Looking at the messages from that IP getting that rejection message, I'm seeing a lot of DKIM body hash did not verify, I'd also verify that your system isn't modifying the messages that it is forwarding.
Brandon On Tue, Sep 12, 2023 at 8:20 PM Brandon Long <[email protected]> wrote: > That message did not have a DKIM header ... or was so garbled that we > didn't extract it. > > Due to DKIM replay, we may spam reject forwarded messages that DKIM verify > but not SPF, but those would not have that rejection message. > > And yes, we are continuing to ramp no auth, no entry. > > I'm sure I've had a long explanation on here in the past year, but the > short answer is if the message is not DKIM valid and you're forwarding, you > should rewrite > the MAIL FROM to a domain you own that will SPF authn the message... and > try not to forward spam. > > Brandon > > On Tue, Sep 12, 2023 at 6:00 PM Jason R Cowart via mailop < > [email protected]> wrote: > >> We are seeing an increasing number of bounces by Gmail related to failed >> authentication checks. The bounces include language like: >> >> <<< 550-5.7.26 This mail is unauthenticated, which poses a security risk >> to >> the >> <<< 550-5.7.26 sender and Gmail users, and has been blocked. The sender >> must >> <<< 550-5.7.26 authenticate with at least one of SPF or DKIM. For this >> message, >> <<< 550-5.7.26 DKIM checks did not pass and SPF check for [mcn.org] did >> not >> pass >> <<< 550-5.7.26 with ip: [67.231.157.125]. The sender should visit >> <<< 550-5.7.26 >> https://support.google.com/mail/answer/81126#authentication >> for >> <<< 550 5.7.26 instructions on setting up authentication. >> z6-20020a05622a028600b00403a8e58423si1377805qtw.448 - gsmtp >> 554 5.0.0 Service unavailable >> >> >> >> This is occurring in situations where our users forward their mail to a >> personal Gmail account. SPF checks will of course fail in the scenario, >> but DKIM checks should pass. In fact, they most often do pass—users >> impacted by this are only seeing a small subset of their mail from a given >> sender bounced (which often times will be a Gmail sender). In cases where >> the user retains a copy locally we’ve been able to verify that the DKIM >> signature was present and was successfully validated by our system. >> >> Is anyone else experiencing this? >> >> Is anyone from Google could reach out to me off-list to discuss that >> would be much appreciated. >> >> >> >> Best, >> >> Jason Cowart >> >> Stanford University IT >> _______________________________________________ >> mailop mailing list >> [email protected] >> https://list.mailop.org/listinfo/mailop >> >
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
