On 8/2/2024 10:10 AM, Tobias Fiebig via mailop wrote:
> Moin,
> I just got poked by a user that mail delivery for a review system fails
> to some users;
> Specifically, organizations using cloud-hosted Proofpoint setups
> forwarding to google workspace.
> Specifically:
> - A DKIM signed SPF valid mail is delivered to the MX of example.com;
> These are pp-hosted's servers.
> - Proofpoint does as proofpoint does, breaking DKIM
Many of their customers use External Warning Tags, which inserts
external warning text into the message body, obviously breaking the
original DKIM body hash. (i.e. DKIM breaking is entirely dependent on
the customer configuration)
> - Proofpoint then relays the message to the final destination: Google
> - Google then rejects the message, as it fails DKIM and SPF;
Is the mail following this flow?
Original Sender server -> MX (PP Hosted cluster) -> Inbound mail route
to the PP customer's mail store (Google Workspace)
If so, the Proofpoint-protected Google Workspace tenant owner needs to
configure it (workspace) to not enforce email authentication policy, as
SPF/DKIM auth will almost certainly be broken by the filter, and DMARC
(where applicable) will fail for nearly all mail.
Odds are they're probably not receiving a *lot* of mail if this is the
case. Another prime example of not following configuration requirements.
> Does somebody have input on which of the following options is the most
> sensible one (I kind of dislike most of them):
> - Set p=none and ~all; Hope that this is enough for google (doubt; But
> would appreciate experience reports on this)
SPF ~all would be the best case for maximum delivery with a strict DMARC
policy. DMARC p=none would technically fix the problem, but obviously
introduces more security concerns.
> - Include the barrage of SPF includes from all major relayers, i.e.,
> pp, gmail/gworkspaces, ms/o365
I'm sure you know this - but... pls no.
> - Complain on mailop@, hoping to get proofpoint and gmail to agree on
> trusting each other's ARC signatures if proofpoint breaks DKIM and
> SPF
Proofpoint doesn't seal ARC yet, unfortunately. Believe me, I've
/vehemently/ begged for it from their Product teams, as have many others.
- Mark Alley
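As an added illustration of the body-hash breakage discussed in the thread (example code written for this page, not from the list, Proofpoint or Google): it recomputes the DKIM bh= over a constructed text/plain body before and after a gateway prepends an external-sender banner, and then shows how the DMARC p= value alone decides the outcome once both aligned checks fail. It assumes relaxed body canonicalization and rsa-sha256; the banner text and message body are made up.

```python
"""Why an inserted warning banner breaks DKIM while whitespace noise does not."""
import base64
import hashlib
import re

def relaxed_body_canon(body: bytes) -> bytes:
    """Relaxed body canonicalization per RFC 6376 section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of WSP to one SP and strip trailing WSP on every line.
    canon = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while canon and canon[-1] == b"":        # ignore empty lines at end of body
        canon.pop()
    return b"\r\n".join(canon) + b"\r\n" if canon else b""

def body_hash(body: bytes) -> str:
    """The bh= value the signer computes and the verifier recomputes (sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()

def bh_survives(signed_body: bytes, delivered_body: bytes) -> bool:
    """True iff the body hash still verifies after in-transit modification."""
    return body_hash(signed_body) == body_hash(delivered_body)

def dmarc_disposition(spf_aligned_pass: bool, dkim_aligned_pass: bool, policy: str) -> str:
    """RFC 7489: pass if either aligned identifier passes, else apply the p= policy."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass"
    return {"none": "fail (deliver, report only)",
            "quarantine": "fail (quarantine)",
            "reject": "fail (reject)"}[policy]

# Constructed sample: the body as signed at the origin, the same body after a
# gateway prepended an external warning, and a copy altered only in whitespace.
ORIGINAL = b"Hi,\r\n\r\nYour review is due Friday.\r\n\r\n-- \r\nReview system\r\n"
BANNER = b"[EXTERNAL] This message originated from outside the organization."
WITH_BANNER = BANNER + b"\r\n\r\n" + ORIGINAL
WHITESPACE_ONLY = ORIGINAL.replace(b"Friday.", b"Friday.  \t") + b"\r\n\r\n"

if __name__ == "__main__":
    print("bh at signer:   ", body_hash(ORIGINAL))
    print("bh after banner:", body_hash(WITH_BANNER))
    print("whitespace-only change verifies:", bh_survives(ORIGINAL, WHITESPACE_ONLY))
    print("banner insertion verifies:      ", bh_survives(ORIGINAL, WITH_BANNER))
    # The relay hop from the filter's IPs also fails SPF, so only p= is left.
    for p in ("none", "quarantine", "reject"):
        print(f"p={p}:", dmarc_disposition(False, False, p))
```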
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop