Configuring DMARC for Email Alerts in VMware Live Cyber Recovery (VLCR)

Article ID: 417666


Products

VMware Live Recovery

Issue/Introduction

This article provides the configuration steps required when enforcing DMARC (Domain-based Message Authentication, Reporting & Conformance) policies, or when email alerts from VMware Live Cyber Recovery (VLCR) are not being received due to domain spoofing protections.

If an organization enforces a strict DMARC policy (p=quarantine or p=reject), these alerts will fail authentication checks and be rejected or flagged as spam because the "Header From" address does not align with a verified "Envelope From" (MAIL FROM) domain.

Environment

VMware Live Cyber Recovery (SaaS)

Resolution

To ensure that VLCR alert notifications pass DMARC checks, the "Header From" address must align with a verified "MAIL FROM" subdomain. This requires a three-step process involving DNS updates and coordination with Broadcom Support.

1. Configure a Dedicated Subdomain in DNS: Create a dedicated subdomain (e.g., vlcr.<yourdomain>.com) to authorize Amazon SES to send mail on behalf of the organizational domain.

Add the following records to the DNS provider:

  • MX Record: Directs mail feedback to the Amazon SES endpoint.

    • Name: vlcr.<yourdomain>.com

    • Type: MX

    • Value: 10 feedback-smtp.<region>.amazonses.com (Ensure the region matches the VLCR instance, e.g., us-west-2)

  • SPF (TXT) Record: Authorizes Amazon SES infrastructure.

    • Name: vlcr.<yourdomain>.com

    • Type: TXT

    • Value: "v=spf1 include:amazonses.com ~all"

2. Engage the Broadcom Support team for "Easy DKIM," as VLCR is a managed SaaS platform and end users cannot access the backend Amazon SES console.

  • Open a support ticket with Broadcom Support and provide the newly created subdomain details.

  • Support will enable Easy DKIM for the tenant instance.

  • Broadcom Support will provide three (3) CNAME records generated by Amazon SES. Add these records to the organizational DNS to enable DKIM signing, which is critical for DMARC "Pass" results.

3. Internal Validation and DMARC Compliance: Once all DNS records have propagated globally:

  • Provide the sample email, including full headers, to the internal IT/Security team.

  • Verify the email headers reflect DMARC: PASS. This confirms the "Header From" domain aligns with the "Envelope From" subdomain.
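
One way to carry out the header check in step 3, shown as an added example that is not part of the original article or any Broadcom tooling: it parses a saved message's headers and reports the DMARC verdict and which identifier (SPF or DKIM) aligned with the "Header From" domain. The sample message, the `example.com` names, and the subdomain-suffix alignment test (used in place of a Public Suffix List lookup) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not a real VLCR message); example.com is a placeholder.
SAMPLE = """\
Return-Path: <0100018f-bounce@vlcr.example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=vlcr.example.com;
 dkim=pass header.d=example.com;
 dmarc=pass (p=REJECT) header.from=example.com
From: VLCR Alerts <alerts@example.com>
Subject: VLCR alert (constructed sample)
"""

def domain_of(addr):
    """Return the lowercased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def aligned(a, b):
    """Relaxed alignment approximated without a Public Suffix List (assumption):
    the domains are equal, or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def verdict(ar, method):
    """Extract the result for spf/dkim/dmarc from Authentication-Results text."""
    m = re.search(rf"\b{method}=(\w+)", ar)
    return m.group(1).lower() if m else "missing"

def check_alert(raw):
    msg = message_from_string(raw)
    header_from = domain_of(msg.get("From", ""))
    mail_from = domain_of(msg.get("Return-Path", ""))
    # Collapse folded Authentication-Results headers into one string.
    ar = " ".join(" ".join(v.split()) for v in msg.get_all("Authentication-Results", []))
    d = re.search(r"\bheader\.d=([\w.-]+)", ar)
    dkim_d = d.group(1).lower() if d else ""
    spf_ok = verdict(ar, "spf") == "pass" and aligned(header_from, mail_from)
    dkim_ok = verdict(ar, "dkim") == "pass" and aligned(header_from, dkim_d)
    return {
        "header_from": header_from, "mail_from": mail_from,
        "dmarc": verdict(ar, "dmarc"),
        "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
        # DMARC needs at least one aligned pass; the receiver's verdict must agree.
        "ok": verdict(ar, "dmarc") == "pass" and (spf_ok or dkim_ok),
    }

if __name__ == "__main__":
    for key, value in check_alert(SAMPLE).items():
        print(f"{key}: {value}")
```

Rely only on the Authentication-Results header stamped by your own receiving mail system, since a sender can insert one of its own.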

Additional Information

AWS SES Custom MAIL FROM Domain Documentation: Using a custom MAIL FROM domain

Configure Email Alerts on VLCR.