On Fri, Aug 13, 2021 at 10:44:31AM +0800, Ken N <k...@tls-mail.com> wrote:
> I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
>
> This is the DMARC setting of mail.ru:
>
> _dmarc.mail.ru. 164 IN TXT
> "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai"
> "lto:dmarc_...@corp.mail.ru"
>
> (please notice the p=reject setting)
>
> When gmail receives the forwarded email from pobox, will it break DMARC?
> since the message header showing sender is x...@mail.ru, but the SMTP talking
> IP is pobox's IP address.
>
> Thank you.
> --
> Ken N
> https://lrblogs.com/

Maybe. It depends on lots of stuff.

A DMARC check passes if either SPF or DKIM passes, but (for DMARC
purposes), SPF only applies (and therefore can only pass) when the
From: domain matches the envelope sender domain, and (for DMARC
purposes) DKIM only applies (and therefore can only pass) when the
From: domain matches the DKIM signing domain (d=).

If pobox.com uses its own envelope sender when forwarding the
email, then mail.ru's SPF doesn't apply (because it wouldn't be
the envelope sender domain anymore). Instead, pobox.com's SPF
applies (because it's now the envelope sender domain). But
pobox.com's SPF doesn't apply to mail.ru's DMARC check. So SPF
wouldn't contribute to a DMARC check for mail.ru.

If pobox.com uses the original mail.ru envelope sender then
mail.ru's SPF will apply and it will fail (because pobox.com
won't be authorized by mail.ru's SPF). So it won't contribute to
a DMARC check for mail.ru either.

So, you can't count on SPF to get it through a DMARC check for
mail.ru.

The only other possibility is if the email was DKIM-signed by
mail.ru as well. If it wasn't, then DMARC fails. If it was, and
the email wasn't changed en route in any way that invalidated the
DKIM signature, then DMARC passes. If the mail was modified too
much, then DMARC fails, but if pobox.com is just forwarding, then
it shouldn't have modified it in a way that matters to DKIM.

And the DKIM signature has to have been signed with mail.ru's
DKIM key. Any other signing domain doesn't apply for DMARC
purposes.

So, if it's DKIM-signed by mail.ru, and pobox.com just forwards
it, and does nothing else other than adding headers along the
way, then it'll probably pass a DMARC check for mail.ru.
Otherwise, it won't.

Having said all that, what gmail does with it upon arrival is
entirely up to gmail. :-)

cheers,
raf
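
The alignment rules in the reply above, worked through for the forwarding cases it lists. This is an added example, not part of the original thread: the function names, the result keys and the sample record (with placeholder `rua` addresses) are constructed for illustration, and alignment is modelled as an exact domain match, as the reply words it.

```python
from dataclasses import dataclass

@dataclass
class DkimSig:
    d: str       # signing domain from the d= tag
    valid: bool  # did the signature verify on the message as received?

def parse_policy(txt_strings):
    """Concatenate the TXT character-strings and return the p= tag value."""
    record = "".join(txt_strings)
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags.get("p", "").lower() if tags.get("v") == "DMARC1" else None

def aligned(a, b):
    # Exact match, as the reply words it. Relaxed (organizational-domain)
    # alignment is deliberately not modelled here.
    return a.lower().rstrip(".") == b.lower().rstrip(".")

def dmarc_eval(from_domain, envelope_domain, spf_pass, dkim_sigs, policy):
    # SPF and DKIM only count when their domain aligns with the From: domain.
    spf_ok = spf_pass and aligned(from_domain, envelope_domain)
    dkim_ok = any(s.valid and aligned(from_domain, s.d) for s in dkim_sigs)
    passed = spf_ok or dkim_ok
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            # What the domain owner asks for on failure; the receiver decides.
            "requested_action": None if passed else policy}

# Constructed record: two character-strings, split mid-tag like the one quoted.
POLICY = parse_policy(['v=DMARC1;p=reject;rua=mailto:a@example.org,mai',
                       'lto:b@example.org'])

def forwarding_cases():
    """Constructed cases: From: is mail.ru, the connecting host is the forwarder."""
    return {
        "envelope rewritten, no mail.ru DKIM":
            dmarc_eval("mail.ru", "pobox.com", True, [], POLICY),
        "envelope kept, SPF fails, mail.ru DKIM intact":
            dmarc_eval("mail.ru", "mail.ru", False, [DkimSig("mail.ru", True)], POLICY),
        "envelope rewritten, mail.ru DKIM broken en route":
            dmarc_eval("mail.ru", "pobox.com", True, [DkimSig("mail.ru", False)], POLICY),
        "envelope rewritten, only forwarder's DKIM valid":
            dmarc_eval("mail.ru", "pobox.com", True, [DkimSig("pobox.com", True)], POLICY),
    }

if __name__ == "__main__":
    for name, result in forwarding_cases().items():
        print(f"{name}: {result}")
```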