On 06/04/2017 20:12, Yeo via dmarc-discuss wrote: > > > We enabled DMARC verification at our mail gateway level, we noticed a > lot of mails failed DMARC verification due send on behalf. > > Those mails are legitimate mail how suggest that we can apply in order > to ensure our verification will not fail those sender? >
Since you mention doing verification on your gateway, I'm guessing you are referring to messages sent to your domain from the Internet? And further that these are messages ostensibly from a user in Domain A, using their email address in the RFC5322.From, but in fact sent from Domain B. So there's no SPF pass according to Domain A's policy, and Domain B doesn't sign with a DKIM key from Domain A, and Domain A publishes a DMARC policy with a policy of quarantine or reject (e.g. "p=reject")? If all that's true, I think your gateway is doing what Domain A requested you do with messages that don't pass DMARC checks. If you're referring to mailing list traffic, this is a known issue, and there is on-going work in the IETF DMARC Working Group to address it. There is another protocol, ARC, that is meant to address that and similar use cases (see http://arc-spec.org for info). If that's not the kind of situation you're seeing, feel free to provide some more detail. --S.
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
