I found their forwarding policy is somewhat strange. They changed the "to:" header address in the forwarded email to the destination address. For example, [email protected] writes to [email protected], this mail will be forwarded to [email protected] When gmail receives this email, the "to:" header is [email protected], rather than [email protected]. Thus this forwarding breaks DKIM, since most DKIM have "to:" header encrypted. And, 5x2.de does a valid SRS, so SPF has no contribution for DMARC. When DKIM fails, the final DMARC fails too. What google shows in their header:
SPF: PASS with IP 136.243.126.xx DKIM: 'FAIL' with domain foo.com DMARC: 'FAIL' So I am thinking 5x2.de should improve this for a better forwarding solution. Thanks.
