I run a virtual mail server that forwards emails to my domain to a Gmail address, and I use PostSRSd to rewrite the addresses. For example, if someone sends an email to [email protected], my mail server will rewrite the address (to something like [email protected]) and forward it to my email at [email protected].

This rewriting is essential, because otherwise the forwarded emails will fail SPF checks. I'm not sure if it will fail DKIM if the address is not rewritten, but I assume it will.

PostSRSd works out well for us most of the time. Emails to our virtual domain pass SPF, DKIM and DMARC, which makes deliverability excellent. Here's the typical mail header for the checks:

Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=hs1 header.b=fFjMRTbn;
   dkim=pass [email protected] header.s=hs2-8105018 header.b=AHU209VN;
   spf=pass (google.com: domain of srs0=8nnb=bp=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=mydomain.com@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=8nNb=BP=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=imago-images.de@mydomain.com";
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=imago-images.de

However, emails from a particular domain ichat.sp.edu.sg (this is the actual domain) never get delivered if they try to send emails to my domain, because the forwarding process causes it to fail Gmail's DMARC checks. Here is the mail header for one such mail:

Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=selector2-ichatspedu-onmicrosoft-com header.b="LeXRlSh/";
   arc=pass (i=1 spf=pass spfdomain=ichat.sp.edu.sg dkim=pass dkdomain=ichat.sp.edu.sg dmarc=pass fromdomain=ichat.sp.edu.sg);
   spf=pass (google.com: domain of [email protected] designates 123.234.123.124 as permitted sender) smtp.mailfrom="[email protected]";
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sp.edu.sg

I'm not sure what causes DMARC to fail in this particular case. ChatGPT (as well as Postfix) says it has something to do with the DMARC records of sp.edu.sg, but I'm not very sure what it is. Can anyone help? And can I do anything on my end to alleviate this if sp.edu.sg does not do anything?

For reference, here is the TXT record for _dmarc.sp.edu.sg:

v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected]; fo=1
  • 1
    The Google header does not mention a DKIM signature aligned with the .sg domain, did you expect one?
    – anx
    Commented May 26, 2023 at 13:26
  • @anx Do you mean that there is no DKIM signature for sp.edu.sg in the Google header?
    – John Doe
    Commented May 26, 2023 at 15:44
  • The problem with forwarding email to Google is if you receive any spam, as when it reaches Google's servers it'll show as coming from YOUR server and YOUR email domain, not the original sender, which then risks you getting blacklisted as a spam source. I've seen it happen multiple times with customers who had similar setups (against our advice). Better to enable email collection from your server, and allow Google to collect it from you with the original headers intact so they know what came from where. Commented May 26, 2023 at 18:54
  • Do you have a different option for forwarding, such as if Dovecot is installed use a sieve rule?
    – Paul
    Commented May 28, 2023 at 11:41

2 Answers

DMARC not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the “From” address. Only then will DMARC PASS.

DKIM: ichatspedu.onmicrosoft.com

SPF: ichat.sp.edu.sg

header.from=sp.edu.sg

so this won't work. I assume in the mail that worked you redacted an imago-images.de email address in the SPF ([email protected])?

Try adding a subdomain TXT DMARC record for ichat.sp.edu.sg rather than relying on the default (empty) sp tag on the parent domain.

  • For the imago-images.de email address, do you mean the header.from? The header.from is the original value. I only redacted the IP address of my mail server and the original domain. For the email, what you mean is that either the header.from must be ichat.sp.edu.sg or the header.from must be from ichat.sp.edu.sg, correct? And to get the correct header.from, the _dmarc.ichat.sp.edu.sg address must contain a DMARC entry?
    – John Doe
    Commented May 26, 2023 at 15:41
  • I've managed to fix this thanks to your input. The PostSRSd application actually documents the fix under PostSRSd under the last question, and it has the exact same solution as yours.
    – John Doe
    Commented Jun 5, 2023 at 13:04
Why DMARC failed

In the failed header, neither the SPF nor the DKIM domain aligns with ichat.sp.edu.sg, and this caused DMARC to fail.

It seems they don't sign DKIM using their own domain, and rely on the SPF domain to pass DMARC alignment, which was rewritten by your forwarder. (Or perhaps their mail servers are not properly configured at all and DMARC fails with or without your forwarder.)

Explanations for DMARC alignment can be found on Wikipedia. Basically it states that the domain in a message's From header must match one of the domains in SPF or DKIM.

Further, any mail that relies on the SPF domain and not the DKIM domain to pass DMARC won't pass DMARC after your forwarder.

I don't think there's anything you can do, if you are not from ichat.sp.edu.sg.

Better ways

... to achieve what you are trying to do would be:

  • To designate your server as a Gmail inbound mail gateway, which requires Google Workspace subscriptions. Google won't test DMARC for this.

  • Or you can try programmatically inserting forwarded mails using the Gmail API. You won't be using SMTP, and there is no need to pass any tests.
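
Both answers above come down to the same rule: DMARC passes only when a passing SPF or DKIM identifier is aligned with the From domain, and SRS rewriting replaces the one identifier (the SPF MAIL FROM domain) that could have aligned with sp.edu.sg. The script below is an added example, not code from the question, the answers, or PostSRSd. It evaluates alignment the way a receiver does (RFC 7489, section 3.1), in both relaxed and strict modes, over two constructed Authentication-Results headers modelled on the ones in the question, and shows the same message before and after a simplified SRS0 rewrite. Assumptions: the DKIM d= values (redacted on the page) are taken from the first answer, ichatspedu.onmicrosoft.com for the failing mail and imago-images.de for the working one; the IP 203.0.113.10 and the alice@ichat.sp.edu.sg sender are constructed; the organizational-domain lookup uses a hard-coded suffix set instead of the Public Suffix List; and the SRS hash and timestamp encoding are simplified relative to PostSRSd's.

```python
"""Added example (not from the question, the answers, or PostSRSd):
DMARC identifier alignment before and after an SRS rewrite."""
import base64
import hashlib
import hmac
import re
import time

# Simplification: real receivers use the Public Suffix List for the
# organizational domain; this set only covers the suffixes used here.
MULTI_LABEL_SUFFIXES = {"edu.sg", "com.sg", "co.uk", "ac.uk"}
SRS_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # SRS timestamp alphabet


def org_domain(domain):
    """Organizational domain: ichat.sp.edu.sg -> sp.edu.sg, a.b.com -> b.com."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed (r): organizational domains match; strict (s): exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def srs0_rewrite(envelope_from, forwarder_domain, secret, day=None):
    """Simplified SRS0 rewrite of the envelope sender (MAIL FROM).
    The point: the domain part becomes the forwarder's, so SPF is now
    evaluated against the forwarder, not the original sending domain."""
    local, _, domain = envelope_from.partition("@")
    day = int(time.time() // 86400) if day is None else day
    ts = SRS_B32[(day >> 5) & 31] + SRS_B32[day & 31]      # 10-bit day counter
    mac = hmac.new(secret, f"{ts}{domain}{local}".lower().encode(),
                   hashlib.sha1).digest()
    return f"SRS0={base64.b64encode(mac).decode()[:4]}={ts}={domain}={local}@{forwarder_domain}"


def parse_auth_results(header):
    """Pull passing DKIM d= domains, the SPF MAIL FROM domain and the From
    domain out of an Authentication-Results header."""
    dkim = re.findall(r"dkim=pass[^;]*?header\.d=([\w.-]+)", header)
    spf = re.search(r'spf=pass[^;]*?smtp\.mailfrom="?(?:[^@"]+@)?([\w.-]+)', header)
    frm = re.search(r"header\.from=([\w.-]+)", header)
    return {"dkim": dkim,
            "spf": spf.group(1) if spf else None,
            "from": frm.group(1) if frm else None}


def evaluate_dmarc(ids, adkim="r", aspf="r"):
    """DMARC passes when at least one passing DKIM or SPF identifier aligns
    with the From domain; adkim/aspf are the record's alignment modes."""
    from_domain, reasons, passed = ids["from"], [], False
    for d in ids["dkim"]:
        ok = aligned(d, from_domain, adkim)
        passed = passed or ok
        reasons.append(f"DKIM d={d}: {'aligned' if ok else 'not aligned'} with {from_domain}")
    if ids["spf"]:
        ok = aligned(ids["spf"], from_domain, aspf)
        passed = passed or ok
        reasons.append(f"SPF {ids['spf']}: {'aligned' if ok else 'not aligned'} with {from_domain}")
    return ("pass" if passed else "fail"), reasons


# Constructed headers modelled on the two in the question (IP from RFC 5737).
WORKING = """Authentication-Results: mx.google.com;
   dkim=pass header.d=imago-images.de header.s=hs1 header.b=fFjMRTbn;
   spf=pass (google.com: domain of srs0=8nnb=bp=bf08x.hubspotemail.net=john=imago-images.de@mydomain.com designates 203.0.113.10 as permitted sender) smtp.mailfrom="SRS0=8nNb=BP=bf08x.hubspotemail.net=john=imago-images.de@mydomain.com";
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=imago-images.de
"""
FAILING = """Authentication-Results: mx.google.com;
   dkim=pass header.d=ichatspedu.onmicrosoft.com header.s=selector2-ichatspedu-onmicrosoft-com header.b="LeXRlSh/";
   spf=pass (google.com: domain of SRS0=abcd=XY=ichat.sp.edu.sg=alice@mydomain.com designates 203.0.113.10 as permitted sender) smtp.mailfrom="SRS0=abcd=XY=ichat.sp.edu.sg=alice@mydomain.com";
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sp.edu.sg
"""


def forwarding_effect():
    """Same message before and after the SRS rewrite: only the SPF identifier
    changes, and it was the only one aligned with sp.edu.sg."""
    before = {"dkim": ["ichatspedu.onmicrosoft.com"], "spf": "ichat.sp.edu.sg",
              "from": "sp.edu.sg"}
    rewritten = srs0_rewrite("alice@ichat.sp.edu.sg", "mydomain.com", b"srs-secret")
    after = dict(before, spf=rewritten.split("@")[1])
    return evaluate_dmarc(before)[0], evaluate_dmarc(after)[0]


if __name__ == "__main__":
    for name, hdr in (("working", WORKING), ("failing", FAILING)):
        result, why = evaluate_dmarc(parse_auth_results(hdr))
        print(f"{name}: dmarc={result}", *why, sep="\n  ")
    print("before/after SRS rewrite:", forwarding_effect())
```

Running it prints the per-identifier reasons for each header and ("pass", "fail") for the before/after pair: with relaxed alignment, ichat.sp.edu.sg would have aligned with sp.edu.sg on the SPF leg, but after the rewrite the SPF domain is mydomain.com and the only remaining identifier is the onmicrosoft.com DKIM signature, which does not align. This is also why the working mail is unaffected: its DKIM signature is from imago-images.de, which survives forwarding intact.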
