DMARC might be blocking your email notifications from Jira

@Praveen Prabhakar Thanks for sharing this and the workarounds for Cloud JIRA users.

Few questions-

1. This issue of DMARC failure is only for Jira cloud, its not for Jira hosted?

2. Is any roadmap there for the resolution of this issue in near future?

3. Is this issue also happening with Jira ServiceDesk cloud?

We uses GSuite as our mail server, how to do workaround with this so that not even our employees, outside users also get email in inbox?

@Shailendra Yes this is also happening for Jira ServiceDesk cloud.

However this article misses the point - what is missing from the implementation is signing the outgoing messages with the correct DKIM signature so that DKIM aligns and passes the DMARC checks. 

Fixing the issue doesn't require a 'email suppression list' - it just requires sent emails to be signed with the correct DKIM signature for the custom domain rather than the *.atlassian.net domain. 

@Praveen Prabhakar your competitors implement this correctly - why is it so hard to implement it at Atlassian?

@James Sharpe thanks for the response. I am 100% sure that @Praveen Prabhakar from Atlassian team will not have any firm answer on this and cannot provide us any clear picture on roadmap of implementing this feature on Jira cloud.

Instead of using sendgrid for the email-delivery, I would recommend to allow usage of our own mail servers. Adding SMTP/IMAP-accounts is already possible in Jira, why not using those for the notifications?

Sending Mail through the customers' mail server would also allow different handling between Jira-notifications (they would now be internal emails) and emails from outside.

Maybe, we should switch to YouTrack.

I'm a Jira Service Desk customer (not for long, we are migrating out due to this). It blows my mind that, regardless of the fact that literally every customer service platform I have looked into other than Jira Service Desk does this correctly, Atlassian finds it acceptable to have their outgoing Service Desk mail categorized as spam when using a customer domain. You all do know that this is a huge deal-breaker, right? Our customers cannot see our replies to their support requests because they end up in spam. We are not going to ask them to whitelist our domain as that is just ridiculous and makes us look like we don't know what we are doing.

I am scared too. How can that be? Why is neither one (correct DKIM signature) nor the other (sending mail through the customers mail server) supported? This is a big nuisance for us!

So.. of the 3 "workarounds" above.

The first means "gets every customer to manually white list your domain" (and look unprofessional)

or

Send all your email through Atlassian's domain and look unprofessional

or

Set Dmarc to None and look unprofessional while opening yourself up to spoofing and phishing

I am genuinely staggered that Atlassian are offering these "workarounds" and not actually addressing the problem.

No where is the option to "use your own smtp gateway" or any way to actually secure your outgoing email and look like a competent company!

I'm not the only one thinking this is actually a deal breaker and for my company it really really is.

In addition to the comments from @Iain Alexander above, workaround #1 requires customers to whitelist a whole list of IP ranges including:

167.89.0.0/17

This is SendGrid's outgoing IP range, which means that we need to open ourselves up to any and all phishing and spam content sent through SendGrid - absolutely unacceptable as a solution.

This can't be real.... We are in the year 2020 and Atlassian doesn't know how to send emails?!

We just switched to Jira Services Desk and I come across this as our internal customers are getting emails marked as [SPOOF]. The only workaround would be to open up to the full range of IPs from sendgrid, which is ABSOLUTELY NOT ACCEPTABLE. If we can't find a quick acceptable solution to this problem, we will be saying goodbye to Jira.

I hope someone at Atlassian is looking into the need for better tech leadership and can provide an explanation.

It's terrible. Atlassian, please, do something with that.

If you are using SendGrid, can we just use our own API key for sending?

I already have SendGrid working correctly.

I have also spent a lot of time setting up jira service desk. I really hope that Jira can provide a solution because besides this issue I've been very satisfied with their toolkit.

Hopefully someone takes note of the comments above and provides a solution ASAP

The sendgrid aspect is challenging given there have been a number of observed phishing attacks that are perpetuated through abusing their services. Put another way, the whitelisting approach is effectively asking to whitelist a phishing platform given the way sendgrid gets abused. I think the ask here would be a bit more tolerable if you were using something like AWS SES, are there any plans to move away from sendgrid?

sigh... WL sendgrid is not tenable and disabling DMARC is not happening. Next?

Who else is watching this issue in 2022 while this problem is there since ages and see that Atlassian didn't fixed this?  They are not even thinking about fixing it... they are at the "GATHERING INTEREST" on JRASERVER-40169 since 2014! 

@Christian de Bellefeuille This has been implemented recently.

Have a look at https://community.atlassian.com/t5/Jira-Service-Management-articles/Doing-Jira-Service-Management-Customer-Notifications-Right/ba-p/1877664?utm_campaign=kudos_article&utm_content=topic&utm_medium=email&utm_source=atlcomm 

Clarification, does that solution cover both service management projects and software projects? Put another way, does this solution for both external email-based communications (i.e. service management project notifications) and also internal email notifications (i.e. software project notifications)?

@Matthew Casperson To my understanding Atlassian finally made the effort to solve both issues.

@Jeff Reek , i'll have a look at this, thanks