On 26/04/2021 14:46, Dominic Raferd wrote:
>
> On 26/04/2021 13:31, Jeff Abrahamson wrote:
>> On 26/04/2021 12:56, Dominic Raferd wrote:
>>> On 26/04/2021 10:16, Jeff Abrahamson wrote:
>>>> I'm seeing a disturbing (but minority) number of hosts that class our
>>>> mail as spam.  After some digging, I've found an interesting test
>>>> case.  What I'm uncertain of is if this represents a config error on
>>>> our side or a (grossly) misbehaving mail host elsewhere.
>>>>
>>>> The interesting test case is a correspondent with a private domain
>>>> ([email protected]) and a gmail address ([email protected]), both of
>>>> which deliver to his gmail address.  That is, MX for example.com
>>>> points to mx01.1and1.fr but the mail is still delivered to
>>>> [email protected].
>>>>
>>>> When I mail to [email protected], he receives the mail fine, and gmail
>>>> reports that SPF, DKIM, and DMARC all pass.
>>>> When I mail to [email protected], he receives the mail classed as
>>>> spam, gmail reports that SPF is neutral, DMARC fails (and DKIM
>>>> passes).
>>>>
>>>> Now what's odd is that gmail reports that SPF passes with the IP of
>>>> my MX, but in the other case that it fails with the address of
>>>> mout.kundenserver.de.  We've confirmed that mout.kundenserver.de
>>>> handles mail to him via 1and1.fr, but not what could be causing an
>>>> issue.
>>>>
>>>> Mangling headers so badly to cause SPF/DMARC failures seems so
>>>> egregious that I'm inclined to think it's somehow our fault.
>>>>
>>>> (Note: this is about mail for mobilitains.fr and not p27.eu.)
>>>>
>>> When the third party relays your mail from their own mailserver into
>>> gmail it breaks SPF because gmail sees the email coming from the third
>>> party mailserver IP, not from your IP. This is outside your control
>>> unless you want to add all the 3rd party's outgoing email IPs as valid
>>> for your SPF record, which is not advisable. But it should not be a
>>> problem - gmail does not block emails purely on SPF failure. Nor
>>> should anyone else IMO.
>>>
>>> If you use DMARC then ensure that you DKIM-sign all your emails and
>>> they will pass DMARC testing when they reach gmail via the 3rd party
>>> relay (despite SPF failure); this may also improve the reputation of
>>> your email domain within gmail.
>> Thanks.  That's what I thought, too.  But this is the strange thing:
>> gmail reports that the DKIM signature is good even while complaining
>> that DMARC fails.  (And so gmail classes as spam, apparently.)
>>
>> DMARC policy is set to "v=DMARC1; p=none; rua=mailto:[email protected]"; (for
>> _dmarc.mobilitains.fr).
> That is strange, can you provide an example ARC-Authentication-Results
> header from mx.google.com?

Sure thing.  With just a couple mods (to delete people's identities in
From/To/etc.) here are the full headers, including the ARC:

    Delivered-To: XXX
    Received: by 2002:a05:7110:6345:b029:b5:5f87:1ec with SMTP id z5csp282895ged;
            Wed, 21 Apr 2021 03:28:05 -0700 (PDT)
    X-Google-Smtp-Source: ABdhPJywT2+UW/JgbBMP8Alcp45spnb1kq2v3V7kTNdC+4ZlK7DaYZhrTnQ5UKJm7Zi/4OA6THwz
    X-Received: by 2002:adf:f94c:: with SMTP id q12mr25722521wrr.283.1619000885618;
            Wed, 21 Apr 2021 03:28:05 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1619000885; cv=none;
            d=google.com; s=arc-20160816;
            b=qC4YB6BWKyc7GP4BWlzf2v+8bAi22Yi22LHbCAWR+ogGubJ9D/EM+ugzH0LTRsLM2m
             bDDRfbQABWgSOfeQzXXaXNjL+u3+vrXfiMja0UAAkwXHzBq5OoGJ32Sx5tQjxr9KdgRV
             A2ezZz0iA21lugPWvyHNefko5Su+3aJtQR5hmlQOOlTR4zXahamDbNBSKzwin1x6oV8j
             Aw9A9VZt2g8GJ+X6SWW872XXlwMZgprzEnpDkAhDjfcocg9nF9dpZqJEjlQdem4cTH+b
             IpwYbiXOFPEzsVZQ2vKMVd5AGF4Hz4YhMlSK/OyMdMYDt56qxC8i2LarGi9/MijOYUgX
             6VPA==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
            h=mime-version:thread-topic:message-id:cc:to:from:subject:date
             :user-agent:dkim-signature;
            bh=HolG/h/y9aE2cX2S1vc8LvIJywcyj+LKjbMzHE5dchc=;
            b=Y9xcdjqa0TZyBJclLyEmcniWKg/64SdOubjDZQOQOUhCz2zkzsqxyanQtSLyHBP1ka
             nuohEQfwcihqrvfOTvki07i9uXlUAB/ZHPEwENk4idYPXpZEAb1YZwX8JfC5E/ojpD4f
             ggJHsW4TKWaFtTH0GN7epGw2wlQVvvFNM8M3GcL/QtZMICFXQJnZudD4I4i+jjdXAl3v
             19omLli0C1UZIyX89epn1zJeACwHApMv/JApNH7ksaHtzEEx2q+iYInaYYpIvezbhEGv
             fBiiF4IFo97KOf5w9VWANDE4zgU78r4AQHhOhO/fXa3UzJbcAQTGfNRuL7Ljovr8/ymM
             7v5w==
    ARC-Authentication-Results: i=1; mx.google.com;
           dkim=pass [email protected] header.s=mail header.b=mQXXt3xe;
           spf=neutral (google.com: 217.72.192.73 is neither permitted nor
            denied by best guess record for domain of [email protected])
            [email protected];
           dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mobilitains.fr
    Return-Path: <XXX>
    Received: from mout.kundenserver.de (mout.kundenserver.de. [217.72.192.73])
            by mx.google.com with ESMTPS id j12si2247579wmq.140.2021.04.21.03.28.05
            for <XXX>
            (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
            Wed, 21 Apr 2021 03:28:05 -0700 (PDT)
    Received-SPF: neutral (google.com: 217.72.192.73 is neither permitted nor
            denied by best guess record for domain of [email protected])
            client-ip=217.72.192.73;
    Authentication-Results: mx.google.com;
           dkim=pass [email protected] header.s=mail header.b=mQXXt3xe;
           spf=neutral (google.com: 217.72.192.73 is neither permitted nor
            denied by best guess record for domain of [email protected])
            [email protected];
           dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mobilitains.fr
    Received: from [217.72.192.67] ([217.72.192.67])
            by mx.kundenserver.de (mxeue110 [217.72.192.67]) with ESMTPS (Nemesis)
            id 1Mkoav-1lvFYR407T-00mIMK for <[email protected]>;
            Wed, 21 Apr 2021 12:28:05 +0200
    Received: from nantes-m1.p27.eu ([172.105.247.37])
            by mx.kundenserver.de (mxeue110 [217.72.192.67]) with ESMTPS (Nemesis)
            id 1MJU9W-1lFHn23zxY-00JsAh for <[email protected]>;
            Wed, 21 Apr 2021 12:28:04 +0200
    Received: from [192.168.1.35] (176-139-184-203.abo.bbox.fr [176.139.184.203])
            (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
            (Client did not present a certificate)
            (Authenticated sender: [email protected])
            by nantes-m1.p27.eu (Postfix) with ESMTPSA id 37F1AA148D;
            Wed, 21 Apr 2021 10:28:04 +0000 (UTC)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=p27.eu; s=mail;
         t=1619000884; bh=cgbJn61eT58DYGGnJ+KiFz0hVfhG2B9PPsSj7PWJcmA=;
         h=Date:Subject:From:To:CC;
         b=mQXXt3xeT5/lLgnrBRhKpGn4BspBQv7xH7azTepVckHOKDtSm+wjPJHYp9zJ/XCMo
         VKwY2/nVojhyZZN1jlO9X81++485rqxuTxPZMlUKtFxcUhIML1cA2cd8gOdtRsZiVt
         7F9YswqymNrUkNx6YBX8/EigYj71MjeFidOYSVOcLD2XgHZCfh6Y9XaADu8ISBJlRo
         n8APKzaDP2YOwdxNOTve7NH2N7/LDgVJIWEeEj9HTaJeztkx+fVnmpx+xlAK0NoTQ0
         STgz5ZQozL6y80RXW9fF2p4K9MwxffordnEgQLGuFWtIujwg8abIM+WjM+C1vnflYh
         CcxvkmEFozsAw==
    [MUA headers here]

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://mobilitains.fr/
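
An added example, not part of the original post: DMARC (RFC 7489) only counts a DKIM pass when the signature's d= domain aligns with the From: domain, so this sketch compares the two for a constructed message modelled on the headers above. The From local part, the placeholder bh=/b= values, the function names and the `org_domain` shortcut (last two labels instead of a Public Suffix List lookup) are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the headers in the post; the From local part
# and the bh=/b= values are placeholders, not data from the thread.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.s=mail header.b=mQXXt3xe;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mobilitains.fr
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=p27.eu; s=mail;
       h=Date:Subject:From:To:CC; bh=PLACEHOLDER; b=PLACEHOLDER
From: Sender <sender@mobilitains.fr>
Subject: constructed test message

body
"""

def org_domain(domain):
    """Assumption: last two labels stand in for a Public Suffix List lookup."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_tags(value):
    """Parse a DKIM-Signature tag list ('k=v; k=v') into a dict."""
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def dkim_alignment(raw, strict=False):
    """Compare each signature's d= with the From: domain (RFC 7489 alignment)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Simplification: one receiver-level dkim= verdict applied to all signatures.
    verdict = re.search(r"\bdkim=(\w+)", msg.get("Authentication-Results", ""))
    report = {"from": from_dom, "dkim": verdict.group(1) if verdict else None,
              "signatures": []}
    for value in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(value).get("d", "").lower()
        same = d == from_dom if strict else org_domain(d) == org_domain(from_dom)
        report["signatures"].append((d, same))
    # DMARC's DKIM leg needs both a passing signature and an aligned d=.
    report["dmarc_dkim_ok"] = report["dkim"] == "pass" and any(
        ok for _, ok in report["signatures"])
    return report

if __name__ == "__main__":
    print(dkim_alignment(SAMPLE))
```
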
