Moin, I just got poked by a user that mail delivery for a review system fails to some users;
Specifically, organizations using cloud-hosted Proofpoint setups forwarding to google workspace. Specifically: - A DKIM signed SPF valid mail is delivered to the MX of example.com; These are pp-hosted's servers. - Proofpoint does as proofpoint does, breaking DKIM - Proofpoint then relays the message to the final destination: Google - Google then rejects the message, as it fails DKIM and SPF; While the domain--generally--has a DMARC policy of p=reject and an SPF -all, some of the bounces i just received from google read like they now enforce p=reject globally, regardless of the sender's preferences / actual policy: https://support.google.com/a/answer/81126#authentication """ *Email authentication requirements & guidelines* We require that you set up these email authentication methods for your domain: - All senders: SPF or DKIM - Bulk senders: SPF, DKIM, and DMARC """ Does somebody have input on which of the following options is the most sensible one (i kind of dislike most of them): - Set p=none and ~all; Hope that this is enough for google (doubt; But would appreciate experience reports on this) - Include the barrage of SPF includes from all major relayers, i.e., pp, gmail/gworkspaces, ms/o365 - Complain on mailop@, hoping to get proofpoint and gmail to agree on trusting each other's ARC signatures if proofpoint breaks DKIM and SPF With best regards, Tobias _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
