Hello Paul,

I acknowledge that this was a well-meaning comment by you, so I skipped
the somewhat more polemic reply I had typed before.

> Maybe avoid putting URLs into the message?

I find this wording 'a bit difficult'.
Proofpoint is a for-profit company that offers email security services
to paying clients. I am some academic hosting digital infrastructure
for a non-profit on my own dime.
My mails follow best practices (including ARC ;-)). Proofpoint breaks
DKIM/SPF and does not monitor their clients' setups for
misconfigurations that are incompatible with the services Proofpoint is
selling to their clients.
The mails I send are (to a degree) bulk-ish/automated; it is
notifications of a review system, letting people know that, e.g., a new
comment was received on a paper they reviewed, somebody highlighted
them in a discussion etc. etc. The "user base" has been well trained to
this mail/workflow for _decades_.
These mails contain links to, e.g., the paper site, so you can directly
look at the comment etc.
Suggesting I should now change the system so proofpoint does not have
to fix their business feels ... untenable if not an actual non-starter.

> Then there will be no URLs for UD to rewrite (and assuming no warning
> tags, etc) then DKIM will remain valid.

There are a couple of other, equally feasible, options here; Please
feel free to bump them to the product team internally:
- If an in-system change is too complicated and/or to have an
  end-to-end monitoring, implement a monitoring feature that tests for
  this specific class of misconfigurations for all clients, and send a
  note to the admin contact of the client if it happens; This should
  not be too difficult. I'd bet that this could be built in less than a
  week (day?):
  - expose URL you can throw a dst_addr and token at
  - Test-cases from a few test domains
    (p=[none|reject|quarantine|no DMARC], SPF [+all|-all|~all|none]
    and DKIM [valid|force_invalid|none] in all combinations) are
    sent
  - If a bounce is received from the PP cluster, a callback is
    called (or maybe just an email to the PP ticket system)
  I am actually sufficiently annoyed with this issue that I'd be
  offering to build _and_ host that service for free, if PP was not a
  for profit company... -.-'
- Just monitor for this kind of failure in-line and notify if it
  happens. If the mail was authenticated well when PP got it, but no
  longer is when relaying, there seems to be sth. wrong on the client's
  side
- Start supporting ARC and get into contact with (at least) the two big
  ESPs where this regularly is an issue so it no longer is an issue

> Should at least be good enough to explain to someone there that they
> need to fix their settings.

As I presume that everyone on this list had to click through "one of
those" security trainings once or twice in their career,... I guess we
all know how
"Hey, I am Tobias from $other_org; WE are having
issues sending you emails. Could you please fix some global
admin settings in Google workspace so we can send mails again..."
should be handled... ;-)

With best regards,
Tobias
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
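
Added example, not part of the message above and not Proofpoint's or the sender's code: a sketch of the in-line check the message suggests, comparing the DKIM body hash (bh=) of a mail as received with the same mail as relayed after URL rewriting. It assumes a=rsa-sha256, relaxed body canonicalization and no l= tag; the domains, selector, rewriter URL and sample mail are constructed.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of WSP to one space, drop WSP at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore trailing empty lines
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def signed_bh(raw: bytes) -> str:
    """Return the bh= value of the first DKIM-Signature header."""
    headers = raw.split(b"\r\n\r\n", 1)[0]
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", headers)   # undo header folding
    m = re.search(rb"(?im)^DKIM-Signature:.*?\bbh=([^;\r\n]+)", unfolded)
    if m is None:
        raise ValueError("no DKIM-Signature with bh= found")
    return re.sub(rb"\s+", b"", m.group(1)).decode()

def body_intact(raw: bytes) -> bool:
    """True if the body still matches the hash the signer committed to."""
    return body_hash(raw.split(b"\r\n\r\n", 1)[1]) == signed_bh(raw)

def broken_in_transit(ingress: bytes, egress: bytes) -> bool:
    """Body hash was fine on receipt but is not on relay: notify the admin."""
    return body_intact(ingress) and not body_intact(egress)

# Constructed sample: a review-system notification containing one link.
BODY = b"New comment on your paper:\r\nhttps://review.example/paper/42#c7\r\n"
HDRS = (b"From: notify@review.example\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
        b" d=review.example; s=sel; h=from;\r\n"
        b" bh=" + body_hash(BODY).encode() + b"; b=PLACEHOLDER\r\n")
INGRESS = HDRS + b"\r\n" + BODY
# Constructed stand-in for a URL-rewriting gateway.
EGRESS = INGRESS.replace(b"https://review.example/",
                         b"https://rewriter.example/?u=https://review.example/")

if __name__ == "__main__":
    print("intact on receipt:", body_intact(INGRESS))
    print("broken by relay:  ", broken_in_transit(INGRESS, EGRESS))
```

The check needs no key material, because bh= covers only the body; verifying b= as well would require the signer's public key from DNS.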