Re: will this break DMARC?

2021-08-14 Thread Matus UHLAR - fantomas

On 14.08.21 01:39, Benny Pedersen wrote:
> On 2021-08-14 01:22, Ken N wrote:
> > Yes I agree.
>
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>   d=purpleemail.com; s=x; h= headers
>
> oversigned headers that don't exist to validators break dkim

they don't.

> imho some header changes in transit here, don't sign every header at
> signing stata

Sender: was changed by the postfix mailing list and it was in the signature, that's
why it failed.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Atheism is a non-prophet organization.


Re: will this break DMARC?

2021-08-14 Thread raf
On Sat, Aug 14, 2021 at 04:56:33AM +, Viktor Dukhovni wrote:

> > On 14 Aug 2021, at 12:54 am, Benny Pedersen wrote:
> > 
> > it's then impossible to verify if there ever was an extra header or
> > not, this still makes it less strong, it does not more secure or not with
> > that feature
> > 
> > this makes dkim more weak to have that as valid, and imho it does not
> > being needed
> 
> My advice to read the specification stands.  If you haven't taken the
> time to understand it, there's little to be gained by talking about it.
> Best to desist.
> 
> -- 
>   Viktor.

Benny,

Some relevant sections of the RFC are:

  8.15.  Attacks Involving Extra Header Fields
  https://datatracker.ietf.org/doc/html/rfc6376#section-8.15

  5.4.  Determine the Header Fields to Sign
  https://datatracker.ietf.org/doc/html/rfc6376#section-5.4

Oversigning definitely catches any extra occurrence of the
oversigned header. I was just talking nonsense.

The "extra" non-existent oversigned header that is
included in the signature is the empty string. When
verifying, any maliciously added instance of the
oversigned header will not be the empty string. It will
be a header. So the signature wouldn't be valid.

cheers,
raf



Re: will this break DMARC?

2021-08-13 Thread Viktor Dukhovni
> On 14 Aug 2021, at 12:54 am, Benny Pedersen  wrote:
> 
> it's then impossible to verify if there ever was an extra header or not, this 
> still makes it less strong, it does not more secure or not with that feature
> 
> this makes dkim more weak to have that as valid, and imho it does not being 
> needed

My advice to read the specification stands.  If you haven't taken the
time to understand it, there's little to be gained by talking about it.
Best to desist.

-- 
Viktor.



Re: will this break DMARC?

2021-08-13 Thread Benny Pedersen

On 2021-08-14 06:45, Viktor Dukhovni wrote:
> Instead of empty speculation, a radical idea would be to read
> the DKIM specification and understand why signing some headers
> one more time than they appear in the message is a feature of
> that specification.

it's then impossible to verify if there ever was an extra header or not,
this still makes it less strong, it does not more secure or not with that
feature

this makes dkim more weak to have that as valid, and imho it does not
being needed


Re: will this break DMARC?

2021-08-13 Thread Viktor Dukhovni
> On 14 Aug 2021, at 12:38 am, Benny Pedersen  wrote:
> 
>> It
>> means that the From: header is included twice in the
>> data being signed. But it's odd. The extra inclusion is
>> as an empty From: header.
> 
> i will say this is a clear bug to have resolved

Instead of empty speculation, a radical idea would be to read
the DKIM specification and understand why signing some headers
one more time than they appear in the message is a feature of
that specification.

As already noted upthread, this precludes adding additional
instances of the header in question without invalidating the
signature.

-- 
Viktor.



Re: will this break DMARC?

2021-08-13 Thread Benny Pedersen

On 2021-08-14 05:54, raf wrote:
> Not in this case. It's the To: header that is being
> changed by the dovecot mailing list software.
> So if the To: header is included in the signature,
> then the signature will become invalid.

dovecot does openARC, but dkim can still be broken after openARC, but if
it's done before ARC sealing, then it breaks dmarc, hope this is clear in
the documentation

it should still not break dkim, if a maillist does this it breaks more than
dkim

there is no point in doing spf, dkim, arc, dmarc if all forwarders /
maillists break it, then we all lose the good intention


Re: will this break DMARC?

2021-08-13 Thread Benny Pedersen

On 2021-08-14 05:50, raf wrote:
> On Sat, Aug 14, 2021 at 01:22:43AM +0200, Benny Pedersen wrote:
> 
> > On 2021-08-14 01:10, raf wrote:
> > 
> > >   h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
> > 
> > note 2 instances of From
> > 
> > i bet both are not dkim signed, or both From are not in the received
> > dkim validator seen
> 
> It's normal for From to appear twice

maybe for milters only?

i use fuglu which does not have that double signed header

> in the list of
> headers to include in the signature. It doesn't mean
> that there are two From: headers in the message.

if there exists a From pseudo header in the milter it could be a problem
for opendkim to know which one is the real one, even if it does not sign
both it makes trouble for verifying it later

> It
> means that the From: header is included twice in the
> data being signed. But it's odd. The extra inclusion is
> as an empty From: header.

i will say this is a clear bug to have resolved

> So it's not a mistake. It's default behaviour in
> OpenDKIM.

i lost interest in staying with milters, unrelated or not i don't know

> Here's an extract from /etc/opendkim.conf that tries to
> explain why:
> 
>   # Always oversign From (sign using actual From and a null From to prevent
>   # malicious signatures header fields (From and/or others) between the signer
>   # and the verifier.  From is oversigned by default in the Debian package
>   # because it is often the identity key used by reputation systems and thus
>   # somewhat security sensitive.
>   OversignHeaders From
> 
> "Oversigning" the From: header prevents an additional
> From: header being added without invalidating the
> signature. This is desirable because it might be that
> the real From: header satisfies DKIM, but the second
> malicious From: is shown to the user perhaps (or vice
> versa).

this is when signing on forwarders imho, not when signing originated
mails, dkim signing on a forwarding mta should imho stop being done, and
only do openARC sealing on forwarding mta hosts

> Documentation for rspamd says "Oversigned headers
> cannot be appended to a message". But the above makes
> me think that the intent of oversigning is to say that
> if an extra From: header was added, it would get
> noticed, but I don't understand why you couldn't just
> have 3+ From: headers, the normal signed one, then one
> or more empty oversigned ones, and then a final
> malicious one that doesn't affect DKIM because only the
> first two were included in the signed data?

good question, i don't know the answer

> Hopefully,
> that's not the case. I'll have to read the RFC one of
> these days to understand it properly.

i only dkim sign in fuglu, wish i knew how to make dkim verify with
fuglu as well, it's just low priority for me to do so as long as spamassassin
does it

fuglu uses dkimpy, and i have created an ebuild for fuglu on gentoo, it's
pretty stable for what i have done without knowledge :=)


Re: will this break DMARC?

2021-08-13 Thread raf
On Sat, Aug 14, 2021 at 01:39:29AM +0200, Benny Pedersen  wrote:

> On 2021-08-14 01:22, Ken N wrote:
> > Yes I agree.
> 
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>   d=purpleemail.com; s=x; h= headers 
> 
> oversigned headers that don't exist to validators break dkim

I don't think that's the case. When validating, if a
header doesn't exist, it would probably just be treated
as an empty header for the purpose of validating the
signature.

> imho some header changes in transit here, don't sign every header at signing
> stata
> 
> reduce your signed headers list to begin with from, to, date, subject
> 
> this will solve some of the problems you have

Not in this case. It's the To: header that is being
changed by the dovecot mailing list software.
So if the To: header is included in the signature,
then the signature will become invalid.

cheers,
raf



Re: will this break DMARC?

2021-08-13 Thread raf
On Sat, Aug 14, 2021 at 01:22:43AM +0200, Benny Pedersen  wrote:

> On 2021-08-14 01:10, raf wrote:
> 
> >   h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;
> 
> note 2 instances of From
> 
> i bet both are not dkim signed, or both From are not in the received dkim
> validator seen

It's normal for From to appear twice in the list of
headers to include in the signature. It doesn't mean
that there are two From: headers in the message. It
means that the From: header is included twice in the
data being signed. But it's odd. The extra inclusion is
as an empty From: header.

So it's not a mistake. It's default behaviour in
OpenDKIM.

Here's an extract from /etc/opendkim.conf that tries to
explain why:

  # Always oversign From (sign using actual From and a null From to prevent
  # malicious signatures header fields (From and/or others) between the signer
  # and the verifier.  From is oversigned by default in the Debian package
  # because it is often the identity key used by reputation systems and thus
  # somewhat security sensitive.
  OversignHeaders From

"Oversigning" the From: header prevents an additional
From: header being added without invalidating the
signature. This is desirable because it might be that
the real From: header satisfies DKIM, but the second
malicious From: is shown to the user perhaps (or vice
versa).

Documentation for rspamd says "Oversigned headers
cannot be appended to a message". But the above makes
me think that the intent of oversigning is to say that
if an extra From: header was added, it would get
noticed, but I don't understand why you couldn't just
have 3+ From: headers, the normal signed one, then one
or more empty oversigned ones, and then a final
malicious one that doesn't affect DKIM because only the
first two were included in the signed data? Hopefully,
that's not the case. I'll have to read the RFC one of
these days to understand it properly.

cheers,
raf
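The h= selection rule raf is reasoning about, worked through in code. This is an added example, not code from the thread, OpenDKIM or dkimpy: it implements RFC 6376's relaxed header canonicalization (section 3.4.2) and the bottom-up selection of header instances named in h= (section 5.4.2), where a name with no remaining instance contributes the null string, over a constructed header block. It compares the hashed input on both sides rather than producing a real RSA signature. The last two checks answer the "3+ From: headers" question: every From: slot in h= is filled from the bottom of the header block upward, so any added instance lands in a slot where the signer hashed nothing, and the hashes no longer match.

```python
import hashlib
import re
from typing import List, Tuple

# A header block as (field name, field value) pairs in message order, top to bottom.
Header = Tuple[str, str]


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 relaxed header canonicalization: lowercase the field
    name, unfold the value, collapse whitespace runs to one space, strip, end with CRLF."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers: List[Header], h_tag: str) -> str:
    """The header part of the data that gets hashed (RFC 6376 section 5.4.2): walk the
    h= list left to right; each name consumes the lowest remaining instance of that
    field. A name with no remaining instance is the null string: no name, no colon,
    no CRLF. That null string is what an oversigned From: contributes at signing time."""
    remaining = list(headers)
    parts = []
    for name in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):  # bottom-up search
            if remaining[i][0].lower() == name.lower():
                field_name, field_value = remaining.pop(i)
                parts.append(relaxed_header(field_name, field_value))
                break
        else:
            parts.append("")  # non-existent instance: contributes nothing at all
    return "".join(parts)


def header_hash(headers: List[Header], h_tag: str) -> str:
    """SHA-256 over the selected, canonicalized headers. A real signer also appends the
    DKIM-Signature field itself (with an empty b=) and RSA-signs the digest; that step
    is omitted because the question here is only whether the hashed input changes."""
    return hashlib.sha256(signed_header_block(headers, h_tag).encode()).hexdigest()


def signature_still_matches(h_tag: str, signed: List[Header], received: List[Header]) -> bool:
    """True if a signature computed over `signed` with this h= list would still verify
    against the header block `received` (ignoring the RSA step)."""
    return header_hash(signed, h_tag) == header_hash(received, h_tag)


# Constructed sample headers (not taken from any message in the thread).
ORIGINAL: List[Header] = [
    ("From", "Alice <alice@example.org>"),
    ("To", "users@lists.example.net"),
    ("Subject", "will this break DMARC?"),
    ("Date", "Sat, 14 Aug 2021 01:10:00 +1000"),
]
# Same message with a second From: prepended in transit; clients usually display the first.
EXTRA_FROM_ON_TOP: List[Header] = [("From", "Mallory <mallory@example.com>")] + ORIGINAL
# And a third From: appended at the bottom as well (raf's "3+ From: headers" case).
EXTRA_FROM_BOTH_ENDS: List[Header] = EXTRA_FROM_ON_TOP + [("From", "Bob <bob@example.com>")]

PLAIN = "From:To:Subject:Date"            # From: listed once
OVERSIGNED = "From:To:Subject:Date:From"  # From: listed once more than it occurs


def demo() -> dict:
    return {
        # Oversigning does not break a message that has exactly one From:.
        "oversigned_single_from_verifies": signature_still_matches(OVERSIGNED, ORIGINAL, ORIGINAL),
        # Without oversigning, a From: added above the original is never hashed.
        "plain_survives_extra_from": signature_still_matches(PLAIN, ORIGINAL, EXTRA_FROM_ON_TOP),
        # With oversigning, the verifier's second From: slot picks up the added field.
        "oversigned_survives_extra_from": signature_still_matches(OVERSIGNED, ORIGINAL, EXTRA_FROM_ON_TOP),
        # More From: fields do not help either: slots are filled bottom-up until h= is exhausted.
        "oversigned_survives_three_froms": signature_still_matches(OVERSIGNED, ORIGINAL, EXTRA_FROM_BOTH_ENDS),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The "empty From:" in the OpenDKIM comment is therefore not a field in the message at all; it is a position in the h= list that the signer fills with nothing and that a verifier can only fill with something if a field was added after signing.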



Re: will this break DMARC?

2021-08-13 Thread Benny Pedersen

On 2021-08-14 01:22, Ken N wrote:
> Yes I agree.

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
  d=purpleemail.com; s=x; h= headers

oversigned headers that don't exist to validators break dkim

imho some header changes in transit here, don't sign every header at
signing stata

reduce your signed headers list to begin with from, to, date, subject

this will solve some of the problems you have

sadly i have to resend the reply because the signed headers include "afmeld
maillist in english"


Re: will this break DMARC?

2021-08-13 Thread Benny Pedersen

On 2021-08-14 01:10, raf wrote:
>   h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;

note 2 instances of From

i bet both are not dkim signed, or both From are not in the received dkim
validator seen


Re: will this break DMARC?

2021-08-13 Thread Ken N

Yes I agree.

most google groups add the additional info at the end of each message,
which makes DKIM invalid.
since google groups is a forwarding service that does a valid SRS, SPF
has no contribution to the DMARC validation.

So, almost every message forwarded by google groups has DMARC failed.

How does google handle it?
It just replaces the From: in the header with google's list name, but keeps the
real sender email in the Reply-To: header.

For instance, I sent an email from x...@mail.ru to google groups, google
delivers it to every member's mailbox. the DMARC will fail in this case.

So, Google just replaces x...@mail.ru with x...@googlegroups.com in the
header, and tries to deliver the message then.

thanks.

On 2021/8/14 7:10 AM, raf wrote:
> Lots of mailing lists add a bit of list-related text at the
> end of each message (even though the same information
> is in List- headers as well). That renders DKIM signatures invalid.
> Perhaps the dovecot list does that. It doesn't seem to, looking at
> the archives.


--
Ken N
https://blog.hoxblue.com/


Re: will this break DMARC?

2021-08-13 Thread raf
On Fri, Aug 13, 2021 at 01:31:05PM -0400, Wietse Venema wrote:

> post...@ptld.com:
> > > Domain alignment is essential to DMARC. DMARC always refers to the
> > > From header domain. SPF validates the envelope sender (MailFrom)
> > > domain. DKIM can validate any domain, even one not used anywhere else
> > > in the message. For DMARC to succeed, the From header domain must
> > > align with a domain whose validation mechanism succeeds.
> > 
> > All of that makes sense. Anyone know why a sizeable percentage of emails 
> > from the dovecot mailing list fail dmarc? Is dovecot doing something 
> > wrong or is it users with improperly setup dkim keys? Because it seems 
> > like mail from the postfix mailing list always pass dmarc.
> 
> The Postfix list uses Majordomo. It adds Sender and List- headers.
> As long as the original DKIM signature did not cover such headers,
> the signature will continue to validate.
>   
>   Wietse

Lots of mailing lists add a bit of list-related text at the
end of each message (even though the same information
is in List- headers as well). That renders DKIM signatures invalid.
Perhaps the dovecot list does that. It doesn't seem to, looking at
the archives.

Looking at your "Why do so many dovecot list mails fail dmarc?"
message on that list:

The From: domain is protonmail.ch
The Envelope sender domain is dovecot.org so SPF doesn't contribute to DMARC.
The DKIM signing domain is protonmail.ch so it can contribute to DMARC.
The headers that are included in the DKIM signature are:

  h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;

And I can see:

  X-Original-To: dove...@dovecot.org
  To: Aki Tuomi 

That looks to me like the To header was changed by the
mailing list software from the list address to the list
member's address, and that rendered the DKIM signature
invalid.

If To: was removed from the list of DKIM-signed
headers, then it could pass a DMARC check, but that's
probably a bad idea. A better solution would be for the
mailing list software to leave the To: header alone and
only use the list member's addresses in the envelope.
But presumably, that's not going to happen.

cheers,
raf
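raf's point that a list footer invalidates a DKIM signature holds whichever body canonicalization the signer chose, and the following added example shows why. It is not code from the thread or from any DKIM implementation: it implements the bh= body hash of RFC 6376 with the simple (section 3.4.3) and relaxed (section 3.4.4) canonicalizations over constructed sample bodies, footer and addresses. It also shows the one kind of change relaxed canonicalization does tolerate (whitespace only) and what the optional l= body-length tag would do with an appended footer, together with the reason it is normally left unset. Header changes such as a rewritten To: break the signature by the same mechanism when To: is listed in h=, while fields that are not listed, such as the Sender and List- headers Wietse mentions, never enter the hash.

```python
import base64
import hashlib
import re
from typing import Optional


def simple_body(body: str) -> str:
    """RFC 6376 section 3.4.3 simple body canonicalization: drop empty lines at the end
    of the body and end with exactly one CRLF (an empty body becomes a lone CRLF)."""
    return body.rstrip("\r\n") + "\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4 relaxed body canonicalization: strip whitespace at the end
    of each line, collapse whitespace runs inside a line to one space, drop empty lines
    at the end, end with CRLF (an empty body becomes the empty string)."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    text = "\r\n".join(lines).rstrip("\r\n")
    return text + "\r\n" if text else ""


def body_hash(body: str, canon: str = "relaxed", length: Optional[int] = None) -> str:
    """The bh= tag value: base64(SHA-256) over the canonicalized body. `length` mimics
    the optional l= tag, which limits the hash to the first l octets of the body."""
    data = (relaxed_body if canon == "relaxed" else simple_body)(body).encode("utf-8")
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


# Constructed sample bodies (not from the thread).
ORIGINAL_BODY = (
    "Hi all,\r\n\r\n"
    "Does a message forwarded via pobox break DMARC for mail.ru?\r\n\r\n"
    "Ken\r\n"
)
# What a list server that appends a footer delivers to its members.
WITH_LIST_FOOTER = ORIGINAL_BODY + "\r\n-- \r\nusers mailing list\r\nusers@lists.example.net\r\n"
# What a relay that only touches whitespace delivers: trailing blanks and extra blank lines.
RESPACED_BODY = ORIGINAL_BODY.replace("Ken\r\n", "Ken   \r\n\r\n\r\n")


def footer_breaks_body_hash(canon: str) -> bool:
    return body_hash(ORIGINAL_BODY, canon) != body_hash(WITH_LIST_FOOTER, canon)


def respacing_breaks_body_hash(canon: str) -> bool:
    return body_hash(ORIGINAL_BODY, canon) != body_hash(RESPACED_BODY, canon)


def length_limited_hash_survives_footer() -> bool:
    """With l= set to the original body length, the appended footer is simply not hashed.
    RFC 6376 section 8.2 warns that the unsigned tail can then carry anything the
    signer never saw, which is why signers generally leave l= unset."""
    l = len(relaxed_body(ORIGINAL_BODY).encode("utf-8"))
    return body_hash(ORIGINAL_BODY, "relaxed", l) == body_hash(WITH_LIST_FOOTER, "relaxed", l)


if __name__ == "__main__":
    for canon in ("simple", "relaxed"):
        print(f"{canon}: footer breaks bh= -> {footer_breaks_body_hash(canon)}, "
              f"whitespace-only change breaks bh= -> {respacing_breaks_body_hash(canon)}")
    print(f"l= limited hash survives footer -> {length_limited_hash_survives_footer()}")
```

A verifier reports a body-hash mismatch before it even checks the signature value, so a list footer shows up as a DKIM failure regardless of which headers were signed; only a change to the list software, or a From: rewrite or ARC seal by the list, can get such a message through DMARC for the original domain.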



Re: will this break DMARC?

2021-08-13 Thread Wietse Venema
post...@ptld.com:
> > Domain alignment is essential to DMARC. DMARC always refers to the
> > From header domain. SPF validates the envelope sender (MailFrom)
> > domain. DKIM can validate any domain, even one not used anywhere else
> > in the message. For DMARC to succeed, the From header domain must
> > align with a domain whose validation mechanism succeeds.
> 
> All of that makes sense. Anyone know why a sizeable percentage of emails 
> from the dovecot mailing list fail dmarc? Is dovecot doing something 
> wrong or is it users with improperly setup dkim keys? Because it seems 
> like mail from the postfix mailing list always pass dmarc.

The Postfix list uses Majordomo. It adds Sender and List- headers.
As long as the original DKIM signature did not cover such headers,
the signature will continue to validate.

Wietse


Re: will this break DMARC?

2021-08-13 Thread postfix

> Domain alignment is essential to DMARC. DMARC always refers to the
> From header domain. SPF validates the envelope sender (MailFrom)
> domain. DKIM can validate any domain, even one not used anywhere else
> in the message. For DMARC to succeed, the From header domain must
> align with a domain whose validation mechanism succeeds.

All of that makes sense. Anyone know why a sizeable percentage of emails
from the dovecot mailing list fail dmarc? Is dovecot doing something
wrong or is it users with improperly setup dkim keys? Because it seems
like mail from the postfix mailing list always pass dmarc.


Re: will this break DMARC?

2021-08-13 Thread Bill Cole

On 2021-08-13 at 08:05:44 UTC-0400 (Fri, 13 Aug 2021 08:05:44 -0400)
is rumored to have said:

> Raf,
> I'm confused by this, i thought as long as either dkim or spf passes
> then dmarc passes. But i still see dmarc fails.
>
>   Envelope-From: dovecot-boun...@dovecot.org
>   Header From: some...@netcourrier.com
>
>   DKIM: bad signature data
>   DMARC: SPF(mailfrom): dovecot.org pass
>   DMARC: netcourrier.com fail
>
> Shouldn't dmarc pass with the good SPF?

Not with the MailFrom domain that doesn't align to the header From
address.

Domain alignment is essential to DMARC. DMARC always refers to the From
header domain. SPF validates the envelope sender (MailFrom) domain. DKIM
can validate any domain, even one not used anywhere else in the message.
For DMARC to succeed, the From header domain must align with a domain
whose validation mechanism succeeds.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: will this break DMARC?

2021-08-13 Thread Ken N

I have pasted @raf's answer to my blog posting.
copyright @ralf certainly. thank you.

https://blog.hoxblue.com/will-a-forwarded-message-break-the-dmarc/

regards.

On 2021/8/13 1:03 PM, raf wrote:
> Maybe. It depends on lots of stuff. A DMARC check
> passes if either SPF or DKIM pass, but (for DMARC
> purposes), SPF only applies (and therefore can only
> pass) when the From: domain matches the envelope sender
> domain, and (for DMARC purposes) DKIM only applies (and
> therefore can only pass) when the From: domain matches
> the DKIM signing domain (d=).
>
> If pobox.com uses its own envelope sender when
> forwarding the email, then mail.ru's SPF doesn't apply
> (because it wouldn't be the envelope sender domain
> anymore). Instead, pobox.com's SPF applies (because
> it's now the envelope sender domain). But pobox.com's
> SPF doesn't apply to mail.ru's DMARC check. So SPF
> wouldn't contribute to a DMARC check for mail.ru.
>
> If pobox.com uses the original mail.ru envelope sender
> then mail.ru's SPF will apply and it will fail (because
> pobox.com won't be authorized by mail.ru's SPF). So it
> won't contribute to a DMARC check for mail.ru either.
>
> So, you can't count on SPF to get it through a DMARC
> check for mail.ru.
>
> The only other possibility is if the email was
> DKIM-signed by mail.ru as well. If it wasn't, then
> DMARC fails. If it was, and the email wasn't changed en
> route in any way that invalidated the DKIM signature,
> then DMARC passes. If the mail was modified too much,
> then DMARC fails, but if pobox.com is just forwarding,
> then it shouldn't have modified it in a way that
> matters to DKIM.
>
> And the DKIM signature has to have been signed with
> mail.ru's DKIM key. Any other signing domain doesn't
> apply for DMARC purposes.
>
> So, if it's DKIM-signed by mail.ru, and pobox.com just
> forwards it, and does nothing else other than adding
> headers along the way, then it'll probably pass a DMARC
> check for mail.ru. Otherwise, it won't.
>
> Having said all that, what gmail does with it upon
> arrival is entirely up to gmail. :-)


--
Ken N
https://lrblogs.com/


Re: will this break DMARC?

2021-08-13 Thread Scott Kitterman



On August 13, 2021 12:05:44 PM UTC, post...@ptld.com wrote:
>Raf,
>I'm confused by this, i thought as long as either dkim or spf passes then 
>dmarc passes. But i still see dmarc fails.
>
>   Envelope-From: dovecot-boun...@dovecot.org
>   Header From: some...@netcourrier.com
>
>   DKIM: bad signature data
>   DMARC: SPF(mailfrom): dovecot.org pass
>   DMARC: netcourrier.com fail
>
>Shouldn't dmarc pass with the good SPF?

It has to pass and align.  Mail from domain and From domain aren't aligned.

Scott K


Re: will this break DMARC?

2021-08-13 Thread postfix

Raf,
I'm confused by this, i thought as long as either dkim or spf passes then 
dmarc passes. But i still see dmarc fails.


  Envelope-From: dovecot-boun...@dovecot.org
  Header From: some...@netcourrier.com

  DKIM: bad signature data
  DMARC: SPF(mailfrom): dovecot.org pass
  DMARC: netcourrier.com fail

Shouldn't dmarc pass with the good SPF?


Re: will this break DMARC?

2021-08-13 Thread Ken N

thank you very much @raf. I have got your idea.


On 2021/8/13 1:03 PM, raf wrote:
> On Fri, Aug 13, 2021 at 10:44:31AM +0800, Ken N wrote:
>
> > I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
> >
> > This is DMARC setting of mail.ru:
> >
> > _dmarc.mail.ru. 164 IN  TXT
> > "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai;
> > "lto:dmarc_...@corp.mail.ru"
> >
> > (please notice p=reject setting)
> >
> > When gmail receive the forwarded email from pobox, will it break DMARC?
> > since the message header showing sender is x...@mail.ru, but the SMTP talking
> > IP is pobox's IP address.
> >
> > Thank you.
> > --
> > Ken N
> > https://lrblogs.com/
>
> Maybe. It depends on lots of stuff. A DMARC check
> passes if either SPF or DKIM pass, but (for DMARC
> purposes), SPF only applies (and therefore can only
> pass) when the From: domain matches the envelope sender
> domain, and (for DMARC purposes) DKIM only applies (and
> therefore can only pass) when the From: domain matches
> the DKIM signing domain (d=).
>
> If pobox.com uses its own envelope sender when
> forwarding the email, then mail.ru's SPF doesn't apply
> (because it wouldn't be the envelope sender domain
> anymore). Instead, pobox.com's SPF applies (because
> it's now the envelope sender domain). But pobox.com's
> SPF doesn't apply to mail.ru's DMARC check. So SPF
> wouldn't contribute to a DMARC check for mail.ru.
>
> If pobox.com uses the original mail.ru envelope sender
> then mail.ru's SPF will apply and it will fail (because
> pobox.com won't be authorized by mail.ru's SPF). So it
> won't contribute to a DMARC check for mail.ru either.
>
> So, you can't count on SPF to get it through a DMARC
> check for mail.ru.
>
> The only other possibility is if the email was
> DKIM-signed by mail.ru as well. If it wasn't, then
> DMARC fails. If it was, and the email wasn't changed en
> route in any way that invalidated the DKIM signature,
> then DMARC passes. If the mail was modified too much,
> then DMARC fails, but if pobox.com is just forwarding,
> then it shouldn't have modified it in a way that
> matters to DKIM.
>
> And the DKIM signature has to have been signed with
> mail.ru's DKIM key. Any other signing domain doesn't
> apply for DMARC purposes.
>
> So, if it's DKIM-signed by mail.ru, and pobox.com just
> forwards it, and does nothing else other than adding
> headers along the way, then it'll probably pass a DMARC
> check for mail.ru. Otherwise, it won't.
>
> Having said all that, what gmail does with it upon
> arrival is entirely up to gmail. :-)
>
> cheers,
> raf



--
Ken N
https://lrblogs.com/


Re: will this break DMARC?

2021-08-12 Thread Benny Pedersen

On 2021-08-13 06:25, Ken N wrote:
> Am I right?

no, SRS is not part of dmarc

pobox has its own spf, and dkim, but pobox should not use srs or add
dkim signing, so only arc sealing on pobox is needed to not break dmarc

if pobox on the other hand originates emails they should dkim sign it,
otherwise not

note there is now a cve on libspf2 which in most cases is used by srs
implementations

no one should use srs or sender-id anymore, both should be deprecated


Re: will this break DMARC?

2021-08-12 Thread raf
On Fri, Aug 13, 2021 at 10:44:31AM +0800, Ken N  wrote:

> I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
> 
> This is DMARC setting of mail.ru:
> 
> _dmarc.mail.ru.   164 IN  TXT
> "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai;
> "lto:dmarc_...@corp.mail.ru"
> 
> (please notice p=reject setting)
> 
> When gmail receive the forwarded email from pobox, will it break DMARC?
> since the message header showing sender is x...@mail.ru, but the SMTP talking
> IP is pobox's IP address.
> 
> Thank you.
> -- 
> Ken N
> https://lrblogs.com/

Maybe. It depends on lots of stuff. A DMARC check
passes if either SPF or DKIM pass, but (for DMARC
purposes), SPF only applies (and therefore can only
pass) when the From: domain matches the envelope sender
domain, and (for DMARC purposes) DKIM only applies (and
therefore can only pass) when the From: domain matches
the DKIM signing domain (d=).

If pobox.com uses its own envelope sender when
forwarding the email, then mail.ru's SPF doesn't apply
(because it wouldn't be the envelope sender domain
anymore). Instead, pobox.com's SPF applies (because
it's now the envelope sender domain). But pobox.com's
SPF doesn't apply to mail.ru's DMARC check. So SPF
wouldn't contribute to a DMARC check for mail.ru.

If pobox.com uses the original mail.ru envelope sender
then mail.ru's SPF will apply and it will fail (because
pobox.com won't be authorized by mail.ru's SPF). So it
won't contribute to a DMARC check for mail.ru either.

So, you can't count on SPF to get it through a DMARC
check for mail.ru.

The only other possibility is if the email was
DKIM-signed by mail.ru as well. If it wasn't, then
DMARC fails. If it was, and the email wasn't changed en
route in any way that invalidated the DKIM signature,
then DMARC passes. If the mail was modified too much,
then DMARC fails, but if pobox.com is just forwarding,
then it shouldn't have modified it in a way that
matters to DKIM.

And the DKIM signature has to have been signed with
mail.ru's DKIM key. Any other signing domain doesn't
apply for DMARC purposes.

So, if it's DKIM-signed by mail.ru, and pobox.com just
forwards it, and does nothing else other than adding
headers along the way, then it'll probably pass a DMARC
check for mail.ru. Otherwise, it won't.

Having said all that, what gmail does with it upon
arrival is entirely up to gmail. :-)

cheers,
raf
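The rule raf walks through above, and that Bill Cole and Scott Kitterman state more compactly earlier in the thread (an identifier has to pass and align), as an added example rather than code from the thread or from any DMARC implementation. It evaluates RFC 7489's pass condition (section 6.6.2) and identifier alignment (section 3.1) over authentication results constructed to mirror the cases reported on the list: the dovecot list post with an SPF pass for the wrong domain, the pobox forward with the mail.ru signature intact or broken, a list that adds its own signature, and the From: rewrite Ken describes for Google Groups (its MailFrom domain is an assumption here). The organizational-domain rule is simplified to the last two labels; a real checker consults the Public Suffix List.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. RFC 7489 section 3.2
    derives it from the Public Suffix List; this shortcut is an assumption of the
    example and is wrong for names such as example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str            # domain of the RFC5322.From header
    spf_result: str             # result SPF produced for the MailFrom domain
    mailfrom_domain: str        # RFC5321.MailFrom domain SPF was evaluated for
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d= domain) per signature


def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """RFC 7489 section 6.6.2: pass if SPF passed for a MailFrom domain aligned with the
    From domain, or any DKIM signature with an aligned d= verified. A pass for an
    unaligned domain, however genuine, counts for nothing."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.mailfrom_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(r.header_from, d, adkim) for res, d in r.dkim)
    return spf_ok or dkim_ok


def disposition(policy: str, passed: bool) -> str:
    """What the From domain's p= tag asks the receiver to do with the message."""
    if passed or policy == "none":
        return "deliver"
    return "quarantine" if policy == "quarantine" else "reject"


# Scenarios from the thread; the results are constructed to match what was reported.
DOVECOT_LIST_POST = AuthResults(         # SPF passes, but for the list's bounce domain
    header_from="netcourrier.com",
    spf_result="pass", mailfrom_domain="dovecot.org",
    dkim=[("fail", "netcourrier.com")],  # "DKIM: bad signature data"
)
POBOX_FORWARD_INTACT = AuthResults(      # SRS envelope from pobox, mail.ru signature intact
    header_from="mail.ru",
    spf_result="pass", mailfrom_domain="pobox.com",
    dkim=[("pass", "mail.ru")],
)
POBOX_FORWARD_MODIFIED = AuthResults(    # same, but the forwarder changed signed content
    header_from="mail.ru",
    spf_result="pass", mailfrom_domain="pobox.com",
    dkim=[("fail", "mail.ru")],
)
LIST_WITH_OWN_SIGNATURE = AuthResults(   # list signs with its own domain; original signature broken
    header_from="mail.ru",
    spf_result="pass", mailfrom_domain="lists.example.net",
    dkim=[("fail", "mail.ru"), ("pass", "lists.example.net")],
)
GROUPS_FROM_REWRITTEN = AuthResults(     # From: rewritten to the group domain (MailFrom assumed)
    header_from="googlegroups.com",
    spf_result="pass", mailfrom_domain="googlegroups.com",
    dkim=[("fail", "mail.ru")],
)


def evaluate_all() -> dict:
    return {
        "dovecot_list_post": dmarc_pass(DOVECOT_LIST_POST),
        "pobox_forward_intact": dmarc_pass(POBOX_FORWARD_INTACT),
        "pobox_forward_modified": dmarc_pass(POBOX_FORWARD_MODIFIED),
        "list_with_own_signature": dmarc_pass(LIST_WITH_OWN_SIGNATURE),
        "groups_from_rewritten": dmarc_pass(GROUPS_FROM_REWRITTEN),
    }


if __name__ == "__main__":
    for name, passed in evaluate_all().items():
        print(f"{name}: DMARC {'pass' if passed else 'fail'}, "
              f"under p=reject -> {disposition('reject', passed)}")
```

The list-with-own-signature case is the one that trips people up most: the receiver sees a valid DKIM signature and an SPF pass, yet both belong to the list, not to the From domain, so for DMARC purposes the message is unauthenticated. Rewriting From: (as Ken observed Google Groups doing) makes the list the From domain and turns that same pair of results into a pass.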



Re: will this break DMARC?

2021-08-12 Thread Ken N

Hello

When gmail sees this forwarded email from pobox.com, it won't break SPF
because Pobox does SRS.

But I doubt it will break DMARC for mail.ru since:

1) the from address in message header is x...@mail.ru
2) the sender IP addr (by pobox) is not owned by mail.ru

so gmail may reject this message due to DMARC setting.

Am I right?

Thank you

On 2021/8/13 12:02 PM, Jeremy T. Bouse wrote:
> The DMARC record itself looks fine and valid; however, the issue is
> going to be whether your SPF and DKIM records align. I suspect the
> issue will be in the alignment and the OP didn't provide those details
> to be able to evaluate.


--
Ken N
https://lrblogs.com/


Re: will this break DMARC?

2021-08-12 Thread Jeremy T. Bouse
The DMARC record itself looks fine and valid; however, the issue is going
to be whether your SPF and DKIM records align. I suspect the issue will
be in the alignment and the OP didn't provide those details to be able to
evaluate.

On Thu, Aug 12, 2021 at 11:47 PM Benny Pedersen  wrote:

> On 2021-08-13 04:44, Ken N wrote:
> > I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
> >
> > This is DMARC setting of mail.ru:
> >
> > _dmarc.mail.ru.   164 IN  TXT
> > "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai;
> > "lto:dmarc_...@corp.mail.ru"
> >
> > (please notice p=reject setting)
>
> https://dmarcian.com/dmarc-inspector/?domain=mail.ru
>
> it's valid
>
> but it could join the split txt record without breaking the line with
> space
>
> so removing " " won't hurt here, it makes it more readable in dns terms,
> but it's still valid
>
> > When gmail receive the forwarded email from pobox, will it break DMARC?
>
> example ?
>
> > since the message header showing sender is x...@mail.ru, but the SMTP
> > talking IP is pobox's IP address.
>
> forwards change spf envelope sender, but it should not break dmarc
>
> > Thank you.
>


Re: will this break DMARC?

2021-08-12 Thread Benny Pedersen

On 2021-08-13 04:44, Ken N wrote:
> I sent an email from mail.ru to pobox.com, pobox forwarded it to gmail.
>
> This is DMARC setting of mail.ru:
>
> _dmarc.mail.ru. 164 IN  TXT
> "v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai;
> "lto:dmarc_...@corp.mail.ru"
>
> (please notice p=reject setting)

https://dmarcian.com/dmarc-inspector/?domain=mail.ru

it's valid

but it could join the split txt record without breaking the line with
space

so removing " " won't hurt here, it makes it more readable in dns terms,
but it's still valid

> When gmail receive the forwarded email from pobox, will it break DMARC?

example ?

> since the message header showing sender is x...@mail.ru, but the SMTP
> talking IP is pobox's IP address.

forwards change spf envelope sender, but it should not break dmarc

> Thank you.
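The split TXT record Benny comments on is worth seeing in code, because the cut in the quoted mail.ru record falls inside the word "mailto:". The space dig prints between the two quoted strings is presentation syntax only; a resolver library hands back the strings and a DMARC checker concatenates them with nothing in between. This added example (not code from the thread or from any DNS or DMARC library) joins the strings, parses the record's tag=value list per RFC 7489 section 6.3, validates the mandatory v= and p= tags, and shows what a join with a space would do to the rua= list. The record is constructed to mirror the split in the thread; the report addresses are placeholders, not the real ones.

```python
from typing import Dict, List


def join_txt_strings(strings: List[str], separator: str = "") -> str:
    """A TXT RR may carry several character-strings (each at most 255 octets). For SPF
    (RFC 7208 section 3.3) and DMARC records they are concatenated with nothing in
    between; `separator` exists only to show what inserting a space would do."""
    return separator.join(strings)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag=value pairs (RFC 7489 section 6.3) and check the
    two mandatory tags: v= must come first and be DMARC1, p= must be a known policy."""
    tags: Dict[str, str] = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    first = record.split(";", 1)[0].strip().lower()
    if not first.startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError(f"p= must be none, quarantine or reject, got {tags.get('p')!r}")
    return tags


def report_uris(tags: Dict[str, str], tag: str = "rua") -> List[str]:
    """The comma-separated list of reporting URIs in rua= (or ruf=)."""
    return [uri.strip() for uri in tags.get(tag, "").split(",") if uri.strip()]


def uris_are_mailto(uris: List[str]) -> bool:
    """Aggregate reports are sent by mail, so every URI should be a mailto: URI."""
    return bool(uris) and all(uri.startswith("mailto:") for uri in uris)


# Constructed record, split the same way as the mail.ru record quoted in the thread:
# the cut falls inside "mailto:", so the join must not insert anything.
TXT_STRINGS = [
    "v=DMARC1;p=reject;rua=mailto:dmarc-rua@reports.example.net,mai",
    "lto:dmarc-rua@corp.example.net",
]


def check_record(separator: str = "") -> dict:
    tags = parse_dmarc(join_txt_strings(TXT_STRINGS, separator))
    uris = report_uris(tags)
    return {"policy": tags["p"], "rua": uris, "rua_ok": uris_are_mailto(uris)}


if __name__ == "__main__":
    print("joined as the resolver does:", check_record())
    print("joined with a space:", check_record(" "))
```

Joined correctly the record yields p=reject and two well-formed mailto: report addresses; joined with a space the policy still parses, but the second report URI becomes "mai lto:..." and the domain silently stops receiving half its aggregate reports. A publisher who wants the record readable in zone files can put the cut between tags (after a ";") instead of inside a word.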