I'm using a fair bit of email forwarding on a number of domains and the latest p=reject policy of AOL is causing me some problems and also a lot of confusion. My understanding of DMARC is that it's based on DKIM & SPF with a reporting layer. I understand that SPF is a problem with forwarding, but as long as the SPF is set to ~all soft fail then that isn't a show stopper. I also thought DKIM could pass through forwarding without problems as long as you don't mess with the headers much. However, I'm finding that certain emails from AOL being forwarded by MailGun are failing DMARC when they land at GMail. MailGun say it's due to a sender/from mismatch error. Can anyone elaborate on whether email forwarding is doomed as DMARC takes hold or are MailGun just not forwarding properly?
Because DMARC only requires that you pass authentication verification and align domains for either SPF or DKIM, any messages that are DKIM neutral and rely on SPF authentication will most likely fail DMARC when forwarded.
Forwarding is a bit of an edge case within DMARC. Forwarding happens when an email receiver forwards your email to another recipient. Log in on app.dmarcanalyzer.com and go to “DMARC aggregate reports” → “Per sending source” to see detailed statistics about your forwarded emails.
Unlike SPF, DKIM is designed to survive automatic forwarding. The DKIM signature (d=) is attached to the body of an email, while SPF is attached to the 'Return-Path header' of an email. With automatic forwarding, in general, the body of the email is not touched. Therefore, DKIM can survive automatic forwarding.
Domain-based Message Authentication, Reporting, and Conformance, or DMARC, is a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing.
I think the problem you are coming across is not the forwarding, but the DKIM alignment. Yes, SPF will Fail, but DKIM should Pass, but the DKIM Alignment might not pass. DMARC requires alignment to be strict or relaxed, based on your policy. You can read up more on alignments here: Identifier Alignments
There are testing tools like sending an email to [email protected] that will show the alignment on the results, but it's a paid feature.
Since this is a problem, there is a new specification in the works called "ARC"; the intent of this is to solve this very problem. You can read about that here: ARC Spec
I asked Mailgun support about this problem and was not given any helpful answers. However, the solution is actually in their documentation:
Note If you forward messages to another email address, then you should disable click tracking, open tracking and unsubscribes, by editing your domain settings in the Control Panel. If these features are enabled, the content of each message is modified by Mailgun before forwarding, which invalidates the DKIM signature. If the message comes from a domain publishing a DMARC policy (like Yahoo! Mail), the message will be rejected as spam by the forwarding destination.
https://documentation.mailgun.com/en/latest/user_manual.html#routes
So, I turned off all of those features on my main domain which I use to receive mail and that solved the DMARC bouncing. If you want to use any of those features, you will need to set up a sub-domain for outgoing mail.
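The failure described in the answers above, as an added example that is not part of the original posts or Mailgun's code: it computes the DKIM body hash (relaxed canonicalization, SHA-256) before and after a forwarder rewrites a link, then applies the DMARC rule that SPF or DKIM must both pass and align with the From domain. The domains, message bodies and function names are constructed for illustration; relaxed alignment is approximated by comparing the last two labels, and DKIM verification is reduced to the body-hash comparison.

```python
import base64
import hashlib
import re

# Constructed sample bodies: as signed by the sender, and after link rewriting.
ORIGINAL = "Hi,\r\nSee https://sender.example/invoice/42\r\n"
TRACKED = "Hi,\r\nSee https://click.forwarder.example/c/abc123\r\n"

def body_hash(body: str) -> str:
    """bh= value: relaxed body canonicalization + SHA-256 (RFC 6376, 3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse runs of spaces/tabs to one space, then drop trailing whitespace.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()  # empty lines at the end of the body are ignored
    canon = "".join(ln + "\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment. Relaxed mode compares the last two labels, which is
    a simplification: a real verifier uses the Public Suffix List."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else a.split(".")[-2:] == f.split(".")[-2:]

def dmarc_pass(from_domain, spf_ok, spf_domain, signed_bh, dkim_d, received_body):
    """DMARC passes when SPF or DKIM both verifies and aligns with From."""
    # Header signature check omitted (assumption): only the body hash is compared.
    dkim_ok = body_hash(received_body) == signed_bh
    return (spf_ok and aligned(spf_domain, from_domain)) or \
           (dkim_ok and aligned(dkim_d, from_domain))

def scenarios() -> dict:
    """The four delivery paths discussed on this page, with constructed inputs."""
    frm, bh = "sender.example", body_hash(ORIGINAL)
    return {
        # Direct delivery: SPF passes and aligns, DKIM intact.
        "direct": dmarc_pass(frm, True, frm, bh, frm, ORIGINAL),
        # Forwarded untouched: SPF fails at the new hop, DKIM still verifies.
        "forwarded_intact": dmarc_pass(frm, False, frm, bh, frm, ORIGINAL),
        # Forwarded with rewritten links: SPF fails and the body hash changed.
        "forwarded_tracked": dmarc_pass(frm, False, frm, bh, frm, TRACKED),
        # Forwarder uses its own envelope sender: SPF passes but is not aligned.
        "tracked_own_sender": dmarc_pass(frm, True, "forwarder.example", bh, frm, TRACKED),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} DMARC {'pass' if ok else 'fail'}")
```

Only the second forwarding case survives a p=reject policy, which matches the fix in the answer above: once the forwarder stops rewriting the body, the original DKIM signature carries the message through.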