
I have an active mail relay that uses aliases as its main tool. At some point we started to get bounces for some emails.

Source: somerandomsenderdomain.com
Destination: myemaildomain.com

        mailinglist1: myuser@gmail.com, myuser@myemaildomain.com

Actual Target: gmail.com

So a typical email route will be like this:

info@somerandomsenderdomain.com -> mailinglist1@myemaildomain.com 
                                   (which should send the content to myuser@gmail.com)

In this scenario, mails to myuser@gmail.com will bounce since they fail SPF and DKIM (I can't control it for the originating domain).

How can this be resolved? This was working in the past and started bouncing, probably due to some hardening of Google mail relays.

example response (redacted):

myuser@gmail.com> (expanded from <mailinglist1@myemaildomain.com>): host gmail-smtp-in.l.google.com[142.250.27.27] said: 550-5.7.26 This message does not pass authentication checks (SPF and DKIM both 550-5.7.26 do not pass). SPF check for [somerandomsenderdomain.com] does not pass with ip: 550-5.7.26 [12.34.56.78].To best protect our users from spam, the message 550-5.7.26 has been blocked. Please visit 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for more 550 5.7.26 information. j30-20020a170906105e00b008b12a1a900esi4119290ejj.1001 - gsmtp (in reply to end of DATA command) <

Would appreciate any thoughts and ideas.

Thanks.

DrunkMice
  • One thought I had to resolve this was that Postfix will rewrite the headers and forward to Gmail (this way it is "proxying" and I can control the DKIM / SPF of my server), and that the headers will show the original sender details and reply-to, but the mail will be sent from my server's mail address (similar to mailing lists / Google Groups etc.). If I implement this, I would like it to be only for 3rd-party recipients so that the organization's users will still see the original headers. – DrunkMice Feb 15 '23 at 08:34
  • Do you know if the bounces only happen when the source sender domain has DMARC in reject policy? Authenticated Received Chain would be the ideal technology to set up. It will prove to the receiving server (Gmail) that your server validated the Authentication-Results header: https://postmarkapp.com/blog/what-is-arc-or-authenticated-received-chain. Rewriting is mostly necessary when the original sender does not implement DKIM signing, or when the forwarding host changes any signed headers. – Reinto Feb 17 '23 at 12:36
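
The header rewrite discussed in the comments above, sketched in standalone Python as an added example (it is not from the thread and is not Postfix configuration). External recipients get a From header and envelope sender in the forwarder's own domain, with the original sender kept in Reply-To, while recipients in the organization's domain receive the message untouched. `BOUNCE_ADDR`, the `X-Original-From` header and the "via mailinglist1" display name are assumptions, and DKIM signing for myemaildomain.com is assumed to happen later in the MTA.

```python
from email import message_from_bytes, policy
from email.utils import formataddr, parseaddr

LOCAL_DOMAINS = {"myemaildomain.com"}         # recipients here keep original headers
LIST_ADDR = "mailinglist1@myemaildomain.com"  # alias address from the question
BOUNCE_ADDR = "bounces@myemaildomain.com"     # assumption: envelope sender for forwards

# Constructed sample message (not real traffic).
SAMPLE = (b"From: Info Desk <info@somerandomsenderdomain.com>\r\n"
          b"To: mailinglist1@myemaildomain.com\r\n"
          b"Subject: hello\r\n\r\nbody\r\n")


def rewrite_for_forward(raw, env_from, rcpt):
    """Return (envelope_sender, message_bytes) for one expanded recipient."""
    if rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return env_from, raw                  # internal delivery: leave as received
    msg = message_from_bytes(raw, policy=policy.SMTP)
    name, addr = parseaddr(str(msg["From"]))
    original = formataddr((name, addr))
    if "Reply-To" not in msg:                 # respect a Reply-To the sender set
        msg["Reply-To"] = original
    msg["X-Original-From"] = original         # assumption: informational header only
    del msg["From"]
    # From now aligns with the domain the forwarder can publish SPF and DKIM for.
    msg["From"] = formataddr((f"{name or addr} via mailinglist1", LIST_ADDR))
    return BOUNCE_ADDR, msg.as_bytes()


def plan_delivery(raw, env_from, recipients):
    """Map each alias-expanded recipient to its (envelope_sender, message_bytes)."""
    return {r: rewrite_for_forward(raw, env_from, r) for r in recipients}


if __name__ == "__main__":
    plan = plan_delivery(SAMPLE, "info@somerandomsenderdomain.com",
                         ["myuser@gmail.com", "myuser@myemaildomain.com"])
    for rcpt, (env, data) in plan.items():
        hdr_from = message_from_bytes(data, policy=policy.SMTP)["From"]
        print(f"{rcpt}: MAIL FROM=<{env}> From: {hdr_from}")
```
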
