On 23/08/2021 14:02, Jens Hoffrichter wrote:
Hi,
I cannot find a previous discussion about this topic here on the mailing list.
We are running postfix instances for a big corporation, which delivers
to MS Exchange / Exchange online backends. We now have gotten the
requirement to mark all e-mails coming from external senders
in the subjects.
I'm quite clear how to implement this, we have the infrastructure in place.
I'm looking more for some experiences and pros/cons for doing this in
postfix, or in Exchange. It will come nevertheless, I'm just looking
to minimize damage and impact for the end user, and where to do this
best.
Has anyone doing this experienced problems with S/MIME mail? Does this
maybe trigger spam detection, especially on an Exchange / Exchange
Online backend more? Does DKIM break?

It is likely to break DKIM where the Subject header is signed (which is
normal - and suggested by RFC6376 5.4). It will occasionally break DMARC
(where sender has not also set up SPF correctly or has not aligned it),
and such instances although rare could be serious (i.e. if sender's
domain specifies p=reject).
If you are confident that neither the Exchange backends, nor any of the
recipients' own software will be testing DMARC or DKIM after you have
mangled the subjects, and you have ensured that mangling comes after
DKIM/DMARC testing (if any) within your postfix instances, I guess it
might work, but it's ugly IMO.
A possible workaround: rather than modify the existing Subject header,
insert a new Subject header above it. Unless sender has oversigned for
the Subject header (which is not normal), DKIM (and therefore DMARC)
will still pass (I think) because DKIM tests against the first
chronologically (i.e. last physically) such header, yet your header
might be shown in the recipient's mail program as the Subject in place
of the original one. This would need to be tested and TBH I hope it
doesn't work.
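
An added illustration of the header-selection rule discussed in the reply above (RFC 6376 section 5.4.2); this is not code from either poster. It is a simplified model that only hashes the selected, relaxed-canonicalized headers: real DKIM also hashes the DKIM-Signature header and verifies a signature. The sample message, the `[EXTERNAL] ` tag and all function names are constructed for the example, and it says nothing about which Subject a mail client displays.

```python
import hashlib

def relaxed(name, value):
    # Relaxed header canonicalization, simplified (no folded lines in the sample).
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def signed_header_digest(headers, h_tag):
    """headers: (name, value) pairs, top to bottom as they appear in the message.
    h_tag: header names from the signature's h= tag, in order."""
    remaining = list(headers)
    picked = []
    for name in h_tag:
        # RFC 6376 5.4.2: take the unused instance nearest the bottom of the block.
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                picked.append(remaining.pop(i))
                break
        # No instance left: nothing is hashed for this entry, which is
        # exactly what oversigning (listing a name once more) relies on.
    data = "".join(relaxed(n, v) for n, v in picked)
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample message headers.
ORIGINAL = [("From", "alice@example.org"),
            ("To", "bob@example.com"),
            ("Subject", "Quarterly report")]
TAG = "[EXTERNAL] "

def rewrite_subject(headers):
    # Modify the existing Subject header in place.
    return [(n, TAG + v if n.lower() == "subject" else v) for n, v in headers]

def prepend_subject(headers):
    # Insert a new, tagged Subject header above the original one.
    subj = next(v for n, v in headers if n.lower() == "subject")
    return [("Subject", TAG + subj)] + headers

def survives(h_tag, mutate):
    # True if the signed-header digest is unchanged by the gateway's change.
    return (signed_header_digest(ORIGINAL, h_tag)
            == signed_header_digest(mutate(ORIGINAL), h_tag))

if __name__ == "__main__":
    for h in (["from", "to", "subject"], ["from", "to", "subject", "subject"]):
        print(h, "rewrite:", survives(h, rewrite_subject),
              "prepend:", survives(h, prepend_subject))
```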