On Apr 26, 2014, at 7:58 PM, Paul Scott <[email protected]> wrote:

> What happens is that a user, say using Yahoo! Mail, sends an e-mail to someone whose domain I host (pretend it’s example.com), and that someone wishes their e-mail forwarded automatically to, say, Gmail. That is, [email protected] pens an e-mail to [email protected] who wishes to pick up mail on Gmail. In this case, the Gmail server rejects the forwarded mail from example.com, not on the basis of DKIM, but on the basis of Yahoo! mail DMARC policy. Straight away, this is a huge problem if one wishes the From: header to remain unchanged (a reasonable expectation). It means, as I understand it, that DMARC prevents such forwarding. I find this an unacceptable situation in a reasonable scenario.
>
> Since the only solution to avoid the rejected mail seems to be modifying the original From: header — which I’ve reluctantly done -- to one that passes (or completely avoids) DMARC at the forwarded server, and applying a new Reply-To: header — assuming one didn't already exist, which you’d of course want to keep -- a totally new and unacceptable problem arises: If the original sender signed/encrypted the e-mail message, then modifying the From: header will cause their x.509 certificate to fail validation; the entity in the From: header does not match the certificate’s entity. This has nothing to do with DKIM, as some people seem to be suggesting.
>
> I certainly understand the concept under which DMARC arose, but I have to say — unless I’m missing something — that the implementation is not very useful except in a very restricted scenario. When mail services used by the general public adopt DMARC, then something as simple as forwarding mail intact becomes an impossibility.
>
> If there is a reasonable solution that I’ve overlooked, I’d appreciate someone’s input. Thanks.

If you're just doing simple forwarding - no body modification, no header modification (other than adding a received header) then it should "just work". If it's not, you probably need to diagnose what you're doing to the mail to invalidate the DKIM signature.

Cheers,
  Steve

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
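
An added example, not part of the original thread or any poster's code: a Python check that compares a message with its forwarded copy under the DKIM canonicalization rules of RFC 6376 and reports which signed part changed in transit. The sample messages, the addresses and the default list of signed headers are constructed assumptions; a real check would take the header list from the signature's h= tag.

```python
import base64
import hashlib
import re

from email import message_from_string

def canon_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space, drop whitespace at end of line.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":          # trailing empty lines are ignored
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()

def body_hash(message, mode="relaxed"):
    """Base64 SHA-256 of the canonical body, comparable to a signature's bh= tag."""
    body = message.replace("\r\n", "\n").partition("\n\n")[2]
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def canon_header(name, value):
    """Relaxed header canonicalization: lower-case name, unfold, squeeze whitespace."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return name.lower() + ":" + value

def diagnose(original, forwarded, signed=("from", "to", "subject", "date")):
    """List the signed parts that differ between the original and forwarded copy."""
    a, b = message_from_string(original), message_from_string(forwarded)
    changed = []
    for h in signed:  # assumed h= list; Received is normally not signed
        if ([canon_header(h, v) for v in a.get_all(h, [])]
                != [canon_header(h, v) for v in b.get_all(h, [])]):
            changed.append("header:" + h)
    if body_hash(original) != body_hash(forwarded):
        changed.append("body")
    return changed

# Constructed sample messages (not taken from the thread).
ORIGINAL = ("From: alice@sender.example\r\nTo: bob@example.com\r\n"
            "Subject: Lunch\r\nDate: Sat, 26 Apr 2014 10:00:00 -0700\r\n"
            "\r\nSee you at noon.\r\n")
FWD_INTACT = "Received: from mx.example.com by mx.forward.example\r\n" + ORIGINAL
FWD_FOOTER = ORIGINAL + "--\r\nForwarded by example.com\r\n"
FWD_REWRITTEN = ORIGINAL.replace("From: alice@sender.example",
                                 "From: forwarder@example.com")

if __name__ == "__main__":
    for name in ("FWD_INTACT", "FWD_FOOTER", "FWD_REWRITTEN"):
        print(name, diagnose(ORIGINAL, globals()[name]) or "signature input unchanged")
```

An empty result means the forwarder left the signed content alone, so the original signature should still verify at the final destination; any entry names the modification to look for in the forwarding configuration.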
