On 8/02/24 14:23, Alex via Postfix-users wrote:
> I'm hoping I could ask for some advice. We have a pretty large percentage of users who forward mail through our systems to personal Gmail accounts. Sometimes it is mail from bulk senders like mailgun and lanyon/cvent.

Before answering your actual questions I'll give a quick note of caution. When you forward mail that means you will also forward SPAM. To at least some servers this makes it at least appear as if SPAM is originating from your server and could result in your servers' IP address(es) being added to DNSRBLs. That said...

> Would ARC help here,

It won't hurt, and Google seems to be advising to use it for forwarding. ARC is basically telling the recipient's MTA that your MTA legitimately received the message and indicating whether it passed or failed SPF, DKIM and DMARC to your server. Do note that ARC requires that the recipient server somehow trusts your server so it does mean that you're taking some amount of responsibility for the messages you're forwarding and the quality of those messages could determine how much other servers will accept your ARC results.

> or is DKIM enough for DMARC alignment with forwarded messages?

It can be, but this depends entirely on the message being properly DKIM signed by the original sender, something which is entirely out of your control, so it's safe to say that not all messages will pass DMARC via DKIM, because not all senders will have DKIM properly configured, or configured at all. Also, DKIM relies on you not altering any of the message headers or body used for the signature, so your own server could potentially invalidate the DKIM signature even if it is initially valid. You can sign the messages yourself, but that won't help for DMARC alignment because DMARC requires a DKIM signature that is signed by the From: header domain in order to accept it.

> Perhaps ARC will help in those cases where DKIM fails with forwarded messages?

Again, it might, it depends on the recipient MTA.

> Is it used on the sending server or on the relay?

DKIM has to be signed by the original sender; ARC is signed by the relay (you).

> Is it installed using a milter alongside openSPF/DKIM using openarc?

It can be, yes.

> I've also thought about implementing SRS over the years, but it has its own problems, so I wondered if people were still implementing that?

SRS is simply changing the envelope sender so it aligns with one that you control. It allows SPF to pass but won't help with DMARC because your domain will not align with the From: header in the message.

My recommendations are as follows (other people's recommendations will vary):

1. Don't forward mail.

2. If you must forward mail, then relay it using a different IP address from the mail that originates from you; that way, if the IP gets added to a DNSRBL, it at least should hopefully not affect the mail that you originate.

3. SPAM-filter mail before you forward it; be aggressive with this, as you really don't want to be forwarding SPAM. Note that some SPAM will still get through.

4. ARC sign your forwarded mail.

5. Use SRS on forwarded mail.

This is in addition to all the other things you do for mail that you originate (SPF, DKIM, DMARC, etc).

Good luck,


Peter
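As an added illustration (not code from the post, and not the implementation used by Postfix, OpenARC or any SRS library), the Python sketch below does SRS0 envelope-sender rewriting and a simplified relaxed DMARC alignment check. It shows concretely why SRS lets SPF pass on the forwarder's own domain yet leaves DMARC alignment unchanged, and why only a DKIM signature by the From: header domain carries alignment through a forward. The secret, domains and addresses are constructed assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values for the example (assumptions, not from the post).
SRS_SECRET = b"example-srs-secret"
FORWARDER_DOMAIN = "forwarder.example"
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _srs_hash(ts: str, domain: str, local: str) -> str:
    """First 4 base64 chars of HMAC-SHA1 over timestamp+domain+local (SRS0 style)."""
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()).decode()[:4]


def _srs_timestamp(now: int) -> str:
    """Two base32 characters encoding the day number, as SRS does for bounce expiry."""
    day = now // 86400
    return B32[(day >> 5) & 31] + B32[day & 31]


def srs_forward(envelope_from: str, now: Optional[int] = None) -> str:
    """Rewrite MAIL FROM to SRS0=HHHH=TT=orig.domain=local@forwarder so SPF checks our domain."""
    local, domain = envelope_from.rsplit("@", 1)
    ts = _srs_timestamp(int(time.time()) if now is None else now)
    return f"SRS0={_srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER_DOMAIN}"


def srs_reverse(srs_address: str) -> Optional[str]:
    """Recover the original sender for bounces; None if the address was not made by us."""
    local, domain = srs_address.rsplit("@", 1)
    if domain != FORWARDER_DOMAIN or not local.startswith("SRS0="):
        return None
    _, h, ts, orig_domain, orig_local = local.split("=", 4)
    if not hmac.compare_digest(h, _srs_hash(ts, orig_domain, orig_local)):
        return None
    return f"{orig_local}@{orig_domain}"


def dmarc_aligned(from_domain: str, spf_domain: str, spf_pass: bool,
                  dkim_domain: str, dkim_pass: bool) -> bool:
    """Relaxed alignment: a passing SPF or DKIM result whose domain shares the From: domain.
    Simplified: real DMARC compares organizational domains via the Public Suffix List."""
    def aligns(d: str) -> bool:
        return d == from_domain or d.endswith("." + from_domain) or from_domain.endswith("." + d)
    return (spf_pass and aligns(spf_domain)) or (dkim_pass and aligns(dkim_domain))
```

Note that `srs_forward` only changes the envelope; the From: header domain passed to `dmarc_aligned` is untouched, which is exactly why SRS alone cannot produce alignment.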
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org