
I run a virtual mail server that forwards emails to my domain to a Gmail address, and I use PostSRSd to rewrite the addresses. For example, if someone sends an email to john@mydomain.com, my mail server will rewrite the address (to something like otherguy-otherdomain.com@mydomain.com) and forward it to my email at john@gmail.com.

This rewriting is essential, because otherwise the forwarded emails will fail SPF checks. I'm not sure if it will fail DKIM if the address is not rewritten, but I assume it will.

PostSRSd works out well for us most of the time. Emails to our virtual domain pass SPF, DKIM and DMARC, which makes deliverability excellent. Here's the typical mail header for the checks:

Authentication-Results: mx.google.com;
   dkim=pass header.i=@bf08x.hubspotemail.net header.s=hs1 header.b=fFjMRTbn;
   dkim=pass header.i=@imago-images.de header.s=hs2-8105018 header.b=AHU209VN;
   spf=pass (google.com: domain of srs0=8nnb=bp=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=mydomain.com@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=8nNb=BP=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=imago-images.de@mydomain.com";
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=imago-images.de

However, emails from a particular domain ichat.sp.edu.sg (this is the actual domain) never get delivered if they try to send emails to my domain, because the forwarding process causes it to fail Gmail's DMARC checks. Here is the mail header for one such mail:

Authentication-Results: mx.google.com;
   dkim=pass header.i=@ichatspedu.onmicrosoft.com header.s=selector2-ichatspedu-onmicrosoft-com header.b="LeXRlSh/";
   arc=pass (i=1 spf=pass spfdomain=ichat.sp.edu.sg dkim=pass dkdomain=ichat.sp.edu.sg dmarc=pass fromdomain=ichat.sp.edu.sg);
   spf=pass (google.com: domain of srs0=0ah0=bj=ichat.sp.edu.sg=elijahb.22@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=0aH0=BJ=ichat.sp.edu.sg=ELIJAHB.22@mydomain.com";
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sp.edu.sg

I'm not sure what causes DMARC to fail in this particular case. ChatGPT (as well as Postfix) says it has something to do with the DMARC records of sp.edu.sg, but I'm not very sure what it is. Can anyone help? And can I do anything on my end to alleviate this if sp.edu.sg does not do anything?

For reference, here is the TXT record for _dmarc.sp.edu.sg:

v=DMARC1; p=reject; rua=mailto:SPEDUSG_DMARC_Reports@sp.edu.sg, mailto:gp6phfil@ag.au.dmarcian.com; ruf=mailto:SPEDUSG_DMARC_Reports@sp.edu.sg; fo=1
John Doe
    The Google header does not mention a DKIM signature aligned with the `.sg` domain, did you expect one? – anx May 26 '23 at 13:26
  • @anx Do you mean that there is no DKIM signature for `sp.edu.sg` in the Google header? – John Doe May 26 '23 at 15:44
  • The problem with forwarding email to Google is if you receive any spam, as when it reaches Google's servers it'll show as coming from YOUR server and YOUR email domain, not the original sender, which then risks you getting blacklisted as a spam source. I've seen it happen multiple times with customers who had similar setups (against our advice). Better to enable email collection from your server, and allow Google to collect it from you with the original headers intact so they know what came from where. – Keith Langmead May 26 '23 at 18:54
  • Do you have a different option for forwarding, such as if Dovecot is installed use a `sieve` rule? – Paul May 28 '23 at 11:41

2 Answers


DMARC not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the “From” address. Only then will DMARC PASS.

DKIM: ichatspedu.onmicrosoft.com

SPF: ichat.sp.edu.sg

header.from=sp.edu.sg

so this won't work. I assume in the mail that worked you redacted an imago-images.de email address in the SPF (elijahb.22@mydomain.com)?

Try adding a subdomain TXT DMARC record for ichat.sp.edu.sg rather than relying on the default (empty) sp tag on the parent domain.

AngryCarrotTop
  • For the `imago-images.de` email address, do you mean for the `header.from`? The `header.from` is the original value. I only redacted the IP address of my mail server and the original domain. For the email, what you mean is that either the `header.from` must be `ichat.sp.edu.sg` or the `header.from` must be from `ichat.sp.edu.sg` correct? And to get the correct `header.from` the `_dmarc.ichat.sp.edu.sg` address must contain a DMARC entry? – John Doe May 26 '23 at 15:41
  • I've managed to fix this thanks to your input. The PostSRSd application actually documents the fix under PostSRSd under the last question, and it has the exact same solution as yours. – John Doe Jun 05 '23 at 13:04
Why DMARC failed

In the failed header, neither the SPF nor the DKIM domain aligns with ichat.sp.edu.sg, and this caused DMARC to fail.

It seems they don't sign DKIM using their own domain, and rely on the SPF domain to pass DMARC alignment, which was rewritten by your forwarder. (Or perhaps their mail servers are not properly configured at all and DMARC fails with or without your forwarder.)

Explanations of DMARC alignment can be found on Wikipedia. Basically, it states that the domain in a message's From header must match one of the domains in SPF or DKIM.

Further, any mail that relies on the SPF domain and not the DKIM domain to pass DMARC won't pass DMARC after your forwarder.

I don't think there's anything you can do, if you are not from ichat.sp.edu.sg.

Better ways

... to achieve what you are trying to do would be:

  • To designate your server as a Gmail inbound mail gateway, which requires a Google Workspace subscription. Google won't test DMARC for this.

  • Or you can try programmatically inserting forwarded mails using the Gmail API. You won't be using SMTP, and there is no need to pass any tests.

LZY
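Both answers come down to the same rule: DMARC passes only when a domain that SPF or DKIM actually authenticated aligns with the From-header domain. The script below is an added example, not code from the question, either answer or the PostSRSd project. It parses the two Authentication-Results headers quoted in the question, collects the authenticated identifiers, and applies relaxed and strict alignment. It then re-runs the alignment check with the identifiers the answers say the message had before SRS rewrote MAIL FROM, which makes visible why the forwarder alone flips the result. The public-suffix table is an assumption: a five-entry stand-in for the real Public Suffix List, just large enough to cover the domains on this page.

```python
"""Evaluate DMARC identifier alignment from Gmail Authentication-Results headers.

Added example; the two headers are copied from the question above, the
public-suffix table is a deliberately tiny stand-in for the real PSL.
"""
import re

# Assumption: minimal public-suffix table covering only the domains in the two
# headers. Production code should load the full Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "de", "sg", "edu.sg"}

# Header of a forwarded message that passed DMARC at Gmail (from the question).
PASSING_HEADER = """Authentication-Results: mx.google.com;
   dkim=pass header.i=@bf08x.hubspotemail.net header.s=hs1 header.b=fFjMRTbn;
   dkim=pass header.i=@imago-images.de header.s=hs2-8105018 header.b=AHU209VN;
   spf=pass (google.com: domain of srs0=8nnb=bp=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=mydomain.com@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=8nNb=BP=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=imago-images.de@mydomain.com";
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=imago-images.de"""

# Header of the forwarded ichat.sp.edu.sg message that failed (from the question).
FAILING_HEADER = """Authentication-Results: mx.google.com;
   dkim=pass header.i=@ichatspedu.onmicrosoft.com header.s=selector2-ichatspedu-onmicrosoft-com header.b="LeXRlSh/";
   arc=pass (i=1 spf=pass spfdomain=ichat.sp.edu.sg dkim=pass dkdomain=ichat.sp.edu.sg dmarc=pass fromdomain=ichat.sp.edu.sg);
   spf=pass (google.com: domain of srs0=0ah0=bj=ichat.sp.edu.sg=elijahb.22@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=0aH0=BJ=ichat.sp.edu.sg=ELIJAHB.22@mydomain.com";
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sp.edu.sg"""


def organizational_domain(domain):
    """Organizational domain used by relaxed alignment: the label directly
    below the longest matching public suffix, e.g. ichat.sp.edu.sg -> sp.edu.sg."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_authentication_results(header):
    """Return a list of (method, result, properties) for each clause.
    Parenthesised comments such as '(google.com: domain of ...)' are stripped
    first so the '=' signs inside them are not mistaken for properties."""
    body = re.sub(r"^Authentication-Results:\s*", "", header.strip())
    body = re.sub(r"\([^)]*\)", "", body)
    clauses = [c.strip() for c in body.split(";") if c.strip()]
    results = []
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (mx.google.com)
        tokens = re.findall(r'([\w.-]+)=("[^"]*"|[^\s;]+)', clause)
        method, result = tokens[0]
        props = {k: v.strip('"') for k, v in tokens[1:]}
        results.append((method, result, props))
    return results


def authenticated_identifiers(results):
    """Collect the domains SPF and DKIM actually authenticated, plus the
    From-header domain that DMARC compares them against."""
    from_domain, dkim_domains, spf_domains = None, [], []
    for method, result, props in results:
        if method == "dmarc":
            from_domain = props.get("header.from")
        elif method == "dkim" and result == "pass":
            # header.d is the signing domain; Gmail's header only exposes header.i
            dkim_domains.append(props.get("header.d") or props["header.i"].split("@")[-1])
        elif method == "spf" and result == "pass":
            # SPF authenticates the envelope sender (MAIL FROM) domain, which after
            # SRS rewriting is the forwarder's domain, not the original sender's
            spf_domains.append(props["smtp.mailfrom"].split("@")[-1])
    return from_domain, dkim_domains, spf_domains


def dmarc_alignment(from_domain, dkim_domains, spf_domains, mode="relaxed"):
    """DMARC passes only if at least one passing SPF or DKIM domain aligns with
    the From domain: identical in strict mode, same organizational domain in
    relaxed mode (the default when the record has no aspf/adkim tags, as with
    the _dmarc.sp.edu.sg record quoted in the question)."""
    def aligned(d):
        if mode == "strict":
            return d.lower() == from_domain.lower()
        return organizational_domain(d) == organizational_domain(from_domain)
    dkim_ok = [d for d in dkim_domains if aligned(d)]
    spf_ok = [d for d in spf_domains if aligned(d)]
    return {"from": from_domain, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if dkim_ok or spf_ok else "fail"}


def evaluate_header(header, mode="relaxed"):
    """Parse a header and report which identifiers aligned and the DMARC verdict."""
    return dmarc_alignment(*authenticated_identifiers(parse_authentication_results(header)), mode=mode)


if __name__ == "__main__":
    print("hubspot/imago-images.de:", evaluate_header(PASSING_HEADER))
    print("ichat.sp.edu.sg:        ", evaluate_header(FAILING_HEADER))
    # Identifiers as the answers describe them before SRS rewrote MAIL FROM:
    # DKIM from onmicrosoft.com, SPF from ichat.sp.edu.sg, From sp.edu.sg.
    before = ("sp.edu.sg", ["ichatspedu.onmicrosoft.com"], ["ichat.sp.edu.sg"])
    print("before SRS, relaxed:", dmarc_alignment(*before))
    print("before SRS, strict: ", dmarc_alignment(*before, mode="strict"))
```

Running it shows the first header passing through the aligned imago-images.de DKIM signature (the hubspotemail.net signature and the rewritten mydomain.com SPF domain contribute nothing), and the second failing because the only surviving identifiers are onmicrosoft.com and mydomain.com. With the pre-forwarding SPF domain ichat.sp.edu.sg the same message passes under relaxed alignment (organizational domain sp.edu.sg), which is exactly the alignment SRS removes; under strict alignment it would fail even without the forwarder, so a DKIM signature by an sp.edu.sg domain is the only identifier that survives forwarding.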