Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
Why is that, when 90% ++ of the transactions are between a limited set of providers, and even after that, within the long tail, there will be a similar bell curve so that most of your regular recipients that use ARC will eventually trust you?

Beyond that, converting authentication into “trust” should not in any case scale.

From: mailop on behalf of Grant Taylor via mailop
Date: Tuesday, 23 April 2024 at 9:35 AM
To: mailop@mailop.org
Subject: Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF

On 4/22/24 09:16, Matus UHLAR - fantomas via mailop wrote:
> I'm afraid this is very long term solution - the recipient needs to
> trust your ARC signatures.

IMHO the "the recipient needs to trust your ARC signature" is ARC's Achilles' heel.

I have not seen any way to get around this -- what I call -- priming problem.

--
Grant. . . .

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
On 4/22/24 09:16, Matus UHLAR - fantomas via mailop wrote:
> I'm afraid this is very long term solution - the recipient needs to
> trust your ARC signatures.

IMHO the "the recipient needs to trust your ARC signature" is ARC's Achilles' heel.

I have not seen any way to get around this -- what I call -- priming problem.

--
Grant. . . .
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
It appears that Paul Menzel via mailop said:
> The following message to was undeliverable.
> The reason for the problem:
> 5.3.0 - Other mail system problem 550-'5.7.26 This mail has been
> blocked because the sender is unauthenticated.\n5.7.26 Gmail requires
> all senders to authenticate with either SPF or DKIM.\n5.7.26 \n5.7.26

As others said, SPF or DKIM has to pass. The easiest workaround is to put your own envelope address on forwarded mail, e.g. forwar...@molgen.mpg.de and that will often be enough to make Gmail accept it.

> message, when another server is sending emails from @molgen.mpg.de. We
> do not want to set up DKIM due to the increased message size, and
> complexity of key handling. Is there an alternative?

Um, find someone with the modest skills needed to do DKIM signing? I'm with Atro, the message size argument is silly, and the key management is not that hard. I'm sure I'm not the only one-person shop here who does it all by myself.

R's,
John
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
> But in this case, envelope sender domain is different from domain in
> header From: and then SPF checks don't apply to DMARC. So, if you want
> to have proper DKIM, you must set From: to your domain and DKIM-sign it.

To be finicky: DKIM does not care what domain is used in its d= parameter. The alignment with the From: domain is a DMARC requirement, not DKIM.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
On 22.04.24 10:00, Marco Moock via mailop wrote:
> Google makes forwarding really hard. They want you to set up ARC.
> https://support.google.com/a/answer/13198639?sjid=6036584522181943107-EU
> I know this is nasty, but these are Google's rules.
>
> Forwarded mails will always have an SPF failure, DKIM will be valid.

On 22.04.24 10:39, Matus UHLAR - fantomas via mailop wrote:
> The (ugly but working) possibility is to rewrite From: address to one
> @uni-potsdam.de and dkim-sign that one.
>
> It's the same mechanism this mailing list uses to deliver mail.

On 22.04.24 11:03, Laurent S. via mailop wrote:
> Implementing ARC is the best long term solution, but I understand it's
> hard. @Matus, rewriting From and DKIM is only necessary if you change
> anything to the mail that would make the original DKIM fail (changing
> subject or adding a disclaimer in the body). If you don't, then leaving
> DKIM and header From intact is probably better.

It's also necessary if the From: domain has no DKIM signature and DMARC policy is set to quarantine/reject, or the recipient enforces similar restrictions (e.g. gmail)

... and this seems to be OP's problem, since the DKIM did not pass.

> What I would rather recommend to change is the envelope MAIL FROM. If
> you switch it to a @uni-potsdam.de including some SRS magic, that
> should cover most issues.

But in this case, envelope sender domain is different from domain in header From: and then SPF checks don't apply to DMARC. So, if you want to have proper DKIM, you must set From: to your domain and DKIM-sign it.

It's an ugly solution but it may work, at least I made it work already.

> But then again, ARC is better longer term.

I'm afraid this is very long term solution - the recipient needs to trust your ARC signatures.

Yes, it's worth trying. You can still combine both and try once in a while if the ARC is enough.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Fighting for peace is like fucking for virginity...
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
On 22.04.24 10:39, Matus UHLAR - fantomas via mailop wrote:
> On 22.04.24 10:00, Marco Moock via mailop wrote:
>> Google makes forwarding really hard. They want you to set up ARC.
>> https://support.google.com/a/answer/13198639?sjid=6036584522181943107-EU
>> I know this is nasty, but these are Google's rules.
>>
>> Forwarded mails will always have an SPF failure, DKIM will be valid.
>
> The (ugly but working) possibility is to rewrite From: address to one
> @uni-potsdam.de and dkim-sign that one.
>
> It's the same mechanism this mailing list uses to deliver mail.
>

Implementing ARC is the best long term solution, but I understand it's hard. @Matus, rewriting From and DKIM is only necessary if you change anything to the mail that would make the original DKIM fail (changing subject or adding a disclaimer in the body). If you don't, then leaving DKIM and header From intact is probably better.

What I would rather recommend to change is the envelope MAIL FROM. If you switch it to a @uni-potsdam.de including some SRS magic, that should cover most issues.

But then again, ARC is better longer term.

Cheers,
Laurent
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
> The SPF of molgen.mpg.de has `~all` (soft fail):
>
> $ dig txt molgen.mpg.de +short
> "v=spf1 ip4:141.14.0.0/16 ~all"

But this is irrelevant. The envelope-from of a forwarded message is the original one - if you do not deliberately rewrite it - and in such a case, the SPF that is evaluated at the forwarding destination should be that of the original sender, nothing to do with yours.

As for DKIM, if the forwarded message did not contain a DKIM signature to begin with, then your options would be 1) continuing to occasionally forward mail that is not DKIM signed at all or 2) figuring out a way to sign what is essentially random email from random third parties using your reputation, which may not be what you wanted either.

> We do not want to set up DKIM due to the increased message size,

Now there's a straw man if I ever saw any. If you're worrying about adding 5-15 lines to messages that frequently contain hundreds, thousands of lines, you have the luxury of having problems that nobody else has.

> and complexity of key handling. Is there an alternative?

You can do it. A man+dog shop (looking at the mirror) can do it, so a university department with people on the IT payroll can do it. (But you may still not want to sign mail sent by random folks on the Internet with your domain.)

--
Atro Tossavainen, Chairman of the Board
Infinite Mho Oy, Helsinki, Finland
tel. +358-44-5000 600, http://www.infinitemho.fi/
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
On 22.04.24 09:28, Paul Menzel via mailop wrote:
> A user sends a message to x...@uni-potsdam.de, and the user X there has
> a forward set up to their y...@gmail.com address. Now
> smtpin.uni-potsdam.de returns a delivery failure from Google Mail:
>
> The following message to was undeliverable.
> The reason for the problem:
>
> The SPF of molgen.mpg.de has `~all` (soft fail):
>
> $ dig txt molgen.mpg.de +short
> "v=spf1 ip4:141.14.0.0/16 ~all"
>
> and I would expect `~all` to result in Google Mail not rejecting the
> message, when another server is sending emails from @molgen.mpg.de.
> We do not want to set up DKIM due to the increased message size, and
> complexity of key handling. Is there an alternative?

On 22.04.24 10:00, Marco Moock via mailop wrote:
> Google required at least one of SPF or DKIM that will pass.
> Softfail (~) or neutral (?) aren't sufficient.
>
> You can't sign DKIM for external domains, so if external mail goes in
> and is being forwarded, the DKIM signature is still valid, but there
> are situations when there is no DKIM signature. You can't sign such a
> message because you don't have control over the DNS of the foreign
> domain.
>
> Google makes forwarding really hard. They want you to set up ARC.
> https://support.google.com/a/answer/13198639?sjid=6036584522181943107-EU
> I know this is nasty, but these are Google's rules.
>
> Forwarded mails will always have an SPF failure, DKIM will be valid.

The (ugly but working) possibility is to rewrite From: address to one @uni-potsdam.de and dkim-sign that one.

It's the same mechanism this mailing list uses to deliver mail.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I don't have lysdexia. The Dog wouldn't allow that.
Re: [mailop] Google Mail rejects forwarded email despite `~all` in SPF
On 22.04.2024 at 09:28:20, Paul Menzel via mailop wrote:
> The SPF of molgen.mpg.de has `~all` (soft fail):
>
> $ dig txt molgen.mpg.de +short
> "v=spf1 ip4:141.14.0.0/16 ~all"
>
> and I would expect `~all` to result in Google Mail not rejecting the
> message, when another server is sending emails from @molgen.mpg.de.
> We do not want to set up DKIM due to the increased message size, and
> complexity of key handling. Is there an alternative?

Google required at least one of SPF or DKIM that will pass. Softfail (~) or neutral (?) aren't sufficient.

You can't sign DKIM for external domains, so if external mail goes in and is being forwarded, the DKIM signature is still valid, but there are situations when there is no DKIM signature. You can't sign such a message because you don't have control over the DNS of the foreign domain.

Google makes forwarding really hard. They want you to set up ARC.
https://support.google.com/a/answer/13198639?sjid=6036584522181943107-EU
I know this is nasty, but these are Google's rules.

Forwarded mails will always have an SPF failure, DKIM will be valid.

--
Regards,
Marco

Send unsolicited bulk mail to
1713770900mu...@cartoonies.org
[mailop] Google Mail rejects forwarded email despite `~all` in SPF
Dear mail operators,

A user sends a message to x...@uni-potsdam.de, and the user X there has a forward set up to their y...@gmail.com address. Now smtpin.uni-potsdam.de returns a delivery failure from Google Mail:

    The following message to was undeliverable.
    The reason for the problem:
    5.3.0 - Other mail system problem 550-'5.7.26 This mail has been blocked because the sender is unauthenticated.\n5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.\n5.7.26 \n5.7.26 Authentication results:\n5.7.26 DKIM = did not pass\n5.7.26 SPF [molgen.mpg.de] with ip: [141.89.64.18] = did not pass\n5.7.26 \n5.7.26 For instructions on setting up authentication, go to\n5.7.26https://support.google.com/mail/answer/81126#authentication me22-20020a170906aed600b00a5250f9fcf4si1870841ejb.898 - gsmtp'

    Reporting-MTA: dns; smtpin.uni-potsdam.de

    Final-Recipient:rfc822;y...@gmail.com
    Action: failed
    Status: 5.0.0 (permanent failure)
    Remote-MTA: dns; [142.251.18.27]
    Diagnostic-Code: smtp; 5.3.0 - Other mail system problem 550-'5.7.26 This mail has been blocked because the sender is unauthenticated.\n5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM.\n5.7.26 \n5.7.26 Authentication results:\n5.7.26 DKIM = did not pass\n5.7.26 SPF [molgen.mpg.de] with ip: [141.89.64.18] = did not pass\n5.7.26 \n5.7.26 For instructions on setting up authentication, go to\n5.7.26https://support.google.com/mail/answer/81126#authentication me22-20020a170906aed600b00a5250f9fcf4si1870841ejb.898 - gsmtp' (delivery attempts: 0)

The SPF of molgen.mpg.de has `~all` (soft fail):

    $ dig txt molgen.mpg.de +short
    "v=spf1 ip4:141.14.0.0/16 ~all"

and I would expect `~all` to result in Google Mail not rejecting the message, when another server is sending emails from @molgen.mpg.de. We do not want to set up DKIM due to the increased message size, and complexity of key handling. Is there an alternative?

Kind regards,

Paul
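
Added example, not part of the thread and not any poster's code: a small Python model of the checks discussed above, run against the SPF record and forwarder IP from the bounce. It handles only `ip4:` and `all` mechanisms; the forwarder's SPF record and the two-label organizational-domain rule are assumptions made for illustration (real DMARC uses the Public Suffix List).

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip4_result(record, client_ip):
    """Evaluate an SPF record that uses only ip4: mechanisms and 'all'."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech.startswith("ip4:"):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched

def org_domain(domain):
    # Simplification: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_forward(envelope_domain, spf_record, header_from_domain, client_ip, dkim_pass):
    """Model the SPF-or-DKIM rule quoted in the 5.7.26 bounce, plus DMARC SPF alignment."""
    spf = spf_ip4_result(spf_record, client_ip)
    return {
        "spf": spf,
        "authenticated": spf == "pass" or dkim_pass,   # softfail is not a pass
        "spf_aligned": spf == "pass"
        and org_domain(envelope_domain) == org_domain(header_from_domain),
    }

FORWARDER_IP = "141.89.64.18"                      # from the bounce on this page
MOLGEN_SPF = "v=spf1 ip4:141.14.0.0/16 ~all"       # from the dig output on this page
FORWARDER_SPF = "v=spf1 ip4:141.89.64.0/24 -all"   # constructed, not the real record

# Case 1: forwarded unchanged, envelope sender still @molgen.mpg.de, no DKIM.
as_is = check_forward("molgen.mpg.de", MOLGEN_SPF, "molgen.mpg.de", FORWARDER_IP, False)
# Case 2: envelope sender rewritten (SRS) to the forwarder's domain, no DKIM.
rewritten = check_forward("uni-potsdam.de", FORWARDER_SPF, "molgen.mpg.de", FORWARDER_IP, False)

if __name__ == "__main__":
    print("as-is:    ", as_is)
    print("rewritten:", rewritten)
```

In this model the unchanged forward yields softfail and is unauthenticated, while the rewritten envelope sender yields an SPF pass that is not aligned with the From: domain, which is the distinction drawn in the replies.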