Forward to gmail and DMARC


Forward to gmail and DMARC

@lbutlr

I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.

Again, not critical, but a bit annoying.

The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.

Any other ideas?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Forward to gmail and DMARC

Dominic Raferd


On 13 July 2017 at 21:06, @lbutlr <[hidden email]> wrote:

> I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.
>
> Again, not critical, but a bit annoying.
>
> The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.
>
> Any other ideas?

If you use openDMARC on your own server then rejections by an onward mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur when the sender has p=reject DMARC policy and is relying on SPF without DKIM (or with bad DKIM). My solution for such cases - which are few - is to trap the DMARC failure message from Gmail and then resend the original email as an attachment.
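
The condition described in this post can be checked on the forwarding server before a message is sent on. The sketch below is an added example, not code from the thread or from openDMARC: it reads the Authentication-Results value recorded by your own filter plus the sender's DMARC record and predicts the downstream result. Function names and sample values are constructed, and relaxed alignment is approximated by a suffix test rather than a Public Suffix List lookup.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags, e.g. {'v': 'dmarc1', 'p': 'reject'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip().lower()
    return tags

def auth_results(value):
    """Yield (method, result, domain) from an Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", "", value)   # drop comments like "(2048-bit key; unprotected)"
    for clause in value.split(";")[1:]:       # element 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        d = re.search(r"(?:header\.d|smtp\.mailfrom)=(?:[^\s@;]*@)?([\w.-]+)", clause)
        if m:
            yield m.group(1).lower(), m.group(2).lower(), d.group(1).lower() if d else ""

def aligned(auth_dom, from_dom, strict):
    """Identifier alignment; relaxed mode approximated by a parent/child suffix test."""
    if auth_dom == from_dom:
        return True
    return not strict and (auth_dom.endswith("." + from_dom)
                           or from_dom.endswith("." + auth_dom))

def after_forwarding(from_dom, ar_value, dmarc_txt):
    """Predict the downstream DMARC outcome when the message is forwarded unchanged."""
    pol = parse_dmarc(dmarc_txt)
    strict = pol.get("adkim", "r") == "s"
    # SPF is ignored on purpose: downstream it is evaluated against the forwarder's IP.
    if any(meth == "dkim" and res == "pass" and aligned(dom, from_dom, strict)
           for meth, res, dom in auth_results(ar_value)):
        return "pass"
    return "fail/" + pol.get("p", "none")

# Constructed sample headers (reserved .example domains, not real traffic).
AR_DKIM = ("mx.forwarder.example; dkim=pass (2048-bit key; unprotected) "
           "header.d=mail.shop.example; spf=pass smtp.mailfrom=b@shop.example")
AR_SPF_ONLY = "mx.forwarder.example; dkim=none; spf=pass smtp.mailfrom=b@shop.example"

if __name__ == "__main__":
    for ar in (AR_DKIM, AR_SPF_ONLY):
        print(after_forwarding("shop.example", ar, "v=DMARC1; p=reject"))
```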


Re: Forward to gmail and DMARC

@lbutlr
On 13 Jul 2017, at 15:05, Dominic Raferd <[hidden email]> wrote:

> On 13 July 2017 at 21:06, @lbutlr <[hidden email]> wrote:
>
>> I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.
>>
>> Again, not critical, but a bit annoying.
>>
>> The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.
>>
>> Any other ideas?
>
> If you use openDMARC on your own server then rejections by an onward mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur when the sender has p=reject DMARC policy and is relying on SPF without DKIM (or with bad DKIM).

I have to say, I'd be surprised if this is what Facebook was doing, but I haven't even looked at DMARC for myself. It's just a milter, yes? And required DKIM?

> My solution for such cases - which are few - is to trap the DMARC failure message from Gmail and then resend the original email as an attachment.

Automated? Or is that something you do manually?

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Forward to gmail and DMARC

Dominic Raferd


On 14 July 2017 at 16:21, @lbutlr <[hidden email]> wrote:

> On 13 Jul 2017, at 15:05, Dominic Raferd <[hidden email]> wrote:
>> On 13 July 2017 at 21:06, @lbutlr <[hidden email]> wrote:
>>
>>> I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.
>>>
>>> Again, not critical, but a bit annoying.
>>>
>>> The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.
>>>
>>> Any other ideas?
>>
>> If you use openDMARC on your own server then rejections by an onward mailserver (e.g. Gmail) on the grounds of DMARC failure should only occur when the sender has p=reject DMARC policy and is relying on SPF without DKIM (or with bad DKIM).
>
> I have to say, I'd be surprised if this is what Facebook was doing, but I haven't even looked at DMARC for myself. It's just a milter, yes? And required DKIM?

It's a milter, and runs after the opendkim milter. I haven't seen such behaviour by Facebook, only a few (not all) marketing emails from Tesco (UK supermarket chain) and a few (again, not all) from Her Majesty's Revenue and Customs (go figure). Most senders with p=reject DMARC policies understand how to use DKIM and do so.

>> My solution for such cases - which are few - is to trap the DMARC failure message from Gmail and then resend the original email as an attachment.
>
> Automated? Or is that something you do manually?

Yes I have it automated
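
One way the trap-and-resend approach mentioned in this thread could be automated, as an added example; it is not Dominic Raferd's script, which the thread does not show. It assumes the bounce is an RFC 3464 delivery status notification whose Diagnostic-Code mentions DMARC; the function name, addresses and the trimmed sample DSN are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed, trimmed DSN (a real one also carries a human-readable text part).
SAMPLE_DSN = b"""\
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; forwarder.example

Final-Recipient: rfc822; someone@example.net
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 rejected: domain's DMARC policy

--B
Content-Type: message/rfc822

From: news@shop.example
Subject: Offers

Hello
--B--
"""

def wrap_dmarc_bounce(dsn_bytes, sender, rcpt):
    """Return a new message carrying the bounced original as an attachment, or None."""
    dsn = email.message_from_bytes(dsn_bytes, policy=policy.default)
    dmarc, orig = False, None
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            for blk in part.get_payload():        # one header block per recipient
                if (str(blk.get("Status", "")).startswith("5") and
                        "dmarc" in str(blk.get("Diagnostic-Code", "")).lower()):
                    dmarc = True
        elif ctype == "message/rfc822" and orig is None:
            orig = part.get_payload(0)            # missing when only headers were returned
    if not dmarc or orig is None:
        return None
    out = EmailMessage()
    out["From"], out["To"] = sender, rcpt
    out["Subject"] = "Fwd: " + str(orig.get("Subject", ""))
    out.set_content("Attached: a message the onward server rejected under DMARC.")
    out.add_attachment(orig)                      # stored as a message/rfc822 part
    return out
```

The wrapper carries a From: in the forwarder's own domain, so the onward server evaluates DMARC against that domain; wrap only mail that passed your own inbound checks.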

 

Re: Forward to gmail and DMARC

@lbutlr
On 14 Jul 2017, at 09:41, Dominic Raferd <[hidden email]> wrote:
> Me:
>> Automated? Or is that something you do manually?
>
> Yes I have it automated

Oh, well, that would be nifty to see what you've done if it's not too much trouble.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Forward to gmail and DMARC

A. Schulze


On 15.07.2017 at 00:15, @lbutlr wrote:
> On 14 Jul 2017, at 09:41, Dominic Raferd <[hidden email]> wrote:
>> Me:
>>> Automated? Or is that something you do manually?
>>
>> Yes I have it automated
>
> Oh, well, that would be nifty to see what you've done if it's not too much trouble.
>

+1

Re: Forward to gmail and DMARC

Peter Ajamian
In reply to this post by @lbutlr
On 14/07/17 08:06, @lbutlr wrote:
>
> I forward mail to a gmail user, but there are a lot of bounces from
> gmail. I don't honestly care about the ones that google says are
> spam,

You should.  When Google sees SPAM coming from your server it will
affect your server's IP reputation with Google and eventually cause mail
from your server to go to Spam folder or you get blacklisted, etc.

> but recently I'm also getting DMARC failures on Facebook
> mails.

Right, DMARC makes the situation worse.  The only way to get around this
is to completely own the message by rewriting the envelope sender and
From: header to come from your domain.  Of course this alters the
content of the message and will likely cause DKIM to fail, so you'll
need to address that as well.  If you've successfully managed to do this
then you'll be even more embroiled in making your server look like a
source of any SPAM that gets relayed through it in this method.

> The only thing that I can think to do is disable the forwarding and
> tell the user to grab mail via POP3, but that means enabling POP3
> which I'd rather not do.

This is actually the only solution that will work without making you
alter the contents of the message significantly and make you look like a
source of SPAM.  This is one of the few exceptions where I will say to
go ahead and use POP3.

> Gmail does not, AFAIK, allow you to combine
> your mail with another IMAP account.

Correct, Google will fetch from POP3 but not from IMAP.  You pretty much
need to do it with POP3.


Peter

Re: Forward to gmail and DMARC

A. Schulze


On 16.07.2017 at 02:55, Peter wrote:
> When Google sees SPAM coming from your server it will
> affect your server's IP reputation with Google

"your server's IP" has to be clarified:
as far as I know it's /32 for IPv4 and /64 for IPv6 ...

Andreas

Re: Forward to gmail and DMARC

Alex JOST-2
In reply to this post by Peter Ajamian
On 16.07.2017 at 02:55, Peter wrote:

> On 14/07/17 08:06, @lbutlr wrote:
>>
>> I forward mail to a gmail user, but there are a lot of bounces from
>> gmail. I don't honestly care about the ones that google says are
>> spam,
>
> You should.  When Google sees SPAM coming from your server it will
> affect your server's IP reputation with Google and eventually cause mail
> from your server to go to Spam folder or you get blacklisted, etc.
>
>> but recently I'm also getting DMARC failures on Facebook
>> mails.
>
> Right, DMARC makes the situation worse.  The only way to get around this
> is to completely own the message by rewriting the envelope sender and
> From: header to come from your domain.  Of course this alters the
> content of the message and will likely cause DKIM to fail, so you'll
> need to address that as well.  If you've successfully managed to do this
> then you'll be even more embroiled in making your server look like a
> source of any SPAM that gets relayed through it in this method.

AFAIK Authenticated Received Chain (ARC) was designed for exactly this
use case. Wondering if anyone has some experience with it or knows if
Gmail is already honouring ARC-headers.

--
Alex JOST

Re: Forward to gmail and DMARC

A. Schulze


On 17.07.2017 at 09:48, Alex JOST wrote:

> AFAIK Authenticated Received Chain (ARC) was designed for exactly this use case. Wondering if anyone has some experience with it or knows if Gmail is already honouring ARC-headers.

yes, there are multiple ARC implementations between alpha and production state.

a good entry for further information is http://arc-spec.org/
I personally work with OpenARC which is more alpha state.

At IETF 99 there was a Hackathon last weekend. People also worked on ARC.
(https://mailarchive.ietf.org/arch/msg/dmarc/CnIGMxYfiyuquzvr_KZ_uCvRW8I)

Andreas