I run a virtual mail server that forwards emails to my domain to a Gmail address, and I use PostSRSd to rewrite the addresses. For example, if someone sends an email to [email protected]
, my mail server will rewrite the address (to something like [email protected]
) and forward it to my email at [email protected]
.
This rewriting is essential, because otherwise the forwarded emails will fail SPF checks. I'm not sure if it will fail DKIM if the address is not rewritten, but I assume it will.
PostSRSd works out well for us most of the time. Emails to our virtual domain pass SPF, DKIM and DMARC, which makes deliverability excellent. Here's the typical mail header for the checks:
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=hs1 header.b=fFjMRTbn;
dkim=pass [email protected] header.s=hs2-8105018 header.b=AHU209VN;
spf=pass (google.com: domain of srs0=8nnb=bp=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=mydomain.com@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=8nNb=BP=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=imago-images.de@mydomain.com";
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=imago-images.de
However, emails from a particular domain ichat.sp.edu.sg
(this is the actual domain) never get delivered if they try to send emails to my domain, because the forwarding process causes it to fail Gmail's DMARC checks. Here is the mail header for one such mail:
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=selector2-ichatspedu-onmicrosoft-com header.b="LeXRlSh/";
arc=pass (i=1 spf=pass spfdomain=ichat.sp.edu.sg dkim=pass dkdomain=ichat.sp.edu.sg dmarc=pass fromdomain=ichat.sp.edu.sg);
spf=pass (google.com: domain of [email protected] designates 123.234.123.124 as permitted sender) smtp.mailfrom="[email protected]";
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sp.edu.sg
I'm not sure what causes DMARC to fail in this particular case. ChatGPT (as well as Postfix) says it has something to do with the DMARC records of sp.edu.sg
, but I'm not very sure what it is. Can anyone help? And can I do anything on my end to alleviate this if sp.edu.sg
does not do anything?
For reference, here is the TXT
record for _dmarc.sp.edu.sg
:
v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected]; fo=1
.sg
domain, did you expect one?sp.edu.sg
in the Google header?sieve
rule?