
Here is my situation.

We have an internal network with many second-level subdomains, for example foo.internal.domain.ltd. Those subdomains may or may not have public DNS records with Class A IPs.

Then we have a single subdomain that acts as a proxy, proxy.internal.domain.ltd. It has a public IP address with the following DNS records:

  • A record: `IN A <IPv4 of the VM>`
  • MX record: `IN MX 10 proxy.internal.domain.ltd.`
  • TXT record: `IN TXT "v=spf1 a mx ip4: ~all"`
  • DMARC record: `_dmarc.proxy.internal.domain.ltd IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; pct=100; adkim=r; aspf=r; fo=0"`

All mail sending is handled by Postfix, whether it originates from the proxy or from the proxied hosts.

Is it possible to have both SPF and DMARC enabled for proxy.internal.domain.ltd and still send mail from foo.internal.domain.ltd with the From address being [email protected]?

Sending to Gmail results in some bounces with the following errors:

Host or domain name not found. Name service error for name=foo.internal.domain.ltd type=A: Host not found

and

Our system has detected that this message is 550-5.7.1 likely unsolicited mail

In case it passes (for example, when not sending test mails but a legitimate template), it gets marked as spam, despite both SPF and DMARC passing.

Our public IP ranges are not blacklisted anywhere.

If using both SPF and DMARC in this use case is not going to work out, will SPF alone (with either -all or ~all) be enough to prevent spoofing by third parties and bounces from Google?


If you want to send mail out to the world, you must ensure recipients can look up the names you use; more specifically, they must be able to figure out from the domain part of the address where mail for that domain is accepted.

Only resolvable, fully-qualified domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed in Section 5) are permitted, as are CNAME RRs whose targets can be resolved, in turn, to MX or address RRs.

Requirement from RFC 5321, Section 2.3.5, "Domain Names".

Now, depending on how you manage your DNS, what external recipients see does not necessarily need to match what you use internally (the keyword "split" may be helpful when researching common configurations). But in any case, the return address must be resolvable (probably pointing to your relay as the primary MX).

Carefully weigh publishing all internally used names against simply having the relay canonicalize addresses on forwarding (maybe [email protected] and [email protected] do not need to appear publicly, because [email protected] is sufficient for both?).

  • I went with the option to remove all DNS records for subdomains with only private IPs. Then I published wildcard TXT and MX records pointing to the proxy. This is actually the correct solution.
    – ku4eto
    Commented May 12, 2023 at 15:10
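The check the answer cites (RFC 5321, Section 2.3.5) and the wildcard fix from the comment, as an added example that is not part of the question, the answer or the comment. It is an offline model, not a live resolver: the public zone is constructed in a dictionary to mirror the question, the IP addresses are documentation-range (TEST-NET-3) assumptions, and the hosts `bar` and `alias` are assumed extra cases added to show where a wildcard stops applying and how a CNAME is chased. Wildcard matching follows RFC 4592: a wildcard only answers for names that own no records of their own, at the closest existing ancestor.

```python
"""Added example, not code from the question or the answer.

Offline model of the RFC 5321 section 2.3.5 check a receiving MTA applies to
the domain part of a sender address: it must resolve to MX or address (A/AAAA)
RRs, chasing CNAMEs.  Zone data below is constructed; IPs are TEST-NET-3.
"""

RELAY = "proxy.internal.domain.ltd"

# Public zone as the question describes it: only the relay is published.
ZONE_BEFORE = {
    RELAY: {
        "A": ["203.0.113.10"],          # assumed public address of the relay
        "MX": [(10, RELAY)],
        "TXT": ["v=spf1 a mx ip4:203.0.113.10 ~all"],
    },
}

# Public zone after the commenter's fix: private-only hosts removed, wildcard
# MX and TXT pointing at the relay.  'bar' keeps its own public A record and
# 'alias' is a CNAME; both are assumed cases, added to show the edge behaviour.
ZONE_AFTER = {
    **ZONE_BEFORE,
    "*.internal.domain.ltd": {
        "MX": [(10, RELAY)],
        "TXT": ["v=spf1 mx ~all"],
    },
    "bar.internal.domain.ltd": {"A": ["203.0.113.20"]},
    "alias.internal.domain.ltd": {"CNAME": [RELAY]},
}


def _exists(zone, name):
    """A name exists if it owns records or is an ancestor of one (RFC 4592)."""
    return name in zone or any(k.endswith("." + name) for k in zone)


def _owner(zone, name):
    """Owner whose RRset answers `name`: the name itself, or the wildcard at
    its closest encloser.  Wildcards never match a name that already exists."""
    if name in zone:
        return name
    if _exists(zone, name):
        return None                 # empty non-terminal: no records, no wildcard
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _exists(zone, encloser):
            wildcard = "*." + encloser
            return wildcard if wildcard in zone else None
    return None


def lookup(zone, name, rtype, _depth=0):
    """RRs of `rtype` for `name`, chasing CNAMEs (depth-bounded against loops)."""
    owner = _owner(zone, name)
    if owner is None or _depth > 8:
        return []
    rrset = zone[owner]
    if rtype != "CNAME" and "CNAME" in rrset:
        return lookup(zone, rrset["CNAME"][0], rtype, _depth + 1)
    return list(rrset.get(rtype, []))


def rfc5321_resolvable(zone, domain):
    """RFC 5321 2.3.5: MX, A or AAAA must be reachable (via CNAME if needed)."""
    return any(lookup(zone, domain, t) for t in ("MX", "A", "AAAA"))


def mail_exchangers(zone, domain):
    """Where bounces for <user@domain> go (RFC 5321 section 5): MX targets in
    preference order, else the implicit MX of the name itself if it has an
    address, else nowhere."""
    mx = lookup(zone, domain, "MX")
    if mx:
        return [host for _, host in sorted(mx)]
    if lookup(zone, domain, "A") or lookup(zone, domain, "AAAA"):
        return [domain]
    return []


def spf_record(zone, domain):
    """The SPF policy a receiver evaluates for MAIL FROM <user@domain>."""
    txts = [t for t in lookup(zone, domain, "TXT") if t.startswith("v=spf1")]
    return txts[0] if len(txts) == 1 else None


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for host in ("foo", "bar", "alias"):
            d = f"{host}.internal.domain.ltd"
            print(f"{label:6} {d:28} resolvable={rfc5321_resolvable(zone, d)!s:5} "
                  f"mx={mail_exchangers(zone, d)} spf={spf_record(zone, d)}")
```

Two things the model makes visible that the prose does not: `foo.internal.domain.ltd` is unresolvable before the fix (the first Gmail bounce in the question) and is answered by the wildcard afterwards, with bounces routed to the relay and the wildcard SPF record in effect; but `bar.internal.domain.ltd`, which still owns a public A record, is not covered by the wildcard at all, so bounces go straight to that host and it has no SPF policy. That is why the comment removes the records of private-only hosts rather than just adding the wildcard. The answer's other option, rewriting the envelope sender to a single published domain on the relay, is what Postfix's `sender_canonical_maps` (or `masquerade_domains`) is for.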
