Dear List

I have come across a strange problem.

One of our customers is forwarding his emails to his google account.

We do implement SRS to rewrite the envelope sender to match our SPF
record.
All other headers are preserved, in case they are DKIM Signed.

Google rejects the emails with:

<google destination email>: host
    gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1b] said: 550-5.7.1
    Unauthenticated email from mail.ru is not accepted due to domain's
    550-5.7.1 DMARC policy. Please contact the administrator of mail.ru
    domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1
    https://support.google.com/mail/answer/2451690 to learn about the
    550 5.7.1 DMARC initiative. m43si134563edm.154 - gsmtp (in reply to end
    of DATA command)

Ok I have not yet stumbled over a lot of email senders using DMARC. So
I read on: https://en.wikipedia.org/wiki/DMARC

Did I get that right? DMARC checks that the envelope-from and From:
header are 'aligned'?

Well how the hell should that work when an email is being forwarded?

SPF requires that I rewrite the envelope sender, DKIM requires that I
don't alter the signed From: Header, DMARC requires that I do alter the
From: Header?

And where the heck does mail.ru publish its DMARC policy via DNS?

mail.ru has address 217.69.139.201
mail.ru has address 94.100.180.201
mail.ru has address 217.69.139.200
mail.ru has address 94.100.180.200
mail.ru name server ns3.mail.ru.
mail.ru name server ns1.mail.ru.
mail.ru name server ns2.mail.ru.
mail.ru has SOA record ns1.mail.ru. hostmaster.mail.ru. 3300745053 900 900 604800 60
mail.ru mail is handled by 10 mxs.mail.ru.
mail.ru descriptive text "v=spf1 redirect=_spf.mail.ru"
mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1

_spf.mail.ru descriptive text "v=spf1 ip4:94.100.176.0/20
ip4:217.69.128.0/20 i" "p4:128.140.168.0/21 ip4:188.93.58.0/24
ip4:195.2" "11.128.0/22 ip4:188.93.59.0/24 ip4:128.140.170.0" "/24
ip4:178.22.92.0/23 ip4:185.5.136.0/22 ip4:5." "61.237.0/26
ip4:5.61.237.128/25 ip4:5.61.236.0/2" "4 ip4:5.61.239.143/32
ip4:5.61.239.144/32 ~all"

Well this somehow looks like a broken SPF record. Anyway ~all would
specify softfail and not reject.

Can anyone help putting the puzzle together?

How would one correctly implement email forwarding which works with all
kinds of SPF, DKIM and DMARC Variants?

And yes I know, email forwarding is considered bad(tm), but it is still
widely used.

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
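
As an added example that is not part of the original post: the DMARC check defined in RFC 7489, which passes when either SPF or DKIM passes for a domain aligned with the From: header domain, applied to a forwarded message. The policy record (DMARC policies are looked up as a TXT record at `_dmarc.<From: domain>`), the `forwarder.example` domain and all authentication results are constructed sample values, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
# Added illustration (not from the original post): DMARC evaluation per RFC 7489.
# The policy record and all results below are constructed sample values.

def parse_dmarc(txt):
    """Parse a DMARC TXT record (published at _dmarc.<domain>) into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels; real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, policy_txt, spf, dkim_sigs):
    """spf = (result, envelope_domain); dkim_sigs = [(result, d_domain), ...]."""
    policy = parse_dmarc(policy_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:           # one aligned pass is enough
        return "pass"
    return policy.get("p", "none")  # none / quarantine / reject

POLICY = "v=DMARC1; p=reject"  # constructed sample, not mail.ru's real record

# Forwarded with SRS: SPF passes for the forwarder's domain, which is not aligned.
srs_spf = ("pass", "forwarder.example")

# Case 1: the original DKIM signature survived forwarding untouched.
intact = dmarc_disposition("mail.ru", POLICY, srs_spf, [("pass", "mail.ru")])
# Case 2: the message was unsigned, or its signature broke in transit.
broken = dmarc_disposition("mail.ru", POLICY, srs_spf, [("fail", "mail.ru")])
# Case 3: direct delivery from the sender's own servers, no DKIM signature.
direct = dmarc_disposition("mail.ru", POLICY, ("pass", "mail.ru"), [])

if __name__ == "__main__":
    print(intact, broken, direct)
```
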
