Re: Forward to gmail and DMARC

2017-07-17 Thread A. Schulze


On 17.07.2017 at 09:48, Alex JOST wrote:

> AFAIK Authenticated Received Chain (ARC) was designed for exactly this use 
> case. Wondering if anyone has some experience with it or knows if Gmail is 
> already honouring ARC-headers.

yes, there are multiple ARC implementations between alpha and production state.

a good entry for further information is http://arc-spec.org/
I personally work with OpenARC which is more alpha state.

At IETF 99 there was a Hackathon last weekend. People also worked on ARC.
(https://mailarchive.ietf.org/arch/msg/dmarc/CnIGMxYfiyuquzvr_KZ_uCvRW8I)

Andreas


Re: Forward to gmail and DMARC

2017-07-17 Thread Alex JOST

On 16.07.2017 at 02:55, Peter wrote:
> On 14/07/17 08:06, @lbutlr wrote:
> >
> > I forward mail to a gmail user, but there are a lot of bounces from
> > gmail. I don't honestly care about the ones that google says are
> > spam,
>
> You should.  When Google sees SPAM coming from your server it will
> affect your server's IP reputation with Google and eventually cause mail
> from your server to go to Spam folder or you get blacklisted, etc.
>
> > but recently I'm also getting DMARC failures on Facebook
> > mails.
>
> Right, DMARC makes the situation worse.  The only way to get around this
> is to completely own the message by rewriting the envelope sender and
> From: header to come from your domain.  Of course this alters the
> content of the message and will likely cause DKIM to fail, so you'll
> need to address that as well.  If you've successfully managed to do this
> then you'll be even more embroiled in making your server look like a
> source of any SPAM that gets relayed through it in this method.

AFAIK Authenticated Received Chain (ARC) was designed for exactly this
use case. Wondering if anyone has some experience with it or knows if
Gmail is already honouring ARC-headers.


--
Alex JOST


Re: Forward to gmail and DMARC

2017-07-16 Thread A. Schulze


On 16.07.2017 at 02:55, Peter wrote:
> When Google sees SPAM coming from your server it will
> affect your server's IP reputation with Google

"your server's IP" has to be clarified:
as far as I know it's /32 for IPv4 and /64 for IPv6 ...

Andreas


Re: Forward to gmail and DMARC

2017-07-15 Thread Peter
On 14/07/17 08:06, @lbutlr wrote:
> 
> I forward mail to a gmail user, but there are a lot of bounces from
> gmail. I don't honestly care about the ones that google says are
> spam,

You should.  When Google sees SPAM coming from your server it will
affect your server's IP reputation with Google and eventually cause mail
from your server to go to Spam folder or you get blacklisted, etc.

> but recently I'm also getting DMARC failures on Facebook
> mails.

Right, DMARC makes the situation worse.  The only way to get around this
is to completely own the message by rewriting the envelope sender and
From: header to come from your domain.  Of course this alters the
content of the message and will likely cause DKIM to fail, so you'll
need to address that as well.  If you've successfully managed to do this
then you'll be even more embroiled in making your server look like a
source of any SPAM that gets relayed through it in this method.

> The only thing that I can think to do is disable the forwarding and
> tell the user to grab mail via POP3, but that means enabling POP3
> which I'd rather not do.

This is actually the only solution that will work without making you
alter the contents of the message significantly and make you look like a
source of SPAM.  This is one of the few exceptions where I will say to
go ahead and use POP3.

> Gmail does not, AFAIK, allow you to combine
> your mail with another IMAP account.

Correct, Google will fetch from POP3 but not from IMAP.  You pretty much
need to do it with POP3.


Peter


Re: Forward to gmail and DMARC

2017-07-15 Thread A. Schulze


On 15.07.2017 at 00:15, @lbutlr wrote:
> On 14 Jul 2017, at 09:41, Dominic Raferd wrote:
>> Me:
>>> Automated? Or is that something you do manually?
>>
>> Yes I have it automated
> 
> Oh, well that would be nifty to see what you've done if it's not too much 
> trouble.
> 

+1


Re: Forward to gmail and DMARC

2017-07-14 Thread @lbutlr
On 14 Jul 2017, at 09:41, Dominic Raferd wrote:
> Me:
>> Automated? Or is that something you do manually?
> 
> Yes I have it automated

Oh, well that would be nifty to see what you've done if it's not too much 
trouble.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Forward to gmail and DMARC

2017-07-14 Thread Dominic Raferd
On 14 July 2017 at 16:21, @lbutlr wrote:

> On 13 Jul 2017, at 15:05, Dominic Raferd wrote:
> > On 13 July 2017 at 21:06, @lbutlr wrote:
> >
> > I forward mail to a gmail user, but there are a lot of bounces from
> > gmail. I don't honestly care about the ones that google says are spam, but
> > recently I'm also getting DMARC failures on Facebook mails.
> >
> > Again, not critical, but a bit annoying.
> >
> > The only thing that I can think to do is disable the forwarding and tell
> > the user to grab mail via POP3, but that means enabling POP3 which I'd
> > rather not do. Gmail does not, AFAIK, allow you to combine your mail with
> > another IMAP account.
> >
> > Any other ideas?
> >
> > If you use openDMARC on your own server then rejections by an onward
> > mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur
> > when the sender has p=reject DMARC policy and is relying on SPF without
> > DKIM (or with bad DKIM).
>
> I have to say, I'd be surprised if this is what Facebook was doing, but I
> haven't even looked at DMARC for myself. It's just a milter, yes? And
> required DKIM?
>

It's a milter, and runs after the opendkim milter. I haven't seen such
behaviour by Facebook, only a few (not all) marketing emails from Tesco (UK
supermarket chain) and a few (again, not all) from Her Majesty's Revenue
and Customs (go figure). Most senders with p=reject DMARC policies
understand how to use DKIM and do so.


> > My solution for such cases - which are few - is to trap the DMARC
> > failure message from Gmail and then resend the original email as an
> > attachment.
>
> Automated? Or is that something you do manually?


Yes I have it automated
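
The approach described in this message (trap the DMARC rejection, resend the original as an attachment), as an added example; it is not Dominic Raferd's script. The function name `rewrap_dmarc_bounce`, all addresses and domains, and the trimmed sample bounce are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample bounce (DSN), trimmed to the two MIME parts the code reads;
# every address and domain is a placeholder.
SAMPLE_DSN = """\
From: MAILER-DAEMON@forwarder.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; forwarder.example

Final-Recipient: rfc822; user@gmail.example
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Unauthenticated email from sender.example is
 not accepted due to domain's DMARC policy.

--b1
Content-Type: message/rfc822

From: news@sender.example
Subject: Weekly offers

Hello
--b1--
"""

def rewrap_dmarc_bounce(dsn_text, forwarder_from, rcpt):
    """Return a wrapper message with the bounced original attached, or None."""
    dsn = email.message_from_string(dsn_text, policy=policy.default)
    diag, original = "", None
    for part in dsn.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":   # per-message + per-recipient blocks
            diag = " ".join(str(b.get("Diagnostic-Code", "")) for b in part.get_payload())
        elif ctype == "message/rfc822":          # the original, as it was received
            original = part.get_payload(0)
    if original is None or "dmarc" not in diag.lower():
        return None                              # not a DMARC rejection: leave it alone
    wrapper = EmailMessage()
    wrapper["From"] = forwarder_from             # From: is now the forwarder's own domain
    wrapper["To"] = rcpt
    wrapper["Subject"] = "Fwd as attachment: " + str(original.get("Subject", ""))
    wrapper.set_content("Direct forwarding was rejected (DMARC); original attached.")
    wrapper.add_attachment(original)             # becomes a message/rfc822 part
    return wrapper
```

Because the outer From: belongs to the forwarding domain, DMARC is evaluated against that domain, while the original message travels unmodified inside the attachment.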


Re: Forward to gmail and DMARC

2017-07-14 Thread @lbutlr
On 13 Jul 2017, at 15:05, Dominic Raferd wrote:
> On 13 July 2017 at 21:06, @lbutlr wrote:
> 
> I forward mail to a gmail user, but there are a lot of bounces from gmail. I 
> don't honestly care about the ones that google says are spam, but recently 
> I'm also getting DMARC failures on Facebook mails.
> 
> Again, not critical, but a bit annoying.
> 
> The only thing that I can think to do is disable the forwarding and tell the 
> user to grab mail via POP3, but that means enabling POP3 which I'd rather not 
> do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP 
> account.
> 
> Any other ideas?
> 
> If you use openDMARC on your own server then rejections by an onward 
> mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur 
> when the sender has p=reject DMARC policy and is relying on SPF without DKIM 
> (or with bad DKIM).

I have to say, I'd be surprised if this is what Facebook was doing, but I 
haven't even looked at DMARC for myself. It's just a milter, yes? And required 
DKIM?

> My solution for such cases - which are few - is to trap the DMARC failure 
> message from Gmail and then resend the original email as an attachment.

Automated? Or is that something you do manually?

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.



Re: Forward to gmail and DMARC

2017-07-13 Thread Dominic Raferd
On 13 July 2017 at 21:06, @lbutlr wrote:

>
> I forward mail to a gmail user, but there are a lot of bounces from gmail.
> I don't honestly care about the ones that google says are spam, but
> recently I'm also getting DMARC failures on Facebook mails.
>
> Again, not critical, but a bit annoying.
>
> The only thing that I can think to do is disable the forwarding and tell
> the user to grab mail via POP3, but that means enabling POP3 which I'd
> rather not do. Gmail does not, AFAIK, allow you to combine your mail with
> another IMAP account.
>
> Any other ideas?


If you use openDMARC on your own server then rejections by an onward
mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur
when the sender has p=reject DMARC policy and is relying on SPF without
DKIM (or with bad DKIM). My solution for such cases - which are few - is to
trap the DMARC failure message from Gmail and then resend the original
email as an attachment.
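
The condition stated in this message (forwarded mail is rejected only when the sender publishes p=reject and has no good aligned DKIM signature), worked through as an added example that is not part of the original post. The domains, the function names and the simplified "last two labels" organizational-domain rule are assumptions.

```python
def org_domain(name):
    # Assumption: naive "last two labels"; real evaluators use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(from_domain, policy, spf, dkim):
    """spf is (result, envelope domain); dkim is a list of (result, d= domain).
    Relaxed alignment. Returns 'pass' or the policy the receiver may apply."""
    od = org_domain(from_domain)
    spf_ok = spf[0] == "pass" and org_domain(spf[1]) == od
    dkim_ok = any(r == "pass" and org_domain(d) == od for r, d in dkim)
    return "pass" if spf_ok or dkim_ok else policy

def forward(spf, dkim, body_modified=False):
    """What the next hop sees after a plain forward with the envelope unchanged."""
    # The connecting IP is now the forwarder's, which the sender's SPF record
    # does not list, so SPF for the original envelope domain no longer passes.
    spf_after = ("fail", spf[1])
    # A DKIM signature survives unless the forwarder changed signed content.
    dkim_after = [("fail" if body_modified else r, d) for r, d in dkim]
    return spf_after, dkim_after

def forwarded_disposition(from_domain, policy, spf, dkim, body_modified=False):
    return dmarc_disposition(from_domain, policy, *forward(spf, dkim, body_modified))

# Constructed senders (placeholder domains), as seen at the first hop.
SPF_ONLY = dict(from_domain="news.shop.example", policy="reject",
                spf=("pass", "bounce.shop.example"), dkim=[])
SIGNED = dict(from_domain="mail.social.example", policy="reject",
              spf=("pass", "social.example"), dkim=[("pass", "social.example")])
```

`forwarded_disposition(**SPF_ONLY)` yields `reject` while `forwarded_disposition(**SIGNED)` yields `pass`; passing `body_modified=True` for the signed sender shows the "bad DKIM" case.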