EmailDiscussions.com
FastMail Forum

30 Apr 2016, 11:41 AM   #1
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 594
Does Redirect break DMARC?

In my Fastmail account I have a Redirect Copy command in my Sieve rules.
This looks for a specific domain (say "originating.com") and directs a copy to my Google Apps account.

Domain "originating.com" has a DMARC policy of quarantine.

I'm finding that in my Google Apps account, when it receives one of these emails from [email protected], via the redirect from Fastmail, the email ends up in Spam in the Google Apps account.
Eg.

email from [email protected] -> Fastmail -> FM redirect/copy -> Google Apps } sent to junk.


I think the reason for this is that the FM server is seen as a sender by Google Apps, and the FM IP address is not approved for sending emails from domain "originating.com"
Thus I get a DMARC fail, and the email is quarantined.

Would this be due to an SPF policy back at "originating.com" or does some setting need changing in my FM account?

30 Apr 2016, 05:03 PM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,615
SRS rewriting with alias forwarding

By default, forwarding a message (by any email service) breaks SPF. If SPF is broken, one of the two DMARC tests (SPF and DKIM) fails. If DKIM does not pass, then SPF failure will lead to DMARC failure.

So first look at messages sent by proper (not fake) senders at "originating.com" as received in your Fastmail account. Look at the full headers (More > Show Raw Messages) for the Authentication-Results header. If DKIM does not pass, then if SPF fails due to forwarding you should get a DMARC failure.
  • If dkim=none, then no DKIM signatures were found.
  • If dkim=pass, the DKIM signing was verified when received at Fastmail.
  • If dkim=fail, the DKIM signing failed verification (which might be due to alteration of the message during transport).
  • Other dkim results might be shown.
If you forward using alias targeting (rather than a rule), you can use SRS rewriting to fix the SPF forwarding issue. This will probably solve your problem:
https://www.fastmail.com/help/receiv...html?#advanced

If you need to use a rule (rather than a specific alias) to decide which messages are forwarded, here is a solution (which I have tested):
  • Set up one special alias with only one target (the external account you want to receive the forwarded messages). Enable the SRS rewriting feature for this alias.
  • Create a rule which forwards as desired, but set the "sent a copy to" address to the special alias.
  • Now messages which trigger the rule will be forwarded to the special alias, which will forward them with SRS rewriting to the external account.
Bill

1 May 2016, 12:22 AM   #3
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 594
Quote:
Originally Posted by n5bb
By default, forwarding a message (by any email service) breaks SPF. If SPF is broken, one of the two DMARC tests (SPF and DKIM) fails. If DKIM does not pass, then SPF failure will lead to DMARC failure.

So first look at messages sent by proper (not fake) senders at "originating.com" as received in your Fastmail account. Look at the full headers (More > Show Raw Messages) for the Authentication-Results header. If DKIM does not pass, then if SPF fails due to forwarding you should get a DMARC failure.
Bill
Thanks Bill.
On your advice I had a closer look at the headers.
I had previously looked at the headers but the multiple DKIM reports had me confused.
In a recent test email there were two DKIM results shown: one said DKIM = invalid, and another said DKIM = passed.

On inspection of the DKIM = invalid, and a bit of googling, an issue with the public key was indicated by the search results.
I re-generated the public key & this seems to have solved the problem.

I will keep monitoring to see if the problem really is solved.
Thanks for directing me back to re-investigate the header data.

Thanks also for the info and link to SRS rewriting.
If the redirect results in further DMARC failures, I'll look to implementing this.


1 May 2016, 06:05 AM   #4
lane
Cornerstone of the Community
 
Join Date: Dec 2005
Location: Kars, NB, Canada
Posts: 703
Quote:
Originally Posted by n5bb
If you forward using alias targeting (rather than a rule), you can use SRS rewriting to fix the SPF forwarding issue. This will probably solve your problem:
https://www.fastmail.com/help/receiv...html?#advanced
This will not fix DMARC, however. Yes, now the (new, rewritten) envelope sender will pass SPF, but it will no longer agree with the "From" address. This mismatch will also cause DMARC to fail.

Fastmail is good about not disturbing DKIM signatures on forwarding (unlike Office 365, which still ruins them). But there are a few senders who rely only on SPF and also use a DMARC quarantine or fail policy. Stupid or not very nice, take your pick.

1 May 2016, 09:33 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,615
Test message results from Yahoo forwarded through Fastmail to Gmail

Maybe I'm confused by the Gmail received header DMARC results. If I send test messages from a Yahoo.com account (which has DMARC record "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];"), here is what I get in the received headers at the gmail.com delivery account:

Message sent from yahoo.com webmail directly to Gmail:
Code:
Authentication-Results: mx.google.com;
        dkim=pass [email protected];
        spf=pass (google.com: domain of [email protected] designates 67.195.87.237 as permitted sender) [email protected];
        dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
Message sent from yahoo.com webmail to my Fastmail account, then redirected (without SRS) to an alias target at Gmail:
Code:
Authentication-Results: mx.google.com;
        dkim=pass [email protected];
        spf=neutral (google.com: 66.111.4.226 is neither permitted nor denied by domain of [email protected]) [email protected];
        dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
Message sent from yahoo.com webmail to my Fastmail account, then redirected (using SRS rewriting) to an alias target at Gmail:
Code:
Authentication-Results: mx.google.com;
        dkim=pass [email protected];
        spf=pass (google.com: domain of [email protected] designates 66.111.4.29 as permitted sender)
            [email protected]; 
        dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
These are the Authentication-Results headers received at a free Gmail account, not a Google Apps account. I'm not sure if they use the same authentication rules, but it appears to me that as applied by the Gmail receiving servers:
  • SRS rewriting is required for SPF to pass.
  • If the DKIM signing isn't damaged, DMARC passes when Fastmail alias redirection is used, whether or not SRS is active.
  • If SRS rewriting is used, both DKIM and SPF pass, and DMARC passes.
Am I misinterpreting how Gmail is reporting the DMARC results?

Bill

1 May 2016, 11:29 PM   #6
lane
Cornerstone of the Community
 
Join Date: Dec 2005
Location: Kars, NB, Canada
Posts: 703
Quote:
Originally Posted by n5bb
Am I misinterpreting how Gmail is reporting the DMARC results?
No, you are correct so far as you go. But to pass DMARC you need at least one of the following to be true:

(a) a pass on SPF, or,
(b) a pass on DKIM

AND

you need the domain which passed on SPF or on DKIM to be "aligned" with the "From" address.

In the situation I was addressing, there was no DKIM or it failed because the forwarder did not preserve it, and secondly, although the SRS rewritten envelope sender passes SPF, it is no longer aligned with the "From" address. In that particular case, DMARC fails and the recommended action might be taken, e.g., p=reject.

In fact, DMARC will fail even if the "From" address would have passed SPF (because, for example, the forwarder is on the "From" domain's list of allowable servers), if that domain is different from the SRS rewritten domain. See the thread I started here.

2 May 2016, 04:50 AM   #7
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,615
Thanks. I think I have finally waded through the RFC's to understand the following:
  • The SPF test must be performed on the SMTP "MAIL FROM" authentication domain (the first SMTP command after HELO/EHLO) for DMARC.
  • Each DKIM test provides its own authentication domain. There may be more than one DKIM signature in the message.
  • DMARC requires that the regular header "FROM" domain align with either (or both) of:
    • SPF passing authentication domain (MAIL FROM)
    • DKIM passing authentication domain (d=xxx) for any DKIM signature found in the message.
  • The SPF and DKIM domain alignments can be strict (exact domain names) or relaxed (subdomains allowed), based on tags in the DMARC DNS record.
So in my last example (shown below), the DKIM authentication domain is "header.i=yahoo.com", while the SPF authentication domain is "smtp.mailfrom=... srs.messagingengine.com". Since DMARC is checking alignment to "header.from=yahoo.com", the DKIM pass can be used to pass DMARC, but the SPF pass will be ignored due to alignment mismatch.
Code:
Authentication-Results: mx.google.com;
         dkim=pass [email protected];
         spf=pass (google.com: domain of [email protected] designates 66.111.4.29 as permitted sender)
             [email protected];
         dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
So back to the original problem. You need to be sure that DKIM passes so that forwarding works, since SRS rewriting for SPF doesn't work with DMARC. It appears that you have fixed the DKIM problem, and there is no reason to apply SRS for this forwarding situation, since it will be ignored by DMARC.

Bill

Last edited by n5bb : 25 Dec 2016 at 04:01 AM. Reason: Corrected next to last sentence: "...SRS rewriting for SPF doesn't work with DMARC"
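The alignment rule that lane (post #6) and Bill (post #7) spell out can be checked mechanically. The following is an added example, not code from this thread, from Fastmail or from Gmail: it parses an Authentication-Results header, collects the domains of the passing DKIM and SPF results, and applies the DMARC rule (SPF or DKIM must pass, and the passing domain must be aligned with the header From domain). The four sample headers are constructed to mirror the shapes quoted above; the addresses, the SRS token and the organizational-domain shortcut (last two labels instead of the Public Suffix List) are assumptions made for the example.

```python
"""Added example: derive a DMARC verdict from an Authentication-Results header.
Not code from the thread, Fastmail or Gmail. Sample headers are constructed."""
import re
from typing import Dict, List

# Constructed samples (placeholder addresses), one per scenario in the thread.
DIRECT = """Authentication-Results: mx.google.com;
        dkim=pass header.i=@yahoo.com;
        spf=pass (google.com: domain of user@yahoo.com designates 67.195.87.237 as permitted sender) smtp.mailfrom=user@yahoo.com;
        dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com"""

FORWARD_NO_SRS = """Authentication-Results: mx.google.com;
        dkim=pass header.i=@yahoo.com;
        spf=neutral (google.com: 66.111.4.226 is neither permitted nor denied by domain of user@yahoo.com) smtp.mailfrom=user@yahoo.com;
        dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com"""

FORWARD_SRS = """Authentication-Results: mx.google.com;
        dkim=pass header.i=@yahoo.com;
        spf=pass (google.com: domain of SRS0=xxxx=yy=yahoo.com=user@srs.messagingengine.com designates 66.111.4.29 as permitted sender)
            smtp.mailfrom=SRS0=xxxx=yy=yahoo.com=user@srs.messagingengine.com;
        dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com"""

# lane's case: the forwarder damaged the DKIM signature and used SRS.
FORWARD_SRS_DKIM_BROKEN = """Authentication-Results: mx.google.com;
        dkim=fail header.i=@yahoo.com;
        spf=pass smtp.mailfrom=SRS0=xxxx=yy=yahoo.com=user@srs.messagingengine.com;
        dmarc=fail header.from=yahoo.com"""


def parse_auth_results(header: str) -> Dict[str, List[dict]]:
    """Parse one Authentication-Results header (RFC 7601 shape) into
    {method: [{"result": ..., "props": {"ptype.prop": value}}]}.
    Parenthesised comments are dropped and folded whitespace collapsed."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results") else header
    body = re.sub(r"\([^)]*\)", " ", body)
    clauses = [c.strip() for c in " ".join(body.split()).split(";") if c.strip()]
    results: Dict[str, List[dict]] = {}
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (mx.google.com)
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.setdefault(method, []).append({"result": result, "props": props})
    return results


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    real DMARC uses the Public Suffix List, so example.co.uk would differ)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the adkim/aspf default) needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(header: str, adkim: str = "r", aspf: str = "r", from_domain: str = "") -> dict:
    """Apply the DMARC rule: pass iff a passing DKIM d=/i= domain or the
    passing SPF MAIL FROM domain is aligned with the RFC5322.From domain.
    The From domain is taken from the dmarc clause unless given explicitly."""
    ar = parse_auth_results(header)
    if not from_domain:
        from_domain = ar["dmarc"][0]["props"]["header.from"]
    dkim_domains = [
        r["props"].get("header.d") or r["props"].get("header.i", "").rpartition("@")[2]
        for r in ar.get("dkim", []) if r["result"] == "pass"
    ]
    spf_domains = [
        r["props"].get("smtp.mailfrom", "").rpartition("@")[2]
        for r in ar.get("spf", []) if r["result"] == "pass"
    ]
    dkim_aligned = any(d and aligned(d, from_domain, adkim) for d in dkim_domains)
    spf_aligned = any(d and aligned(d, from_domain, aspf) for d in spf_domains)
    return {
        "from": from_domain,
        "dkim_pass_domains": dkim_domains,
        "spf_pass_domains": spf_domains,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


if __name__ == "__main__":
    for name, hdr in [("direct", DIRECT), ("forward, no SRS", FORWARD_NO_SRS),
                      ("forward, SRS", FORWARD_SRS), ("forward, SRS, DKIM broken", FORWARD_SRS_DKIM_BROKEN)]:
        v = dmarc_verdict(hdr)
        print(f"{name:28s} spf_aligned={v['spf_aligned']!s:5} dkim_aligned={v['dkim_aligned']!s:5} dmarc={v['dmarc']}")
```

Run stand-alone it prints one line per scenario. The SRS case shows the point of post #7: SPF passes for srs.messagingengine.com, but that domain is not aligned with yahoo.com, so only the intact DKIM signature carries the DMARC pass; with the signature broken (the last sample), DMARC fails even though SPF passed.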

2 May 2016, 08:14 AM   #8
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 594
Quote:
Originally Posted by n5bb
...So back to the original problem. You need to be sure that DKIM passes so that forwarding works, since SRS rewriting for SPF doesn't work with DKIM. It appears that you have fixed the DKIM problem, and there is no reason to apply SRS for this forwarding situation, since it will be ignored by DMARC.

Bill
Thanks Bill & lane.

I thought I'd fixed the DKIM problem.
Then I discovered that Google Apps had changed the length of their DKIM records. The record is now too long to fit into the DNS record field back at the host.
I've tried various concatenation syntaxes but each has failed so far.
So now I have a ticket lodged with Registrydomains asking how I fit the long DKIM record into the host field.

2 May 2016, 08:38 AM   #9
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,350
Had this same problem with DKIM length in this thread:

http://www.emaildiscussions.com/showthread.php?t=71696

2 May 2016, 08:41 AM   #10
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 594
Quote:
Originally Posted by FredOnline
Had this same problem with DKIM length in this thread:

http://www.emaildiscussions.com/showthread.php?t=71696
Thanks FredOnline.
I read that thread already.
Then followed up with various searches as to how to concatenate records.
So far no luck in getting it working.
Did you manage to concatenate your DKIM sig successfully?
(You appear to have solved the problem by changing domain registry.)

2 May 2016, 02:00 PM   #11
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,615
I posted on that thread how you should be able to concatenate the DNS records. But I haven't tried this, since I use Fastmail to publish my domain DNS records, and DKIM is automatically set up. If you have an Enhanced or greater account, you might consider letting Fastmail manage your DNS records. I find it very easy and flexible.

Bill
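The "record too long" problem in posts #8 to #11 comes from a DNS limit rather than from DKIM: one TXT character-string holds at most 255 octets (RFC 1035), but a TXT record may carry several strings, and DKIM verifiers concatenate them before parsing the tag list (RFC 6376 section 3.6.2.2). The following is an added example, not code from this thread, Fastmail, Google or any registrar: it splits a DKIM key record into 255-octet strings, renders the BIND zone-file form, and checks that a verifier-style re-join gives back the original record. The key is a constructed placeholder of the typical 2048-bit RSA length, and the record name is illustrative.

```python
"""Added example: publish a DKIM public key longer than one DNS TXT string.
Not from the thread or any DNS provider. The key is a placeholder."""
from typing import Dict, List

TXT_STRING_MAX = 255  # RFC 1035 limit for one <character-string>

# Constructed placeholder: 392 base64 characters, the usual size of a
# 2048-bit RSA public key in a DKIM record. Not a real key.
PLACEHOLDER_KEY = "A" * 392
DKIM_RECORD = f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY}"


def split_txt_value(value: str, limit: int = TXT_STRING_MAX) -> List[str]:
    """Cut a TXT value into pieces of at most `limit` octets each. The cut
    point need not fall on a tag boundary: verifiers join the strings back
    without separators, so the tag list is intact after concatenation."""
    data = value.encode("ascii")  # DKIM key records are ASCII
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def zone_file_rr(name: str, value: str) -> str:
    """Render the record in BIND zone-file syntax: several quoted strings in
    one parenthesised RDATA. Web DNS editors differ (some accept this form in
    the value field, some split for you, some only take 255 characters), which
    is the kind of limit the thread ran into; this is the reference form."""
    strings = " ".join(f'"{s}"' for s in split_txt_value(value))
    return f"{name} IN TXT ( {strings} )"


def join_txt_strings(strings: List[str]) -> str:
    """What a DKIM verifier does with a multi-string TXT answer."""
    return "".join(strings)


def parse_dkim_tags(record: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM key record (RFC 6376 tag-list)."""
    tags: Dict[str, str] = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def roundtrip_ok(value: str) -> bool:
    """True when every string honours the 255-octet limit and re-joining
    the strings reproduces the record byte for byte."""
    parts = split_txt_value(value)
    within_limit = all(len(p.encode("ascii")) <= TXT_STRING_MAX for p in parts)
    return within_limit and join_txt_strings(parts) == value


if __name__ == "__main__":
    # "selector._domainkey.example.com." is an illustrative owner name.
    print(zone_file_rr("selector._domainkey.example.com.", DKIM_RECORD))
    print("strings:", len(split_txt_value(DKIM_RECORD)), "roundtrip:", roundtrip_ok(DKIM_RECORD))
```

After publishing, confirm with a resolver query that the answer comes back as two (or more) quoted strings and that the joined value parses to the expected v=, k= and p= tags; a registrar form that silently truncates at 255 characters will show a p= value shorter than the key you pasted.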

2 May 2016, 02:33 PM   #12
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 594
Quote:
Originally Posted by n5bb
I posted on that thread how you should be able to concatenate the DNS records. But I haven't tried this, since I use Fastmail to publish my domain DNS records, and DKIM is automatically set up. If you have an Enhanced or greater account, you might consider letting Fastmail manage your DNS records. I find it very easy and flexible.

Bill
Yes thanks Bill I did go to that link and a few others.
I tried the suggested syntax and some variations thereof to no avail.

I do have an enhanced account.
For the domain name that I use with FM, I let FM manage the DNS.
Let's call this DN2. DMARC etc appears to work fine with DN2.

The domain name I'm having problems with, let's call it DN1, is used with a Google Apps account, but registered with Registrydomains. The Google Apps account provides the email service for this domain.
If FM were to manage the DNS records, would this upset the email provided by Google Apps using that domain name? And would it make sense to do this?
(The web site associated with that DN1 is hosted at yet another provider.)

2 May 2016, 03:36 PM   #13
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,615
DKIM requires a public/private secure key pair. The private key is used by the SMTP sending server, while the public key can be published publicly by any DNS host. So if you had a private key installed on someone else's SMTP sending server, you should be able to post the public key using the Fastmail DNS hosting feature. See:
https://www.fastmail.com/help/receiv...-advanced.html

Bill

10 May 2016, 11:48 AM   #14
aussieboykie
Essential Contributor
 
Join Date: Dec 2002
Location: Sydney, Australia
Posts: 472
The help for this topic includes the following statement:

We don't recommend enabling SRS unless you need to (i.e. emails aren't being forwarded correctly).

I'd be interested to know why? I route a copy of all incoming mail for my (numerous) aliases to one or more external addresses (e.g. GMail, Outlook.com). Should I be changing all of these to use SRS rewriting?

Regards, AB