EmailDiscussions.com  

Old 28 Apr 2016, 07:03 PM   #1
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
FM DMARC Test Results for Gmail Alias

Background and Setup:
Google Apps email is used with my own domain set, eg as "gardenweed.com".
SPF, DKIM, DMARC are all set up for this domain. Tests show they work correctly.
DMARC policy is set as quarantine.
In addition, the email address "joe@gardenweed.com.au" is set up in the Google Apps email account as a verified alias.

FM account is used.
DNS for my domain is hosted at FM, eg gardenweed.com.au
SPF, DKIM, DMARC are all set up for this domain. Tests show they work correctly.
DMARC policy is set as quarantine.

Action:
An email is written in Google Apps using the account gardenweed.com.
The email "from" is selected to be the alias "joe@gardenweed.com.au".
The email is sent to addresses at FM, Hotmail, Yahoo, Gmail.
Yahoo, Gmail and Hotmail act on the DMARC policy. If DMARC authentication fails, the email should go to spam.
FM carries out the DMARC authentication test, but takes no action at this stage.

Results:
In the above case I get the following results:
• Yahoo passes DMARC and delivers email to inbox.
• Hotmail passes DMARC and delivers email to inbox. The From headers are not aligned but Hotmail says the requirement is relaxed.
• Gmail fails DMARC because the From headers are not aligned and Gmail filters the email to spam (gardenweed.com <> gardenweed.com.au )
• FM fails DMARC. It goes to inbox - this is understood. FM does not currently act on DMARC policy.

Questions
My questions are :
1) Why do Yahoo and Hotmail appear to accept the alias and pass DMARC authentication, whereas Gmail and FM say that the DMARC authentication has failed?

2) Does it make any sense that a verified alias in Gmail should pass a DMARC test?
gardenweed is offline   Reply With Quote

Old 2 May 2016, 11:35 PM   #2
unlocktheinbox
Member
 
Join Date: Feb 2016
Posts: 47
Either the SPF or DKIM Alignment must pass, even if the SPF is unaligned, your DKIM should be aligned and that would cause DMARC to pass.

Take a look at: Identifier Alignments

Last edited by unlocktheinbox : 4 May 2016 at 01:49 AM.
unlocktheinbox is offline   Reply With Quote
Old 2 May 2016, 11:55 PM   #3
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by unlocktheinbox View Post
Either the SPF or DKIM Alignment must pass, even if the SPF is unaligned, your DKIM should be aligned and that would cause DMARC to pass.

Take a look at: Identifier Alignments
Thanks - I'll take a look at this.
gardenweed is offline   Reply With Quote
Old 4 May 2016, 06:48 AM   #4
glass
Member
 
Join Date: Dec 2013
Posts: 54
Today I have incoming mail from a mailing list failing DMARC and tripping "ME_DMARC_QUARANTINE" which gives it a spam-score of 8 (is that rule new?)

It's failing because the list is breaking the dkim signature for these particular messages because they're being sent as html (gah, some people!) and the list is converting them to plain text before relaying them (I know this because they have an X-Converted-To-Plain-Text header). SPF passes but that's for the list's Return-Path and smtp.helo domain, not the domain in the From header, which means it doesn't count (I think? DMARC is hard).

What can/should I do about this? Just keep marking them as Not Spam until my bayes learn and subtract enough from the score?

(semi-hijacking this thread because there's already a few DMARC threads and I don't want to start another!)
glass is offline   Reply With Quote
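
Added example (not part of any post in this thread): a minimal Python model of the DMARC identifier-alignment check discussed in posts #1, #2 and #4. The suffix set is a small constructed stand-in for the Public Suffix List, and the sample messages assume that the alias mail in post #1 carried its envelope sender and DKIM d= on the account domain.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "au", "com.au", "org", "net"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed needs the same org domain."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(msg, aspf_strict=False, adkim_strict=False):
    """Pass if SPF or DKIM both verifies and aligns with the From: domain."""
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["mail_from"], aspf_strict)
    dkim_ok = any(sig["valid"] and aligned(msg["from"], sig["d"], adkim_strict)
                  for sig in msg["dkim"])
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed messages modelled on the thread (all values are illustrative).
ALIAS_MAIL = {  # post #1: alias in From:, envelope and DKIM on the account domain
    "from": "gardenweed.com.au", "mail_from": "gardenweed.com", "spf_pass": True,
    "dkim": [{"d": "gardenweed.com", "valid": True}]}
LIST_MAIL = {   # post #4: the list rewrote the body, so the author's DKIM broke
    "from": "example.org", "mail_from": "lists.example.net", "spf_pass": True,
    "dkim": [{"d": "example.org", "valid": False}]}
SUBDOMAIN_MAIL = {  # relaxed alignment covers subdomains of one org domain
    "from": "gardenweed.com.au", "mail_from": "bounce.gardenweed.com.au",
    "spf_pass": True, "dkim": []}

if __name__ == "__main__":
    for name, m in [("alias", ALIAS_MAIL), ("list", LIST_MAIL),
                    ("subdomain", SUBDOMAIN_MAIL)]:
        # Second column: the same message under strict aspf/adkim.
        print(name, dmarc_result(m), dmarc_result(m, True, True))
```

Under these assumptions gardenweed.com and gardenweed.com.au are different organizational domains, so even relaxed alignment does not join them; SPF and DKIM can both verify and DMARC still fails.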
Old 4 May 2016, 07:34 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
FastMail seems to have enabled several DMARC related features within the past few days. I just sent a message to Fastmail staff about an issue I have with disabling whitelisting and treatment of DMARC when a policy is not published. I think there are still some bugs, and I will point the Fastmail staff to your post so they can comment.

It seems to me that mailing lists (as currently popularly implemented) can cause both SPF and DKIM to fail, which means that sending messages from a domain which has a DMARC policy through such a mailing list server will cause the forwarded messages to be blocked when received at an email system which follows DMARC policy. Email lists might become obsolete unless they can be improved. SPF probably will continue to fail, but you would think that DKIM could be made to work properly if forwarding didn't rewrite the message body.

Bill
n5bb is online now   Reply With Quote
Old 4 May 2016, 09:01 AM   #6
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by n5bb View Post
FastMail seems to have enabled several DMARC related features within the past few days.

Bill
Do you know what it is that they have turned on?
I just rec'd an email that had these headers:

X-Spam-Score: 0.0
X-Spam-known-sender: no, "Email failed DMARC policy for domain"

It was to a subscribed list.
The From address is Whitelisted (ie in my Address Book).
The X-Spam-known-sender says "no", which appears to be incorrect.
It ended up in my Inbox correctly, even though DMARC failed.
gardenweed is offline   Reply With Quote
Old 4 May 2016, 10:15 AM   #7
Mugwhamp
Cornerstone of the Community
 
Join Date: Jul 2004
Location: Manila
Posts: 509
Yep, I have whitelisted contacts failing DMARC and receiving a spam score. Here is the raw message: "Email failed DMARC policy for domain". This is a work domain which has given us no problem up to now.
Mugwhamp is offline   Reply With Quote
Old 4 May 2016, 07:26 PM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
DMARC failure will cause whitelisting to be ignored. This is on purpose, since the spammer may be spoofing a From address. There were two recent problems in the past week or so which Fastmail staff discovered after being informed of some spam filing problems:
  • Address book whitelisting was disabled for some messages, even though they passed the DMARC test. This failure was erratic, and I believe it was fixed a few days ago.
  • Some messages from domains which are not publishing any DMARC records were classified as failing DMARC authentication. I think this will be fixed within the next day or two.
So wait another day or two and see if you see DMARC failures. Some forwarding services may break DMARC if they corrupt the DKIM signature or message contents, and they will probably break SPF. Either DKIM or SPF must pass for DMARC to pass.

Bill
n5bb is online now   Reply With Quote
Old 4 May 2016, 09:14 PM   #9
glass
Member
 
Join Date: Dec 2013
Posts: 54
Quote:
Originally Posted by n5bb View Post
Email lists might become obsolete unless they can be improved. SPF probably will continue to fail, but you would think that DKIM could be made to work properly if forwarding didn't rewrite the message body.

Bill
Most messages to this particular list are getting through fine and passing DMARC (including my own sent from fastmail). It's just messages that the list server needs to mess with, which ends up breaking dkim. For example if it converts an html message to text/plain, or strips an attachment.

Although, some lists add footers to the bottom of every message (this particular list doesn't), I don't know how they will get around that.
glass is offline   Reply With Quote
Old 6 May 2016, 01:56 AM   #10
glass
Member
 
Join Date: Dec 2013
Posts: 54
Something else I'm seeing is that fastmail seems to default to p=reject if the domain in From: doesn't exist. This happens when people posting to mailing lists have their From address as something like user@REMOVETHISexample.com or user@example.net.REMOVE.au
glass is offline   Reply With Quote
Old 6 May 2016, 02:01 AM   #11
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Quote:
Originally Posted by glass View Post
Something else I'm seeing is that fastmail seems to default to p=reject if the domain in From: doesn't exist. This happens when people posting to mailing lists have their From address as something like user@REMOVETHISexample.com or user@example.net.REMOVE.au
That's a bug I reported which they are fixing. If the domain has no DMARC published record things haven't been working correctly for a few days.

Bill
n5bb is online now   Reply With Quote
Old 24 May 2016, 02:46 AM   #12
glass
Member
 
Join Date: Dec 2013
Posts: 54
Ignoring DMARC failure

I've given up on DMARC. It's completely useless as too many domains have incorrect policies, even ones who should know better**. After three weeks the false positive rate for messages that have failed DMARC is close to 100%. Granted, this isn't really fastmail's fault as they are only doing what they're told to by the domains' DMARC policies.

So I've modified my sieve rules to ignore DMARC failures. The best way I could think to do this, was in the first sieve rules box (above the auto-generated spam rules) put:

Code:
if not header :contains ["X-Spam-hits"] ["ME_DMARC_REJECT", "ME_DMARC_QUARANTINE"] {

Fastmail's pre-filled spam rules are below that.

In the second box, after the spam rules, I put:

Code:
} else {
  if header :contains ["X-Spam-hits"] ["ME_DMARC_QUARANTINE"] {
    if header :value "ge" :comparator "i;ascii-numeric" "X-Spam-score" "13" {
      fileinto "\\Junk";
      stop;
    }
  }
  if header :contains ["X-Spam-hits"] ["ME_DMARC_REJECT"] {
    if header :value "ge" :comparator "i;ascii-numeric" "X-Spam-score" "20" {
      fileinto "\\Junk";
      stop;
    }
  }
}

This wraps fastmail's spam rules so they only get run if no DMARC rule was triggered. If a DMARC rule was triggered, and the policy was quarantine, it checks the message for a spam-score of 13, so the message needs a natural spam score of 5 in addition to the 8 added by the ME_DMARC_QUARANTINE rule. And if the rule is reject, same thing, except the threshold is 20 as the message needs a natural spam score of 5 in addition to the 15 added by ME_DMARC_REJECT.



**Case in point: Google was one of the co-conspirators who forced this upon the world, and yet the google.com domain has a p=reject policy, even though their employees use their @google.com address to post to mailing lists that break DKIM. John Levine of the IETF, and a contributor to RFC 7489, says "Reject policy is fine [...] for companies with firm staff policies that [...] employees don't join mailing lists and the like using company addresses".

If they can't get this right, who will?
glass is offline   Reply With Quote
Old 26 Oct 2018, 06:12 PM   #13
rabarberski
Master of the @
 
Join Date: Nov 2006
Location: Ghent, Belgium
Posts: 1,027
Reviving this old post.
Could it be that fastmail has changed the text in the headers?
I disabled DMARC handling with the same sieve rules as in the post above.
However, for some time lots of mails get misfiled in my Junk mail folder because of DMARC policy failures.

Looking at the raw messages, it looks like "ME_DMARC_QUARANTINE" in X-Spam-Hits has been relabeled to "ME_QUARANTINE" (probably same for _REJECT)

Can anybody confirm?
rabarberski is offline   Reply With Quote
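
Added example (not part of any post in this thread): a Python model of the wrapped sieve rules from post #12, run over constructed headers to show how the tag rename reported in post #13 would send DMARC-failing mail back through the default spam rule. It assumes the rename is as reported and that the default junk threshold is 5, as implied by the arithmetic in post #12; all header values are constructed.

```python
import re

DEFAULT_JUNK_THRESHOLD = 5  # assumption: threshold of the auto-generated rules

def ascii_numeric(value):
    """i;ascii-numeric (RFC 4790): leading digits only; no digit = infinity."""
    m = re.match(r"\d+", value.strip())
    return int(m.group()) if m else float("inf")

def route(headers, quarantine_tag="ME_DMARC_QUARANTINE",
          reject_tag="ME_DMARC_REJECT"):
    """Return 'Junk' or 'INBOX' following the wrapped rules from post #12."""
    hits = headers.get("X-Spam-hits", "").lower()  # :contains ignores case
    score = ascii_numeric(headers.get("X-Spam-score", "0"))
    has_q = quarantine_tag.lower() in hits
    has_r = reject_tag.lower() in hits
    if not (has_q or has_r):
        # No DMARC tag matched: the provider's default spam rule applies.
        return "Junk" if score >= DEFAULT_JUNK_THRESHOLD else "INBOX"
    if has_q and score >= 13:   # 8 from the DMARC tag + 5 "natural"
        return "Junk"
    if has_r and score >= 20:   # 15 from the DMARC tag + 5 "natural"
        return "Junk"
    return "INBOX"

# Constructed headers: a list message whose only significant hit is DMARC.
OLD = {"X-Spam-score": "8.8",
       "X-Spam-hits": "BAYES_50 0.8, ME_DMARC_QUARANTINE 8"}
# The same message after the rename reported in post #13.
RENAMED = {"X-Spam-score": "8.8",
           "X-Spam-hits": "BAYES_50 0.8, ME_QUARANTINE 8"}
# A DMARC-failing message that is also spammy on its own merits.
SPAMMY = {"X-Spam-score": "14.2",
          "X-Spam-hits": "BAYES_99 6.2, ME_DMARC_QUARANTINE 8"}

if __name__ == "__main__":
    print("old tag, old rules:    ", route(OLD))
    print("renamed tag, old rules:", route(RENAMED))
    print("renamed tag, new names:",
          route(RENAMED, "ME_QUARANTINE", "ME_REJECT"))
    print("spammy, old rules:     ", route(SPAMMY))
```

The substring "ME_DMARC_QUARANTINE" does not occur in "ME_QUARANTINE", so the outer `if not header :contains` test becomes true and the message falls through to the default threshold.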
All times are GMT +9. The time now is 02:41 PM.