In article <2e056b35-f783-dccb-b319-31c35d002...@dcrocker.net>,
Dave Crocker via dmarc-discuss <d...@dcrocker.net> wrote:
>On 6/21/2020 7:57 AM, Matthäus Wander via dmarc-discuss wrote:
>> This sounds like the recipient is forwarding emails to Gmail. The DKIM
>> signature is valid because it originates from your server.
>
>Only if the forwarding process makes no changes that break the DKIM
>signature. In theory, that's easy. In practice, it's a very narrow
>category of forwarding behaviors that accomplish this.

It's narrow but it's pretty common these days for people to forward
their mail from other places to gmail. A lot of my users do it.

Unfortunately I have found a dismaying number of places, particularly
in the US government, publish DMARC p=reject and only use SPF,
presumably because there's an official rule that they must do DMARC
and this lets them check the box without doing any work.

Needless to say, the forwards fail and I've walked most of them
through the process to pull rather than push, configuring Gmail to
pick up the mail from their local mailbox with POP.

-- 
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
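
Added example, not part of the original thread: a simplified DMARC evaluator showing why a p=reject domain that relies on SPF alone fails at the forwarding destination, while an intact aligned DKIM signature survives. The domains, the scenario table and the two-label organizational-domain shortcut are assumptions made for illustration; the envelope-rewriting case goes slightly beyond what the thread mentions.

```python
# Simplified DMARC check: pass requires SPF *or* DKIM to pass AND align
# with the RFC5322.From domain. All domains below are constructed samples.

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # Real evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf, dkim_sigs, policy):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy  # disposition the domain owner asked for

FROM = "agency.example"  # hypothetical sender publishing p=reject
SCENARIOS = {
    # Delivered straight from the sender's own, SPF-authorized server.
    "direct, SPF only":
        dict(spf=("pass", "agency.example"), dkim_sigs=[]),
    # Forwarder keeps the envelope sender; its IP is not in the SPF record.
    "forwarded, SPF only, envelope kept":
        dict(spf=("fail", "agency.example"), dkim_sigs=[]),
    # Forwarder rewrites the envelope sender: SPF passes but is unaligned.
    "forwarded, SPF only, envelope rewritten":
        dict(spf=("pass", "forwarder.example"), dkim_sigs=[]),
    # Forwarder changes nothing that the DKIM signature covers.
    "forwarded unmodified, DKIM signed":
        dict(spf=("fail", "agency.example"),
             dkim_sigs=[("pass", "agency.example")]),
    # Forwarder alters signed content, so verification fails.
    "forwarded with changes, DKIM signed":
        dict(spf=("fail", "agency.example"),
             dkim_sigs=[("fail", "agency.example")]),
}

def evaluate_all(policy="reject"):
    return {name: dmarc_result(FROM, policy=policy, **s)
            for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (result, disposition) in evaluate_all().items():
        print(f"{name:42} dmarc={result:4} disposition={disposition}")
```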