SRS is usually fairly trivial these days, but DMARC changes things. While SRS is doing fine for our users when forwarding email to Gmail, when auth fails and DMARC = reject Google will tell you pretty plainly that they're probably not going to accept it: https://support.google.com/mail/answer/2451690

"For example, eBay and PayPal publish a policy requiring all of their mail to be authenticated in order to appear in someone's inbox. In accordance with their policy, Google rejects all messages from eBay or PayPal that aren't authenticated."

It's my finding that at scale, there's no silver bullet to ensure that 100% of emails you forward are going to be accepted by Google, or anyone really. That's why anyone who considers their inbox mission critical needs to rely on their inbox provider, and not a third party accepting email from their inbox provider. Most users won't have a complaint about this, they won't even notice what wasn't accepted when forwarding (and often didn't really want whatever it was anyway). But that's because most users don't consider their personal inbox to be mission critical, and most users with a mission critical inbox use their work email system rather than forward everything from c...@fortune500company.tld to babybearbobca...@gmail.com.

On 2023-09-13 01:44, Jason R Cowart via mailop wrote:

Hi Brandon,

Thank you for the responses. I'll send you some examples off list of successes and failures from the exact same sender and final recipient, both Gmail users. I'd very much like to understand why we are seeing what appears to be an increase in DKIM validation failures in order to determine what can be done to improve the situation. We are aware of DKIM signatures using the strict canonicalization option failing validation after forwarding, but in these examples the relaxed canonicalization was used.

We do not rewrite the envelope sender as we forward. I'm not convinced the non-trivial effort needed to shift to rewriting the sender would yield a durable solution to this problem, as it would not help with a DMARC check since the resulting SPF pass will be out of alignment with the sender in the From: header. It would seem we're dependent on the initial DKIM signature passing validation. I'd welcome any other perspectives on the topic.

Best,

Jason

From: Brandon Long <bl...@google.com>
Date: Tuesday, September 12, 2023 at 8:29 PM
To: Jason R Cowart <jcow...@stanford.edu>
Cc: mailop@mailop.org <mailop@mailop.org>
Subject: Re: [mailop] Authentication Bounces by Gmail

Looking at the messages from that IP getting that rejection message, I'm seeing a lot of "DKIM body hash did not verify". I'd also verify that your system isn't modifying the messages that it is forwarding.

Brandon

On Tue, Sep 12, 2023 at 8:20 PM Brandon Long <bl...@google.com> wrote:

That message did not have a DKIM header ... or was so garbled that we didn't extract it.

Due to DKIM replay, we may spam reject forwarded messages that DKIM verify but not SPF, but those would not have that rejection message.

And yes, we are continuing to ramp no auth, no entry.

I'm sure I've had a long explanation on here in the past year, but the short answer is if the message is not DKIM valid and you're forwarding, you should rewrite the MAIL FROM to a domain you own that will SPF authn the message... and try not to forward spam.

Brandon

On Tue, Sep 12, 2023 at 6:00 PM Jason R Cowart via mailop <mailop@mailop.org> wrote:

We are seeing an increasing number of bounces by Gmail related to failed authentication checks. The bounces include language like:

<<< 550-5.7.26 This mail is unauthenticated, which poses a security risk to the
<<< 550-5.7.26 sender and Gmail users, and has been blocked. The sender must
<<< 550-5.7.26 authenticate with at least one of SPF or DKIM. For this message,
<<< 550-5.7.26 DKIM checks did not pass and SPF check for [mcn.org] did not pass
<<< 550-5.7.26 with ip: [67.231.157.125]. The sender should visit
<<< 550-5.7.26 https://support.google.com/mail/answer/81126#authentication for
<<< 550 5.7.26 instructions on setting up authentication. z6-20020a05622a028600b00403a8e58423si1377805qtw.448 - gsmtp
554 5.0.0 Service unavailable

This is occurring in situations where our users forward their mail to a personal Gmail account. SPF checks will of course fail in the scenario, but DKIM checks should pass. In fact, they most often do pass--users impacted by this are only seeing a small subset of their mail from a given sender bounced (which often times will be a Gmail sender). In cases where the user retains a copy locally we've been able to verify that the DKIM signature was present and was successfully validated by our system.

Is anyone else experiencing this?

If anyone from Google could reach out to me off-list to discuss, that would be much appreciated.

Best,

Jason Cowart

Stanford University IT

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
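Brandon's "DKIM body hash did not verify" hint, and Jason's note that strict (RFC 6376 "simple") versus relaxed canonicalization matters, can be checked concretely. The following is an added example, not code from anyone in the thread or from Stanford's or Google's systems: it implements both RFC 6376 body canonicalizations and the bh= computation, then shows which forwarder modifications relaxed canonicalization tolerates and which break the signature either way. The message bodies and function names are constructed for the illustration.

```python
import base64
import hashlib
import re

# RFC 6376 section 3.4.3, "simple" body canonicalization (the thread's
# "strict" option): only trailing empty lines are removed, so any change
# to whitespace inside the body alters the hash.
def simple_body(body: bytes) -> bytes:
    lines = body.split(b"\r\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n"  # an empty body becomes a lone CRLF

# RFC 6376 section 3.4.4, "relaxed" body canonicalization: runs of WSP
# collapse to one SP, trailing WSP on each line is dropped, trailing
# empty lines are dropped, and a non-empty body ends with exactly one CRLF.
def relaxed_body(body: bytes) -> bytes:
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Compute the bh= tag value (base64 of SHA-256) for the chosen canonicalization."""
    canonical = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode("ascii")

def bh_verifies(signed_bh: str, received_body: bytes, canon: str = "relaxed") -> bool:
    """The check a verifier such as Gmail performs: does the body as received still hash to bh=?"""
    return body_hash(received_body, canon) == signed_bh

# Constructed sample bodies: the signed original and two variants a forwarder might deliver.
ORIGINAL = b"Hello Jason,\r\n\r\nSee the attached report.\r\n"
WHITESPACE_CHANGED = b"Hello Jason,  \t\r\n\r\nSee the   attached report.\r\n\r\n\r\n"
FOOTER_APPENDED = ORIGINAL + b"\r\n-- \r\nForwarded by the campus mail relay\r\n"

def forwarding_outcomes() -> dict:
    """For each canonicalization, report whether the original bh= still verifies on each variant."""
    results = {}
    for canon in ("simple", "relaxed"):
        signed_bh = body_hash(ORIGINAL, canon)  # bh= as the sender would have signed it
        results[canon] = {
            "whitespace_changed": bh_verifies(signed_bh, WHITESPACE_CHANGED, canon),
            "footer_appended": bh_verifies(signed_bh, FOOTER_APPENDED, canon),
        }
    return results

if __name__ == "__main__":
    for canon, outcome in forwarding_outcomes().items():
        print(canon, outcome)
```

Relaxed canonicalization survives whitespace-only changes but not an appended footer, so a forwarder that adds disclaimers or banners to the body breaks every DKIM signature regardless of canonicalization; only the headers and body passing through byte-for-byte keep the signature verifiable.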



