DMARC alignment failure for bounce emails from bounce@atlassian.net sent via Amazon SES

    • 1
    • Severity 3 - Minor

      Issue Summary

      • When Atlassian needs to bounce a customer’s incoming email, we send a Delivery Status Notification (DSN) from bounce@atlassian.net explaining why the message was bounced. These DSN/bounce emails are currently failing DMARC alignment because they are sent via Amazon SES and authenticated as amazonses.com rather than atlassian.net.
      • For customers whose mail gateways enforce the DMARC policy (p=reject or p=quarantine) for atlassian.net, these failures cause Atlassian-generated bounce notifications to be rejected or quarantined. As a result, customers may not receive important information about why their emails to Atlassian/Jira were not delivered, and they cannot treat these DSNs as trusted messages.

        Steps to Reproduce

      1. Send any email to a non-existent Jira Cloud mailbox, for example:
        jira@thistenantdoesnotexistinatlassian.atlassian.net
        You should receive a bounce/DSN email indicating that the mailbox doesn’t exist.
      2. Observe that the bounce email has the From address:
        bounce@atlassian.net
        which belongs to the atlassian.net domain (with DMARC policy set on that domain).
      3. On a receiving domain that enforces DMARC (p=reject or p=quarantine) for atlassian.net, check how the receiving mail gateway handles this DSN.
        • In many cases it will be quarantined or rejected.
      4. Inspect the headers of the bounce email. Typical example (customer case):
        • From: bounce@atlassian.net
        • Sent via Amazon SES (aXX-YY.smtp-out.amazonses.com, IPs like 54.240.14.90)
        • DKIM-Signature: d=amazonses.com
        • Authentication-Results:
          • spf=none or not aligned with atlassian.net
          • dkim=pass header.d=amazonses.com
          • dmarc=fail action=reject header.from=atlassian.net
      5. Because the From domain is atlassian.net, but the passing DKIM signature is for amazonses.com and SPF is either absent or not aligned with atlassian.net, no authenticated identity matches the From domain. The message therefore fails DMARC alignment and is treated as suspicious by DMARC-enforcing receivers.
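
The alignment check that step 5 describes can be reproduced against an Authentication-Results header value. The following is an added example, not Atlassian's code: the sample headers are constructed from the values quoted above, `mx.example.net`, `bounces.amazonses.com` and `mail.atlassian.net` are hypothetical, and the organizational domain is approximated as the last two labels (real evaluators use the Public Suffix List).

```python
import re

def org_domain(domain: str) -> str:
    # Assumption: last two labels; production evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def parse_auth_results(value: str) -> dict:
    """Collect (result, domain) pairs for SPF and DKIM from a header value."""
    out = {"spf": [], "dkim": []}
    for clause in value.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", clause))
        if method == "spf":
            domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
        else:
            domain = props.get("header.d", "")
        out[method].append((result, domain))
    return out

def dmarc_alignment(value: str, from_domain: str, adkim="r", aspf="r") -> dict:
    """DMARC passes if any passing SPF or DKIM identity aligns with the From domain."""
    res = parse_auth_results(value)
    spf_ok = any(r == "pass" and d and aligned(d, from_domain, aspf)
                 for r, d in res["spf"])
    dkim_ok = any(r == "pass" and d and aligned(d, from_domain, adkim)
                  for r, d in res["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed samples (header values only, without the field name).
FAILING = ("mx.example.net; spf=none; dkim=pass header.d=amazonses.com; "
           "dmarc=fail action=reject header.from=atlassian.net")
DUAL_SIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounces.amazonses.com; "
               "dkim=pass header.d=amazonses.com; dkim=pass header.d=atlassian.net")
SUBDOMAIN = "mx.example.net; spf=none; dkim=pass header.d=mail.atlassian.net"

if __name__ == "__main__":
    for name, hdr in [("failing", FAILING), ("dual-signed", DUAL_SIGNED),
                      ("subdomain", SUBDOMAIN)]:
        print(name, dmarc_alignment(hdr, "atlassian.net"))
```

The dual-signed sample shows that one aligned DKIM signature is enough for DMARC to pass even while SPF stays unaligned; the subdomain sample passes only under relaxed DKIM alignment.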

      Expected Results

      • Bounce / DSN emails from bounce@atlassian.net should pass DMARC for the atlassian.net domain.
      • Specifically:
        • Either SPF or DKIM (or both) should align with atlassian.net under the configured DMARC mode (relaxed/strict).
        • Customers enforcing DMARC on atlassian.net should be able to reliably receive and trust Atlassian-generated DSNs related to their mail.

      Actual Results

      • Bounce / DSN emails from bounce@atlassian.net fail DMARC alignment when received by domains enforcing DMARC for atlassian.net.
      • Because the From address is bounce@atlassian.net and Atlassian’s DMARC policy for atlassian.net is set to p=reject (and sp=reject for subdomains), the recipient’s mail gateway correctly:
        • Rejects or quarantines these DSNs, and
        • Prevents end users from seeing why their original email to Jira/Atlassian bounced.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee:
            Unassigned
            Reporter:
            Dishon Victor
            Votes:
            0
            Watchers:
            2