Re: Forward to gmail and DMARC
On 17.07.2017 at 09:48, Alex JOST wrote:
> AFAIK Authenticated Received Chain (ARC) was designed for exactly this use
> case. Wondering if anyone has some experience with it or knows if Gmail is
> already honouring ARC-headers.

Yes, there are multiple ARC implementations between alpha and production state.
A good entry for further information is http://arc-spec.org/

I personally work with OpenARC which is more alpha state.

At IETF 99 there was a Hackathon last weekend. People also worked on ARC.
(https://mailarchive.ietf.org/arch/msg/dmarc/CnIGMxYfiyuquzvr_KZ_uCvRW8I)

Andreas
Re: Forward to gmail and DMARC
On 16.07.2017 at 02:55, Peter wrote:
> On 14/07/17 08:06, @lbutlr wrote:
>> I forward mail to a gmail user, but there are a lot of bounces from
>> gmail. I don't honestly care about the ones that google says are
>> spam,
>
> You should. When Google sees SPAM coming from your server it will
> affect your server's IP reputation with Google and eventually cause
> mail from your server to go to Spam folder or you get blacklisted, etc.
>
>> but recently I'm also getting DMARC failures on Facebook mails.
>
> Right, DMARC makes the situation worse. The only way to get around
> this is to completely own the message by rewriting the envelope sender
> and From: header to come from your domain. Of course this alters the
> content of the message and will likely cause DKIM to fail, so you'll
> need to address that as well. If you've successfully managed to do
> this then you'll be even more embroiled in making your server look
> like a source of any SPAM that gets relayed through it in this method.

AFAIK Authenticated Received Chain (ARC) was designed for exactly this use
case. Wondering if anyone has some experience with it or knows if Gmail is
already honouring ARC-headers.

--
Alex JOST
Re: Forward to gmail and DMARC
On 16.07.2017 at 02:55, Peter wrote:
> When Google sees SPAM coming from your server it will
> affect your server's IP reputation with Google

"your server's IP" has to be clarified: as far as I know it's /32 for IPv4
and /64 for IPv6 ...

Andreas
Re: Forward to gmail and DMARC
On 14/07/17 08:06, @lbutlr wrote:
>
> I forward mail to a gmail user, but there are a lot of bounces from
> gmail. I don't honestly care about the ones that google says are
> spam,

You should. When Google sees SPAM coming from your server it will affect
your server's IP reputation with Google and eventually cause mail from your
server to go to Spam folder or you get blacklisted, etc.

> but recently I'm also getting DMARC failures on Facebook
> mails.

Right, DMARC makes the situation worse. The only way to get around this is
to completely own the message by rewriting the envelope sender and From:
header to come from your domain. Of course this alters the content of the
message and will likely cause DKIM to fail, so you'll need to address that
as well. If you've successfully managed to do this then you'll be even more
embroiled in making your server look like a source of any SPAM that gets
relayed through it in this method.

> The only thing that I can think to do is disable the forwarding and
> tell the user to grab mail via POP3, but that means enabling POP3
> which I'd rather not do.

This is actually the only solution that will work without making you alter
the contents of the message significantly and make you look like a source
of SPAM. This is one of the few exceptions where I will say to go ahead and
use POP3.

> Gmail does not, AFAIK, allow you to combine
> your mail with another IMAP account.

Correct, Google will fetch from POP3 but not from IMAP. You pretty much
need to do it with POP3.

Peter
Re: Forward to gmail and DMARC
On 15.07.2017 at 00:15, @lbutlr wrote:
> On 14 Jul 2017, at 09:41, Dominic Raferd wrote:
>> Me:
>>> Automated? Or is that something you do manually?
>>
>> Yes I have it automated
>
> Oh, well that would be nifty to see what you've done if it's not too much
> trouble.
>

+1
Re: Forward to gmail and DMARC
On 14 Jul 2017, at 09:41, Dominic Raferd wrote:
> Me:
>> Automated? Or is that something you do manually?
>
> Yes I have it automated

Oh, well that would be nifty to see what you've done if it's not too much
trouble.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Forward to gmail and DMARC
On 14 July 2017 at 16:21, @lbutlr wrote:
> On 13 Jul 2017, at 15:05, Dominic Raferd wrote:
> > On 13 July 2017 at 21:06, @lbutlr wrote:
> >
> > I forward mail to a gmail user, but there are a lot of bounces from
> > gmail. I don't honestly care about the ones that google says are spam, but
> > recently I'm also getting DMARC failures on Facebook mails.
> >
> > Again, not critical, but a bit annoying.
> >
> > The only thing that I can think to do is disable the forwarding and tell
> > the user to grab mail via POP3, but that means enabling POP3 which I'd
> > rather not do. Gmail does not, AFAIK, allow you to combine your mail with
> > another IMAP account.
> >
> > Any other ideas?
> >
> > If you use openDMARC on your own server then rejections by an onward
> > mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur
> > when the sender has p=reject DMARC policy and is relying on SPF without
> > DKIM (or with bad DKIM).
>
> I have to say, I'd be surprised if this is what Facebook was doing, but I
> haven't even looked at DMARC for myself. It's just a milter, yes? And
> required DKIM?

It's a milter, and runs after the opendkim milter. I haven't seen such
behaviour by Facebook, only a few (not all) marketing emails from Tesco (UK
supermarket chain) and a few (again, not all) from Her Majesty's Revenue and
Customs (go figure). Most senders with p=reject DMARC policies understand
how to use DKIM and do so.

> > My solution for such cases - which are few - is to trap the DMARC
> > failure message from Gmail and then resend the original email as an
> > attachment.
>
> Automated? Or is that something you do manually?

Yes I have it automated
Re: Forward to gmail and DMARC
On 13 Jul 2017, at 15:05, Dominic Raferd wrote:
> On 13 July 2017 at 21:06, @lbutlr wrote:
>
> I forward mail to a gmail user, but there are a lot of bounces from gmail. I
> don't honestly care about the ones that google says are spam, but recently
> I'm also getting DMARC failures on Facebook mails.
>
> Again, not critical, but a bit annoying.
>
> The only thing that I can think to do is disable the forwarding and tell the
> user to grab mail via POP3, but that means enabling POP3 which I'd rather not
> do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP
> account.
>
> Any other ideas?
>
> If you use openDMARC on your own server then rejections by an onward
> mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur
> when the sender has p=reject DMARC policy and is relying on SPF without DKIM
> (or with bad DKIM).

I have to say, I'd be surprised if this is what Facebook was doing, but I
haven't even looked at DMARC for myself. It's just a milter, yes? And
required DKIM?

> My solution for such cases - which are few - is to trap the DMARC failure
> message from Gmail and then resend the original email as an attachment.

Automated? Or is that something you do manually?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
Re: Forward to gmail and DMARC
On 13 July 2017 at 21:06, @lbutlr wrote:
>
> I forward mail to a gmail user, but there are a lot of bounces from gmail.
> I don't honestly care about the ones that google says are spam, but
> recently I'm also getting DMARC failures on Facebook mails.
>
> Again, not critical, but a bit annoying.
>
> The only thing that I can think to do is disable the forwarding and tell
> the user to grab mail via POP3, but that means enabling POP3 which I'd
> rather not do. Gmail does not, AFAIK, allow you to combine your mail with
> another IMAP account.
>
> Any other ideas?

If you use openDMARC on your own server then rejections by an onward
mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur
when the sender has p=reject DMARC policy and is relying on SPF without DKIM
(or with bad DKIM).

My solution for such cases - which are few - is to trap the DMARC failure
message from Gmail and then resend the original email as an attachment.
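
Added illustration, not code from any poster in this thread: a small Python model of the DMARC check an onward server applies to forwarded mail, showing why SPF-only senders with p=reject fail after forwarding while DKIM-signed mail survives, and why resending as an attachment passes. The domains shop.example and forwarder.example, the function names, and the two-label org_domain shortcut are assumptions made for the example; relaxed alignment (the DMARC default) is assumed.

```python
from dataclasses import dataclass, replace

def org_domain(domain):
    # Simplification (assumption): last two labels; real verifiers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass(frozen=True)
class Delivery:
    header_from: str   # domain in the From: header (the DMARC identity)
    mail_from: str     # envelope sender domain (the SPF identity)
    spf_ip_ok: bool    # does mail_from's SPF record authorise the connecting IP?
    dkim: tuple        # ((d= domain, signature still verifies?), ...)
    policy: str        # p= published by the From: domain

def dmarc(d):
    """Return 'pass', or 'fail:<policy>' when neither SPF nor DKIM is valid and aligned."""
    aligned = lambda dom: org_domain(dom) == org_domain(d.header_from)
    spf_ok = d.spf_ip_ok and aligned(d.mail_from)
    dkim_ok = any(valid and aligned(dom) for dom, valid in d.dkim)
    return "pass" if spf_ok or dkim_ok else "fail:" + d.policy

def forward(d, rewrite_envelope_to=None):
    """What the onward server sees once the forwarder relays the message unchanged."""
    if rewrite_envelope_to:  # envelope rewrite only: SPF passes, but for the forwarder's domain
        return replace(d, mail_from=rewrite_envelope_to, spf_ip_ok=True)
    return replace(d, spf_ip_ok=False)  # forwarder's IP is not in the sender's SPF record

def resend_as_attachment(forwarder, forwarder_policy="none"):
    """New outer message from the forwarder; the original rides inside as an attachment."""
    return Delivery(forwarder, forwarder, True, (), forwarder_policy)

# Constructed senders, all publishing p=reject
SPF_ONLY = Delivery("shop.example", "bounce.shop.example", True, (), "reject")
DKIM_OK = replace(SPF_ONLY, dkim=(("shop.example", True),))
DKIM_BAD = replace(SPF_ONLY, dkim=(("shop.example", False),))

def demo():
    return {
        "SPF-only, delivered directly": dmarc(SPF_ONLY),
        "SPF-only, forwarded": dmarc(forward(SPF_ONLY)),
        "good DKIM, forwarded": dmarc(forward(DKIM_OK)),
        "bad DKIM, forwarded": dmarc(forward(DKIM_BAD)),
        "SPF-only, envelope rewritten": dmarc(forward(SPF_ONLY, "forwarder.example")),
        "resent as attachment": dmarc(resend_as_attachment("forwarder.example")),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} {result}")
```

Rewriting only the envelope sender makes SPF pass for the forwarder's domain, but that domain is not aligned with the From: header, so the DMARC result for the original sender does not change.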