Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Options
Go to last post Go to first unread
p.schuur@groupeonepoint.com  
#1 Posted : Thursday, November 5, 2020 8:00:48 AM(UTC)
p.schuur@groupeonepoint.com

Rank: Newbie

Groups: Registered
Joined: 6/25/2020(UTC)
Posts: 3
Netherlands

Thanks: 1 times
For a client we've implemented the DKIM plugin and use it only for inbound DMARC/DKIM/SPF validation.

The issue:

1. a mail is sent from sender.com to domain.com.
2. the mail is forwarded to recipient.com (in this domain, on this server, we use the plugin
3. DMARC p=reject for sender.com

The result:
09:25:45.069 start to dmarc check based on spf and dkim result ...
09:25:45.069 SmtpMailFromOrHeloDomain someone@domain.com
09:25:45.069 HeaderMailFrom someone@sender.com
09:25:45.069 query dmarc text from _dmarc.sender.com
09:25:45.069 v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400
09:25:45.069 SPF Result: pass
09:25:45.069 DKIM Result: fail
09:25:45.069 evaluate alignment by v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400
09:25:45.069 SPF Alignment Result: fail
09:25:45.069 DKIM Alignment Result: fail
09:25:45.069 DMARC Result: fail

So far so good: the HeaderMailFrom is preserved in the forward but the SmtpMailFromOrHeloDomain is changed to someone@domain.com and this causes DKIM to fail, which in turn causes DMARC to fail.

I understand this, but I also want to fix this. I've tried to add the sender's IP (in this case all messagelabs IP addresses) to the trustedIPAddresses and ignoredGatewayIPAddressesForSpfCheck. The SPF should work, but the trustedIPAddresses seem to get ignored.
The result:

Detect if message should be rejected by SPF result.
Detect if message should be rejected by DKIM result.
Detect if message should be rejected by DMARC result.
Dmarc result is fail, dmarc record is: v=DMARC1; p=reject; rf=afrf; pct=100; ri=86400
Check if sender or signer domain is in ignoreDomains list.
Check ignore item: domain.com

Reject message based on spfResultToReject/dkimResultToReject/dmarcResultToReject.

So the message is rejecten, even though the IP address of the sending server was mentioned in the trustedIPAddresses.

I could add domain.com to the ignoreDomains list, but I'm wondering if something else is wrong in my approach?

Thanks!
ivan  
#2 Posted : Thursday, November 5, 2020 6:43:41 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,075

Thanks: 9 times
Was thanked: 44 time(s) in 44 post(s)
Hi, could you send the log file and your configuration file to support@emailarchitect.net so that we can provide support directly?
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2020, Yet Another Forum.NET
This page was generated in 0.044 seconds.

EXPLORE TUTORIALS

© All Rights Reserved, AdminSystem Software Limited.