Paul,

To me it seems because your mail server breaks DKIM when forwarding. DMARC relies on DKIM not getting broken in your scenario.

Here is what I propose:

1) open an email account at gmail
2) open an email account at yahoo
3) acquire a private domain and get it to relay all mails to the yahoo account
4) send an email from the gmail account to the private domain
5) check the authentication results on the email you received at gmail
6) see that DKIM was broken
7) fix your mail server until DKIM does not break

If you tell us what mail server you use to forward, maybe we can point you to some information on how to preserve DKIM.

How does that sound?

Printed on recycled paper!

On Apr 26, 2014, at 19:58, "Paul Scott" <[email protected]> wrote:

On Apr 26, 2014, at 4:40 PM, Franck Martin <[email protected]> wrote:

I’m not sure the original email from Paul Scott was about him running a mailing list, or something like this… So I think it was best to put aside the mailing list issue and help him to solve his problem. Let’s focus on problem solving.

It seems he just forwards emails from the internet to their customers to their yahoo/gmail address via their personal domain he hosts …

He should have noticed these errors earlier (DKIM failing), but it may not have had the level of visibility the yahoo/aol policy change brought.

There are a few well known large forwarders/hosting providers that break DKIM when doing just a forwarding. DMARC is only highlighting them and encouraging them to fix their infrastructure. DKIM is an IETF proposed standard since 2007. Time the infrastructure be friendly with it.

Frank,

You are right on the mark. The situation has nothing to do with a mailing list, and were I running a mailing list neither DKIM nor DMARC would be an issue here.

What happens is that a user, say using Yahoo! Mail, sends an e-mail to someone whose domain I host (pretend it’s example.com), and that someone wishes their e-mail forwarded automatically to, say, Gmail. That is, [email protected] pens an e-mail to [email protected] who wishes to pick up mail on Gmail. In this case, the Gmail server rejects the forwarded mail from example.com, not on the basis of DKIM, but on the basis of Yahoo! mail DMARC policy.

Straight away, this is a huge problem if one wishes the From: header to remain unchanged (a reasonable expectation). It means, as I understand it, that DMARC prevents such forwarding. I find this an unacceptable situation in a reasonable scenario.

Since the only solution to avoid the rejected mail seems to be modifying the original From: header — which I’ve reluctantly done -- to one that passes (or completely avoids) DMARC at the forwarded server, and applying a new Reply-To: header — assuming one didn't already exist, which you’d of course want to keep -- a totally new and unacceptable problem arises: If the original sender signed/encrypted the e-mail message, then modifying the From: header will cause their x.509 certificate to fail validation; the entity in the From: header does not match the certificate’s entity. This has nothing to do with DKIM, as some people seem to be suggesting.

I certainly understand the concept under which DMARC arose, but I have to say — unless I’m missing something — that the implementation is not very useful except in a very restricted scenario. When mail services used by the general public adopt DMARC, then something as simple as forwarding mail intact becomes an impossibility.

If there is a reasonable solution that I’ve overlooked, I’d appreciate someone’s input.

Thanks.

Paul
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
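
The authentication-results check described in the thread, as an added example that is not part of the original messages: it reads an Authentication-Results header and reports whether SPF or DKIM passed in alignment with the From: domain, which is what decides DMARC for a forwarded message. The function names, the `mx.receiver.example` host and the three header samples are constructed for illustration, and alignment is simplified to an equal-or-subdomain match.

```python
import re

def parse_auth_results(header):
    """Return [(method, result, {property: value})] from an Authentication-Results value."""
    out = []
    # The first ';'-separated field is the authserv-id; method clauses follow.
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        props = dict(re.findall(r"([\w.]+)=([^\s;]+)", clause[m.end():]))
        out.append((m.group(1).lower(), m.group(2).lower(), props))
    return out

def domain_of(value):
    # Accept "user@domain" or a bare domain.
    return value.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(auth_domain, from_domain):
    # Assumption: simplified relaxed alignment (equal, or one a subdomain of the other).
    # Real evaluators compare organizational domains using the Public Suffix List.
    a, f = domain_of(auth_domain), domain_of(from_domain)
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_verdict(header, from_domain):
    """DMARC passes if SPF or DKIM passed with a domain aligned to the From: domain."""
    spf_ok = dkim_ok = False
    for method, result, props in parse_auth_results(header):
        if result != "pass":
            continue
        if method == "spf" and aligned(props.get("smtp.mailfrom", ""), from_domain):
            spf_ok = True
        if method == "dkim" and aligned(props.get("header.d", ""), from_domain):
            dkim_ok = True
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed samples: a yahoo.com sender seen directly, then via a forwarder at example.com.
DIRECT = "mx.receiver.example; spf=pass smtp.mailfrom=user@yahoo.com; dkim=pass header.d=yahoo.com"
FORWARDED_INTACT = ("mx.receiver.example;\n spf=pass smtp.mailfrom=bounce@example.com;\n"
                    " dkim=pass header.d=yahoo.com")
FORWARDED_BROKEN = ("mx.receiver.example;\n spf=pass smtp.mailfrom=bounce@example.com;\n"
                    " dkim=fail (body hash did not verify) header.d=yahoo.com")

if __name__ == "__main__":
    for name in ("DIRECT", "FORWARDED_INTACT", "FORWARDED_BROKEN"):
        print(name, dmarc_verdict(globals()[name], "yahoo.com"))
```

In the forwarded cases SPF passes only for the forwarder's own domain, so it never aligns with the yahoo.com From: header and the outcome rests on whether the original DKIM signature still verifies.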
