> And where the heck does mail.ru publish its DMARC policy via DNS?

dig txt _dmarc.mail.ru

David

On 2 November 2017 at 13:28, Benoit Panizzon <benoit.paniz...@imp.ch> wrote:

> Dear List
>
> I have come across a strange problem.
>
> One of our customers is forwarding his emails to his google account.
>
> We do implement SRS to rewrite the envelope sender to match our SPF
> record.
> All other headers are preserved, in case they are DKIM Signed.
>
> Google rejects the emails with:
>
> <google destination email>: host
> gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1b] said: 550-5.7.1
> Unauthenticated email from mail.ru is not accepted due to domain's
> 550-5.7.1 DMARC policy. Please contact the administrator of mail.ru
> domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1
> https://support.google.com/mail/answer/2451690 to learn about the
> 550 5.7.1 DMARC initiative. m43si134563edm.154 - gsmtp (in reply to end
> of DATA command)
>
> Ok I have not yet stumbled over a lot of email senders using DMARC. So
> I read on: https://en.wikipedia.org/wiki/DMARC
>
> Did I get that right? DMARC checks that the envelope-from and From:
> header are 'aligned'?
>
> Well how the hell should that work when an email is being forwarded?
>
> SPF requires that I rewrite the envelope sender, DKIM requires that I
> don't alter the signed From: Header, DMARC requires that I do alter the
> From: Header?
>
> And where the heck does mail.ru publish its DMARC policy via DNS?
>
> mail.ru has address 217.69.139.201
> mail.ru has address 94.100.180.201
> mail.ru has address 217.69.139.200
> mail.ru has address 94.100.180.200
> mail.ru name server ns3.mail.ru.
> mail.ru name server ns1.mail.ru.
> mail.ru name server ns2.mail.ru.
> mail.ru has SOA record ns1.mail.ru. hostmaster.mail.ru. 3300745053 900
> 900 604800 60
> mail.ru mail is handled by 10 mxs.mail.ru.
> mail.ru descriptive text "v=spf1 redirect=_spf.mail.ru"
> mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1
>
> _spf.mail.ru descriptive text "v=spf1 ip4:94.100.176.0/20
> ip4:217.69.128.0/20 i" "p4:128.140.168.0/21 ip4:188.93.58.0/24
> ip4:195.2" "11.128.0/22 ip4:188.93.59.0/24 ip4:128.140.170.0" "/24
> ip4:178.22.92.0/23 ip4:185.5.136.0/22 ip4:5." "61.237.0/26
> ip4:5.61.237.128/25 ip4:5.61.236.0/2" "4 ip4:5.61.239.143/32
> ip4:5.61.239.144/32 ~all"
>
> Well this somehow looks like a broken SPF record. Anyway ~all would
> specify softfail and not reject.
>
> Can anyone help putting the puzzle together?
>
> How would one correctly implement email forwarding which works with all
> kinds of SPF, DKIM and DMARC Variants?
>
> And yes I know, email forwarding is considered bad(tm), but it is still
> widely used.
>
> -Benoît Panizzon-
> --
> I m p r o W a r e A G - Leiter Commerce Kunden
> ______________________________________________________
>
> Zurlindenstrasse 29 Tel +41 61 826 93 00
> CH-4133 Pratteln Fax +41 61 826 93 01
> Schweiz Web http://www.imp.ch
> ______________________________________________________
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>

--
--
My opinion is mine.
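
How a DMARC-enforcing receiver evaluates mail forwarded with SRS, following RFC 7489, as an added example that is not part of the original thread. The policy string `RECORD` and the envelope domain `forwarder.example` are constructed, and `org_domain` is a simplification that ignores the Public Suffix List.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, record, spf_result, mail_from_domain, dkim_sigs):
    """dkim_sigs: (d= domain, verified?) pairs. Returns (result, disposition)."""
    tags = parse_dmarc(record)
    # SPF only counts if it passed AND the envelope domain aligns with From:
    spf_ok = spf_result == "pass" and aligned(
        mail_from_domain, from_domain, tags.get("aspf", "r"))
    # DKIM only counts if a signature verified AND its d= aligns with From:
    dkim_ok = any(ok and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, ok in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

RECORD = "v=DMARC1; p=reject"     # constructed policy, not mail.ru's real record
SRS_DOMAIN = "forwarder.example"  # constructed: envelope domain after SRS rewrite

def scenarios():
    forwarded = lambda sigs: dmarc_verdict("mail.ru", RECORD, "pass", SRS_DOMAIN, sigs)
    return {
        "direct": dmarc_verdict("mail.ru", RECORD, "pass", "mail.ru", []),
        "srs_no_dkim": forwarded([]),  # SPF passes for the forwarder, unaligned
        "srs_dkim_ok": forwarded([("mail.ru", True)]),  # original signature intact
        "srs_dkim_broken": forwarded([("mail.ru", False)]),  # signed content altered
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:16} {verdict}")
```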