1 Topic by udi111

  • udi111
  • Member
  • Offline
  • Registered: 2011-09-03
  • Posts: 19

Topic: dmarc fails when recipient auto-forwards to gmail

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.0
- Deployed with iRedMail Easy or the downloadable installer? dl
- Linux/BSD distribution name and version: deb10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): my
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I need your help, I don't know if I misconfigured something, or it's just how DMARC works, anyway this is beyond my knowledge.

When the recipient auto-forwards the mail to gmail, DMARC fails.

My dns records:

mydomain.com    1800    MX    10 mx.mymaildomain.com
mydomain.com    1800    TXT    v=spf1 mx ~all
mydomain.com    1800    TXT    v=DMARC1; p=reject; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com
dkim._domainkey.mydomain.com    1800    TXT    v=DKIM1; p=...

I use the same DKIM record for all of my domains:

dkim_key('mymaildomain.com', 'dkim', '/var/lib/dkim/mymaildomain.com.pem');
@dkim_signature_options_bysender_maps = ({
    '.' => {d => 'mymaildomain.com',
            a => 'rsa-sha256',
            c => 'relaxed/simple',
            ttl => 30*24*3600 },
});


The google report for the PASSED (I posted this because there's already a dkim fail):

<record>
    <row>
        <source_ip>my.ip</source_ip>
        <count>30</count>
        <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>pass</spf>
        </policy_evaluated>
    </row>
    <identifiers>
        <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
        <dkim>
            <domain>mymaildomain.com</domain>
            <result>pass</result>
            <selector>dkim</selector>
        </dkim>
        <spf>
            <domain>mydomain.com</domain>
            <result>pass</result>
        </spf>
    </auth_results>
</record>

With the forwarded messages, SPF softfails, so DMARC rejects:

  <record>
    <row>
      <source_ip>not.my.ip</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mymaildomain.com</domain>
        <result>pass</result>
        <selector>dkim</selector>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>

thanks
adam

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: dmarc fails when recipient auto-forwards to gmail

Try SRS: https://docs.iredmail.org/srs.html

3 Reply by udi111

  • udi111
  • Member
  • Offline
  • Registered: 2011-09-03
  • Posts: 19

Re: dmarc fails when recipient auto-forwards to gmail

Sorry if it wasn't clear enough, it is about the outgoing mails, some of which are then forwarded towards (without srs, probably), which I have no control over.

Are my settings ok?

4 Reply by udi111

  • udi111
  • Member
  • Offline
  • Registered: 2011-09-03
  • Posts: 19

Re: dmarc fails when recipient auto-forwards to gmail

Well, it seems to be fixed, since I configured amavis dkim keys per-domain, instead of catch-all.

The lazy works twice.
But he always learns something new smile

cheers