Dear List,

I have come across a strange problem.

One of our customers is forwarding his emails to his google account. We do implement SRS to rewrite the envelope sender to match our SPF record. All other headers are preserved, in case they are DKIM Signed.

Google rejects the emails with:

    <google destination email>: host
        gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1b] said:
        550-5.7.1 Unauthenticated email from mail.ru is not accepted due to domain's
        550-5.7.1 DMARC policy. Please contact the administrator of mail.ru domain if
        550-5.7.1 this was a legitimate mail. Please visit
        550-5.7.1 https://support.google.com/mail/answer/2451690 to learn about the
        550 5.7.1 DMARC initiative. m43si134563edm.154 - gsmtp
        (in reply to end of DATA command)

OK, I have not yet stumbled over a lot of email senders using DMARC. So I read on:

https://en.wikipedia.org/wiki/DMARC

Did I get that right? DMARC checks that the envelope-from and From: header are 'aligned'?

Well, how the hell should that work when an email is being forwarded? SPF requires that I rewrite the envelope sender, DKIM requires that I don't alter the signed From: Header, DMARC requires that I do alter the From: Header?

And where the heck does mail.ru publish its DMARC policy via DNS?

    mail.ru has address 217.69.139.201
    mail.ru has address 94.100.180.201
    mail.ru has address 217.69.139.200
    mail.ru has address 94.100.180.200
    mail.ru name server ns3.mail.ru.
    mail.ru name server ns1.mail.ru.
    mail.ru name server ns2.mail.ru.
    mail.ru has SOA record ns1.mail.ru. hostmaster.mail.ru. 3300745053 900 900 604800 60
    mail.ru mail is handled by 10 mxs.mail.ru.
    mail.ru descriptive text "v=spf1 redirect=_spf.mail.ru"
    mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1

    _spf.mail.ru descriptive text "v=spf1 ip4:94.100.176.0/20 ip4:217.69.128.0/20 i"
    "p4:128.140.168.0/21 ip4:188.93.58.0/24 ip4:195.2"
    "11.128.0/22 ip4:188.93.59.0/24 ip4:128.140.170.0"
    "/24 ip4:178.22.92.0/23 ip4:185.5.136.0/22 ip4:5."
    "61.237.0/26 ip4:5.61.237.128/25 ip4:5.61.236.0/2"
    "4 ip4:5.61.239.143/32 ip4:5.61.239.144/32 ~all"

Well, this somehow looks like a broken SPF record. Anyway, ~all would specify softfail and not reject.

Can anyone help putting the puzzle together? How would one correctly implement email forwarding which works with all kinds of SPF, DKIM and DMARC Variants?

And yes, I know, email forwarding is considered bad(tm), but it is still widely used.

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    - Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________