Unable to receive emails from RSA's customer support ticketing system and/or our ID Plus mail service
Originally Published: 2023-12-08
Issue
Resolution
- RSA uses the @rsa.com and @securid.com domains for customer support and product notifications.
- RSA does send certain emails using third-party services, such as Salesforce or Amazon Simple Email Service.
- RSA has configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) signing, and a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy set to reject, to minimize the risk of emails being spoofed from our domains.
- RSA has ensured that all third-party services which send email on our behalf are properly configured to align with our DMARC policy; that is, the message is signed with our published DKIM keys and/or passes SPF record checks.
In cases where RSA has been asked to investigate failed email delivery, we have found that the most common cause for the message being rejected is a dual mail filter on the recipient’s end. In these cases, the recipient had a mail filter which rejects, quarantines, or delivers the email to the destination mail server. If the destination mail server also has filtering enabled, special configuration is required to prevent SPF (and in some cases DKIM) failure.
Routing the mail through the upstream filter causes the destination server to see the mail filter’s IP as the sending IP, so the SPF check fails. Additionally, some mail filters modify the message, which invalidates the hash of the message and therefore the DKIM signature.
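The failure mode described above, as an added example (not RSA's code or DNS records): a Python sketch of what the destination server computes when mail arrives directly versus through an upstream filter. The SPF record, IP addresses and message body are constructed, only `ip4:`/`ip6:` and `all` are evaluated, DKIM is reduced to its body-hash comparison, and alignment with the From domain is assumed.

```python
import base64, hashlib, ipaddress, re

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_result(record: str, connecting_ip: str) -> str:
    """Evaluate only ip4:/ip6: mechanisms and 'all' (a subset of RFC 7208)."""
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:              # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return RESULT[qualifier]
        elif mech == "all":
            return RESULT[qualifier]
    return "neutral"

def dkim_body_hash(body: bytes) -> str:
    """bh= value: SHA-256 over the relaxed-canonicalized body (RFC 6376, 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":            # drop trailing empty lines
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def dmarc_disposition(spf: str, dkim_ok: bool, policy: str = "reject") -> str:
    """Assumes both mechanisms are aligned with the From domain."""
    return "deliver" if spf == "pass" or dkim_ok else policy

# Constructed sample data (documentation IP ranges, not any real domain's record).
SPF_RECORD = "v=spf1 ip4:198.51.100.0/24 -all"
SENDER_IP = "198.51.100.25"     # authorized sending service
FILTER_IP = "203.0.113.10"      # recipient's upstream mail filter
BODY = b"Your support case has been updated.\r\n"
SIGNED_BH = dkim_body_hash(BODY)                 # what the sender put in bh=

def evaluate(connecting_ip: str, body_seen: bytes):
    """What the destination server concludes for one delivery path."""
    spf = spf_ip_result(SPF_RECORD, connecting_ip)
    dkim_ok = dkim_body_hash(body_seen) == SIGNED_BH   # body-hash check only
    return spf, dkim_ok, dmarc_disposition(spf, dkim_ok)

if __name__ == "__main__":
    tagged = BODY + b"[Scanned by upstream filter]\r\n"
    print("direct           ", evaluate(SENDER_IP, BODY))
    print("via filter       ", evaluate(FILTER_IP, BODY))
    print("via filter+banner", evaluate(FILTER_IP, tagged))
```

The middle case shows why a filter that relays the message unmodified is still delivered: a valid DKIM signature alone satisfies DMARC even though SPF fails.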
To prevent these issues, the destination mail server must be properly configured. One way to accomplish this is by disabling all spam filtering on the destination server and relying on the mail filter to perform all inspection. Some email providers (for example, Microsoft) have additional options that allow some filtering to remain in place on the destination server.
Below are some links to documentation from vendors that explain the configuration required to accommodate upstream mail filtering: