain's SPF record. This might happen if your IT administrator previously (or mistakenly) added an SPF mechanism for Avanan or Check Point. For example, you might see an entry like include:spfa.cpmails.com within your SPF record.
Example SPF record including Avanan (TXT):
v=spf1 include:spf.protection.outlook.com include:spfa.cpmails.com ~all
Even if your organization isn't actively paying for or using Avanan, its presence in your SPF record, combined with valid DKIM authentication that aligns with your domain, can lead to DMARC passing results. This is because DMARC only requires either SPF or DKIM to pass alignment for an email to be considered legitimate. If you need a refresher, consider reading a simple guide to DMARC, SPF, and DKIM.

Diagnosing unexpected Avanan DMARC entries

The first step in resolving this mystery is to dive into your DMARC reports. Look for specific entries showing Avanan as the authenticating source or the IP address. You can also trace the IP back to its owner. In some cases, the IP address 35.174.145.124 has been identified as a Check Point IP associated with Avanan.
Next, examine your domain's SPF record. Use a DNS lookup tool to flatten your SPF record to see all included mechanisms and their associated IP addresses. Confirm if spfa.cpmails.com or any other Avanan/Check Point-related domains are present. If they are, this is a strong indicator of the source of the DMARC report entries.
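The flattening step above, as an added example that is not from the original article or any vendor tooling: it walks the include chain and reports which include authorizes a given source IP. The SPF_ZONE dictionary stands in for DNS so the code runs offline; the nested records, the hypothetical name spfb.cpmails.example and every ip4 range are constructed assumptions, not the providers' published data.

```python
import ipaddress

# Constructed TXT data standing in for DNS. The example.com record is the
# article's sample; all nested records and ip4 ranges are assumptions made up
# for illustration, and spfb.cpmails.example is a hypothetical name.
SPF_ZONE = {
    "example.com": "v=spf1 include:spf.protection.outlook.com include:spfa.cpmails.com ~all",
    "spf.protection.outlook.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "spfa.cpmails.com": "v=spf1 include:spfb.cpmails.example ip4:198.51.100.0/24 -all",
    "spfb.cpmails.example": "v=spf1 ip4:35.174.145.0/24 -all",
}

def flatten(domain, zone, path=(), seen=None):
    """Yield (include_chain, network) for each ip4/ip6 mechanism reachable from domain."""
    seen = set() if seen is None else seen
    if domain in seen:              # include loop or repeat: report each domain once
        return
    seen.add(domain)
    chain = path + (domain,)
    for term in zone.get(domain, "").split()[1:]:   # [1:] skips "v=spf1"
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6"):          # -, ~ and ? qualified terms never authorize
            yield chain, ipaddress.ip_network(value, strict=False)
        elif name.lower() == "include":
            yield from flatten(value, zone, chain, seen)
        elif name.lower().startswith("redirect="):
            yield from flatten(name.partition("=")[2], zone, chain, seen)

def who_authorizes(ip, domain, zone):
    """Return the include chains whose ranges cover ip (empty list: no ip4/ip6 match)."""
    addr = ipaddress.ip_address(ip)
    return [" -> ".join(chain) for chain, net in flatten(domain, zone)
            if addr.version == net.version and addr in net]

if __name__ == "__main__":
    print(who_authorizes("35.174.145.124", "example.com", SPF_ZONE))
    print(who_authorizes("192.0.2.25", "example.com", SPF_ZONE))
```

Against live DNS, replace the dictionary lookup with a TXT query and stop after the 10 DNS-querying terms that RFC 7208 allows per SPF evaluation.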

Troubleshooting unexpected DMARC entries

  1. Analyze raw DMARC reports: Look for the source IP, SPF domain, and DKIM domain associated with Avanan. This helps in understanding how to diagnose DMARC failures using DMARC reports.
  2. Consult financial records: Check with your accounts or finance department to see if any payments have been made to Check Point or Avanan, even if IT is unaware. This can uncover shadow IT deployments.
  3. Review email flow rules: Investigate your email platform's (e.g., Microsoft 365) transport rules, connectors, or enterprise applications for any configurations that might route email through an external security gateway like Avanan.
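For step 1, an added example (not code from the original article or from Suped) that reads a raw aggregate report and shows, per source IP, whether the DMARC pass rests on SPF, DKIM, or both. The sample report is constructed in the RFC 7489 layout without an XML namespace; example.com, mail.example.net, 203.0.113.10 and 198.51.100.7 are placeholders, and 35.174.145.124 is the IP named in the article.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 layout, no XML namespace).
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>35.174.145.124</source_ip><count>42</count>
   <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>8</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>mail.example.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

BASIS = {(True, True): "spf+dkim", (True, False): "spf-only",
         (False, True): "dkim-only", (False, False): "fail"}

def summarize(report_xml):
    """Count messages per (source IP, SPF domain checked, DMARC basis)."""
    totals = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        evaluated = rec.find("row/policy_evaluated")
        # policy_evaluated carries the *aligned* results, which DMARC acts on;
        # auth_results carries the raw SPF/DKIM checks and the domains used.
        spf_ok = evaluated.findtext("spf") == "pass"
        dkim_ok = evaluated.findtext("dkim") == "pass"
        key = (rec.findtext("row/source_ip"),
               rec.findtext("auth_results/spf/domain"), BASIS[(spf_ok, dkim_ok)])
        totals[key] += int(rec.findtext("row/count"))
    return dict(totals)

def spf_only_sources(report_xml):
    """IPs that pass DMARC on SPF alone, i.e. only because your SPF record lists them."""
    return sorted({ip for ip, _, basis in summarize(report_xml) if basis == "spf-only"})

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_REPORT).items()):
        print(count, *key)
    print("SPF-only sources:", spf_only_sources(SAMPLE_REPORT))
```

Aggregate reports are third-party input, so parse real ones with a hardened XML parser such as defusedxml.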

Common scenarios and solutions

After diagnosis, you'll likely fall into one of a few common scenarios. Understanding these helps in applying the correct fix. Many DMARC failures, or unexpected passes, stem from how SPF and DKIM are configured and interact with third-party services.
A common scenario is that a previous IT administrator or even a well-intentioned user accidentally added spfa.cpmails.com to your SPF record without realizing its implications or that the service was not actually in use for sending your domain's emails. The DMARC reports show pass because your domain's SPF record legitimizes Avanan's IP for your domain.
Another possibility is that Avanan is used by a recipient's mail server. If an email you send passes through a recipient's Avanan instance, it might still show up in your DMARC reports, particularly if Avanan performs some level of authentication or reporting on inbound emails. This doesn't mean you are sending through Avanan, but rather that a mail server on the receiving end uses it.
Finally, a user-initiated plugin or an unapproved encrypted mail offering could be relaying emails through Microsoft 365, which then passes them through Avanan for scanning before delivery. Even if the plugin sends through Microsoft 365's infrastructure, an Avanan integration could cause its presence in the authentication chain, or its encrypted mail offering could be responsible, as discussed on the Avanan DMARC management support page.

Issue

  1. Unexpected Avanan entries: Seeing Avanan IPs or domains in DMARC reports despite no known direct service usage.
  2. SPF record misconfiguration: Accidental inclusion of Avanan SPF mechanisms that allow their IPs to pass SPF for your domain.

Solution

  1. Remove unnecessary SPF entries: If Avanan is not a sender, remove include:spfa.cpmails.com or similar entries from your SPF record. You can refer to why your emails fail at Microsoft for related issues.
  2. Audit email flow and plugins: Check for any installed Outlook plugins, connectors, or email routing rules that might be inadvertently sending mail through Avanan. Also, verify with all departments about any new software purchases.

Ensuring proper DMARC alignment

Resolving unexpected Avanan entries is primarily about ensuring your DMARC, SPF, and DKIM configurations accurately reflect your legitimate email sending practices. A low DMARC success rate can lead to issues with spam rates and even domain blocklisting (also called blacklisting).
Regularly review your DNS records, particularly your SPF and DKIM entries. Make sure they only include authorized sending sources. If an SPF record contains an include statement for a service you don't use for sending, remove it. This prevents unintended parties from passing SPF authentication for your domain.

| Authentication type | Description | Impact on DMARC |
| --- | --- | --- |
| SPF pass & alignment | The sending IP is authorized by your SPF record, and the return-path domain matches the DMARC From: header domain. | DMARC passes. Email is delivered based on policy (p=none, p=quarantine, p=reject). |
| DKIM pass & alignment | The email has a valid DKIM signature, and the signing domain matches the DMARC From: header domain. | DMARC passes. Email is delivered based on policy (p=none, p=quarantine, p=reject). |
| Avanan appearance without direct use | Avanan's IP or domain appears in DMARC reports, potentially due to SPF inclusion or recipient-side scanning. | If SPF/DKIM align (even if unintended), DMARC may pass, but it signals a need for investigation. |

Summary

Dealing with unexpected entries in your DMARC reports, like those from Avanan, requires a methodical approach. By diligently analyzing your DMARC data, scrutinizing your DNS records for unintended SPF inclusions, and auditing your internal email configurations, you can pinpoint the source of these anomalies.
Rectifying these issues ensures that your DMARC policies accurately reflect your legitimate sending infrastructure. This in turn strengthens your email security posture, improves deliverability, and helps protect your domain from unauthorized use and potential blocklisting, ultimately contributing to better email reputation.
Remember, DMARC is a powerful tool for monitoring and enforcing email authentication, but its effectiveness relies on accurate configuration and continuous vigilance. Proactive monitoring of your DMARC reports and DNS settings is key to maintaining a healthy and secure email ecosystem.

Views from the trenches

Best practices
Routinely audit all DNS records, especially SPF, to ensure only authorized sending sources are included and remove any obsolete or mistakenly added entries.
Implement a clear process for all software purchases and deployments to prevent 'shadow IT' and ensure all email-related services are properly configured and known to the IT department.
Educate your team on DMARC, SPF, and DKIM best practices, emphasizing the importance of accurate configuration to avoid deliverability and security issues.
Maintain a comprehensive inventory of all third-party email services used by your organization to quickly cross-reference with DMARC reports and identify unexpected senders.
Common pitfalls
Adding SPF 'include' statements for services seen in DMARC reports without verifying actual sending or service contracts, leading to unintended SPF passes for irrelevant IPs.
Overlooking the possibility of user-installed plugins or applications that relay email through standard channels, bypassing central IT oversight.
Failing to conduct a full DNS lookup to 'flatten' SPF records, which can hide nested 'include' statements that point to unexpected third-party IPs.
Relying solely on simplified DMARC dashboard views that might show 100% compliance when only one authentication mechanism passes, masking underlying issues.
Expert tips
Always inspect the raw DMARC aggregate reports for granular detail on IP addresses and authentication outcomes, as summarized dashboards can be misleading.
If an email security gateway is truly deployed, ensure its IP ranges are correctly authorized in your SPF record and that DKIM is properly handled, either by the gateway signing or preserving your original signature.
For outbound emails seemingly routed through an external security service like Avanan, confirm if your organization is explicitly paying for or routing mail through this service. Check financial records for billing under Check Point or its partners.
Remember that DMARC 'pass' can occur if either SPF or DKIM aligns, even if one mechanism is unintentionally configured or the service is an intermediary rather than a direct sender.
Marketer view
A marketer from Email Geeks says: An unexpected DMARC entry might indicate an encrypted mail offering from Avanan, and checking purchase orders or invoices can help identify unapproved services.
2024-11-12 - Email Geeks
Marketer view
A marketer from Email Geeks says: Unexpected DMARC entries could stem from "shadow IT," where someone in the organization deployed a service, potentially an Outlook plugin, that relays through Microsoft 365 without informing the main IT department.
2024-11-12 - Email Geeks
