SPF record is OK, see https://tools.ietf.org/html/rfc7208#section-3.3

mail.ru publishes a strict DMARC policy (reject) to prevent spoofing.

DMARC requires alignment between the SPF-authenticated domain and the
domain from RFC5322.From.
You perform SRS, so the message you send is SPF-authenticated by your
domain, but this domain is not aligned with the mail.ru domain from
RFC5322.From. Any redirection makes SPF useless for DMARC.

DKIM is intended to fix this problem, and the real issue here is that
you probably break the DKIM signature of the message. It can happen if
you change the content of the message or headers, e.g. by modifying
Subject: or adding something to the mail body.

Can you diff the original message and the forwarded one to find possible
modifications?


02.11.2017 15:28, Benoit Panizzon wrote:
> Dear List
>
> I have come across a strange problem.
>
> One of our customers is forwarding his emails to his google account.
>
> We do implement SRS to rewrite the envelope sender to match our SPF
> record.
> All other headers are preserved, in case they are DKIM Signed.
>
> Google rejects the emails with:
>
> <google destination email>: host
>     gmail-smtp-in.l.google.com[2a00:1450:4013:c00::1b] said: 550-5.7.1
>     Unauthenticated email from mail.ru is not accepted due to domain's
>     550-5.7.1 DMARC policy. Please contact the administrator of mail.ru
> domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1
>     https://support.google.com/mail/answer/2451690 to learn about the
> 550 5.7.1 DMARC initiative. m43si134563edm.154 - gsmtp (in reply to end
> of DATA command)
>
> Ok I have not yet stumbled over a lot of email senders using DMARC. So
> I read on: https://en.wikipedia.org/wiki/DMARC
>
> Did I get that right? DMARC checks that the envelope-from and From:
> header are 'aligned'?
>
> Well how the hell should that work when an email is being forwarded?
>
> SPF requires that I rewrite the envelope sender, DKIM requires that I
> don't alter the signed From: Header, DMARC requires that I do alter the
> From: Header?
>
> And where the heck does mail.ru publish its DMARC policy via DNS?
>
> mail.ru has address 217.69.139.201
> mail.ru has address 94.100.180.201
> mail.ru has address 217.69.139.200
> mail.ru has address 94.100.180.200
> mail.ru name server ns3.mail.ru.
> mail.ru name server ns1.mail.ru.
> mail.ru name server ns2.mail.ru.
> mail.ru has SOA record ns1.mail.ru. hostmaster.mail.ru. 3300745053 900
> 900 604800 60 mail.ru mail is handled by 10 mxs.mail.ru.
> mail.ru descriptive text "v=spf1 redirect=_spf.mail.ru"
> mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1
>
> _spf.mail.ru descriptive text "v=spf1 ip4:94.100.176.0/20
> ip4:217.69.128.0/20 i" "p4:128.140.168.0/21 ip4:188.93.58.0/24
> ip4:195.2" "11.128.0/22 ip4:188.93.59.0/24 ip4:128.140.170.0" "/24
> ip4:178.22.92.0/23 ip4:185.5.136.0/22 ip4:5." "61.237.0/26
> ip4:5.61.237.128/25 ip4:5.61.236.0/2" "4 ip4:5.61.239.143/32
> ip4:5.61.239.144/32 ~all"
>
> Well this somehow looks like a broken SPF record. Anyway ~all would
> specify softfail and not reject.
>
> Can anyone help putting the puzzle together?
>
> How would one correctly implement email forwarding which works with all
> kinds of SPF, DKIM and DMARC variants?
>
> And yes I know, email forwarding is considered bad(tm), but it is still
> widely used.
>
> -Benoît Panizzon-


-- 
Vladimir Dubrovin
@Mail.Ru
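
The alignment logic discussed in this thread, as an added example that is not part of either message: it evaluates DMARC for a direct delivery, an SRS-forwarded message with the DKIM signature intact, and an SRS-forwarded message whose signature was broken. Assumptions: the policy string is constructed (a real one is a TXT record at `_dmarc.<domain>`), `srs.forwarder.example` is a hypothetical forwarder, the organizational domain is approximated by the last two labels instead of the Public Suffix List, and the `pct` and `sp` tags are ignored.

```python
# Added example: DMARC result from SPF/DKIM results plus identifier alignment.

def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    # A real verifier consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    # "v=DMARC1; p=reject" -> {"v": "DMARC1", "p": "reject"}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(from_domain, record, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = list of (result, d= domain)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")  # disposition requested by the From: domain

RECORD = "v=DMARC1; p=reject"  # constructed policy, not copied from DNS

def scenarios():
    srs = ("pass", "srs.forwarder.example")  # SPF passes, but for the forwarder
    return {
        "direct": dmarc_eval("mail.ru", RECORD, ("pass", "mail.ru"), [("pass", "mail.ru")]),
        "forwarded_dkim_intact": dmarc_eval("mail.ru", RECORD, srs, [("pass", "mail.ru")]),
        "forwarded_dkim_broken": dmarc_eval("mail.ru", RECORD, srs, [("fail", "mail.ru")]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result)
```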


