DKIM & DMARC policy bounces from auto-forwards
Problem reported by J Lee - 5/9/2021 at 7:34 AM
I am wanting to know about the settings in DKIM, especially the "All fields except those specified."

I'm unable to find a good source to explain how these excluded fields affect email delivery.

These appear to be default settings.

Will changing any of these settings help with avoiding the auto-forward bounce that is caused by a DMARC policy, and what are the pros and cons of adding or removing them?

Example: the original sender gets a bounced email from a third party like Gmail due to a DMARC policy.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

3 Replies

Douglas Foster Replied

Does the forwarding domain add content to the subject or body? Content changes in transit are supposed to break signatures.

Only included headers affect the signature. Only FROM is required. All that matters at reception is whether the signature can be verified.

Do not include headers that will be added in transit such as Received.
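The advice above (sign only the headers you choose, never ones added in transit) is easier to see in code. The following is an added example written for this thread, not code from the thread or from the mail server's own DKIM implementation: a simplified DKIM signer and verifier that uses the relaxed/simple canonicalization of RFC 6376. It assumes HMAC-SHA256 with a constructed key in place of the real RSA or Ed25519 signature (the choice of which header and body bytes get hashed, which is the point here, is unaffected), and it uses constructed sample headers and body. The scenarios replay the in-transit changes discussed in this thread: a plain forward that only prepends Received, a mailing list tagging the Subject, a spam filter injecting a note into the body, and a signer that listed Received in h= before any Received header existed.

```python
import base64
import hashlib
import hmac
import re

# Stand-in for the signer's RSA private key: HMAC-SHA256 with a constructed
# secret. Real DKIM uses RSA or Ed25519, but the header and body selection
# that feeds the signature is the same.
SIGNING_KEY = b"constructed-demo-key"


def relaxed_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase the field name,
    unfold continuation lines, collapse whitespace runs, trim the ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def body_hash(body):
    """'simple' body canonicalization (CRLF endings, trailing blank lines
    dropped, exactly one final CRLF) followed by base64(SHA-256)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    body = re.sub(r"(\r\n)*$", "", body) + "\r\n"
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def select_headers(headers, names):
    """For each name in h= take the last (bottom-most) instance, in h= order.
    A name with no instance contributes nothing, so adding that header later
    changes what the verifier hashes (RFC 6376 section 5.4)."""
    picked = []
    for name in names:
        instances = [(n, v) for n, v in headers if n.lower() == name.lower()]
        if instances:
            picked.append(instances[-1])
    return picked


def signed_data(headers, signed_names, sig_value_without_b):
    """The bytes the signature covers: selected headers, then the
    DKIM-Signature header itself with b= empty and no trailing CRLF."""
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, signed_names))
    return data + relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n")


def dkim_sign(headers, body, signed_names, key=SIGNING_KEY):
    """Return a ('DKIM-Signature', value) tuple to prepend to the message."""
    value = ("v=1; a=hmac-sha256; c=relaxed/simple; d=example.com; s=sel; "
             f"h={':'.join(signed_names)}; bh={body_hash(body)}; b=")
    mac = hmac.new(key, signed_data(headers, signed_names, value).encode(), hashlib.sha256)
    return ("DKIM-Signature", value + base64.b64encode(mac.digest()).decode())


def dkim_verify(headers, body, key=SIGNING_KEY):
    """Return (ok, reason) for the last DKIM-Signature header in the message."""
    sigs = [v for n, v in headers if n.lower() == "dkim-signature"]
    if not sigs:
        return False, "no DKIM-Signature header"
    value = sigs[-1]
    tags = dict(kv.strip().split("=", 1) for kv in value.split(";") if "=" in kv)
    if tags.get("bh") != body_hash(body):
        return False, "body hash mismatch: body modified in transit"
    signed_names = tags["h"].split(":")
    others = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    value_without_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", value)
    mac = hmac.new(key, signed_data(others, signed_names, value_without_b).encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), base64.b64decode(tags.get("b", ""))):
        return False, "signature mismatch: a signed header changed or was added"
    return True, "pass"


# Constructed sample message (not a real one). Headers are (name, value) pairs, top first.
ORIGINAL_HEADERS = [
    ("From", "J Lee <jlee@example.com>"),
    ("To", "recipient@example.org"),
    ("Subject", "DKIM settings question"),
    ("Date", "Sun, 9 May 2021 07:34:00 -0500"),
]
ORIGINAL_BODY = "Which headers should the signature cover?\n"
FORWARDER_RECEIVED = "from mx.example.org ([192.0.2.10]) by fwd.example.net; Sun, 9 May 2021 07:35:00 -0500"


def forwarding_scenarios():
    """Sign once, then replay the in-transit changes discussed in the thread."""
    sig = dkim_sign(ORIGINAL_HEADERS, ORIGINAL_BODY, ["From", "To", "Subject", "Date"])
    signed = [sig] + ORIGINAL_HEADERS
    results = {}
    # 1. Plain forward: a Received header is prepended, nothing signed changes.
    results["forward_only"] = dkim_verify([("Received", FORWARDER_RECEIVED)] + signed, ORIGINAL_BODY)[0]
    # 2. Mailing list tags the Subject, which is in h=.
    tagged = [(n, "[list] " + v if n == "Subject" else v) for n, v in signed]
    results["subject_tagged"] = dkim_verify(tagged, ORIGINAL_BODY)[0]
    # 3. Spam filter injects an external-sender note into the body (bh= no longer matches).
    results["body_banner"] = dkim_verify(signed, "Note: This message is from an external source.\n" + ORIGINAL_BODY)[0]
    # 4. Signer listed Received in h= while none existed yet; the forwarder then adds one.
    sig2 = dkim_sign(ORIGINAL_HEADERS, ORIGINAL_BODY, ["From", "Received"])
    results["received_signed"] = dkim_verify([("Received", FORWARDER_RECEIVED), sig2] + ORIGINAL_HEADERS, ORIGINAL_BODY)[0]
    return results


if __name__ == "__main__":
    for scenario, ok in forwarding_scenarios().items():
        print(f"{scenario:16s} verifies: {ok}")
```

Only the first scenario verifies. The other three fail for the reasons given in this thread: a signed header (Subject) was changed, the body was changed, or a header that was listed in h= but absent at signing time (Received) was added afterwards. Headers left out of h= can be added or changed freely without affecting the result, which is why Received and similar transit headers belong in the excluded set.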
J Lee Replied
It seems that, either way, whether the receiving server forwards the email with or without DKIM, there can be a DMARC violation and a bounce.

Don't know if this exists, but it might be nice to have a setting in DKIM that forces the receiving server to use the original sending server's DKIM instead of inserting or changing it.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273

Douglas Foster Replied
I am curious whether you are the originator, the forwarder, or the final recipient. It sounds like you are the originator. SPF validates that the immediately prior server is authorized to send on behalf of the MailFrom domain. If it is forwarded, the original SPF is violated, so some systems use SRS (Sender Rewriting Scheme) or possibly complete replacement, to ensure that the forwarded message passes the final recipient's SPF check. DKIM signatures validate after forwarding as long as the message is not modified. The two most common sources of in-transit modification:
- a spam filter which adds "Note: This message is from an external source," or something similar, on reception. This breaks the DKIM signature.
- a mailing list which adds the mailing list name to the subject line, and a header or footer to the body, for every message that it replicates.

Most mailbox providers do not add content in their spam filters, so that autoforwarding does not alter content.

AOL/Yahoo/Verizon is the only mailbox provider with a strict DMARC policy, so those accounts do not play well in mailing lists.

I view autoforwarding as a threat, because most spam filters only evaluate the adjacent server, not the entire Received chain. Forwarding takes the safe and the dangerous and puts a common veneer on them all, allowing the bad guy to hide behind the forwarder's reputation. Fortunately, our incoming forward volume is low.

I have a dream of building a filter which examines the whole receive chain, since the vendors do not. (Always happy to learn about exceptions to that generalization.)
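The "examine the whole receive chain" idea in the reply above can be sketched in a few lines. What follows is an added example written for this thread, not code from any poster or from a vendor's filter: it parses the Received headers of a delivered message into hops in transmission order, checks that each relay's "by" name reappears as the next hop's "from" name, and evaluates a reputation predicate against every hop rather than only the adjacent one. The Received headers, the suspect network and the predicate are all constructed for the demonstration (addresses come from the documentation ranges); in a real filter the predicate would be a reputation lookup.

```python
import ipaddress
import re

# Constructed Received headers, top-most first as they appear in a delivered
# message (each relay prepends its own). The bottom-most one is the origin hop.
RECEIVED_HEADERS = [
    "from fwd.example.net (fwd.example.net [198.51.100.5]) by mx.final.example; Sun, 9 May 2021 07:36:00 -0500",
    "from mail.example.org (mail.example.org [192.0.2.10]) by fwd.example.net; Sun, 9 May 2021 07:35:30 -0500",
    "from unknown (HELO sender.invalid) (203.0.113.77) by mail.example.org; Sun, 9 May 2021 07:35:00 -0500",
]

# Constructed "bad reputation" network for the demo; a real filter would use a reputation feed.
SUSPECT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# from <name> ... <ipv4> ... by <name>   (IPv4 only, enough for the demonstration)
HOP_RE = re.compile(
    r"from\s+(?P<helo>[^\s;]+).*?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?.*?\bby\s+(?P<by>[^\s;]+)",
    re.S,
)


def parse_hops(received_headers):
    """Return hops in transmission order (origin first) as dicts: helo, ip, by."""
    hops = []
    for hdr in reversed(received_headers):  # bottom-most header is the earliest hop
        m = HOP_RE.search(hdr)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops


def in_suspect_network(ip):
    """Demo reputation predicate: is the hop's IP inside a suspect network?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_NETWORKS)


def chain_is_consistent(hops):
    """Each relay's 'by' name should reappear as the next hop's 'from' name.
    Only the 'by' side is written by the server that received the message;
    'from' names are asserted by the peer, so a mismatch is a signal to
    inspect, not proof of forgery."""
    return all(prev["by"] == nxt["helo"] for prev, nxt in zip(hops, hops[1:]))


def chain_reputation(hops, is_bad_ip):
    """Compare the adjacent-server-only verdict with a whole-chain verdict."""
    adjacent = hops[-1]
    flagged = [h for h in hops if is_bad_ip(h["ip"])]
    return {
        "adjacent_only_flags": is_bad_ip(adjacent["ip"]),
        "any_hop_flags": bool(flagged),
        "flagged_hops": flagged,
    }


if __name__ == "__main__":
    hops = parse_hops(RECEIVED_HEADERS)
    for i, h in enumerate(hops):
        print(f"hop {i}: from {h['helo']} [{h['ip']}] by {h['by']}")
    print("chain consistent:", chain_is_consistent(hops))
    print(chain_reputation(hops, in_suspect_network))
```

With the constructed headers, the adjacent server (the forwarder at 198.51.100.5) looks clean, so an adjacent-only check passes; the whole-chain check flags the origin hop at 203.0.113.77, which is exactly the case the reply describes as hiding behind the forwarder's reputation. The consistency check is deliberately weak on its own, because anything above the first trusted "by" in the chain could have been written by the sender.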
