The sender of this email cannot be verified - shield icon next to sender in webmail, icon on the left of message in message list
Question asked by Webio - 5/30/2023 at 2:26 AM

How does verification work for the shield icon next to the sender name? For each sender in webmail I have:

The sender of this email cannot be verified
with content:

DMARC Not available
SPF Not available
DKIM Not available
I'm using an incoming gateway for spam checking, so all checks on the main SmarterMail server are disabled.

I'm also wondering why only a few of the sender icons in the message list (webmail) have their own icon. If I understand correctly, the icon for a mail is downloaded from the favicon of the sender domain's website? Even a message from the SmarterTools ticket system has only an "S" letter on a green background instead of an icon, which probably should have been downloaded by now (the system has been working for three days since the upgrade). Can this maybe be related somehow to the issue mentioned above?

3 Replies

Howell Dell Replied
Can you share what build you are on?

I am afraid that in your case, since you are using a third-party incoming gateway, SmarterMail can't validate the original sending IP address against SPF, since from SmarterMail's perspective the origination point is likely to be your third-party gateway.

However, I would think that DMARC and DKIM should still be able to validate against the sending domain. What feature settings did you turn off to disable DMARC and DKIM?

To take advantage of maximum protections, you need to use SmarterMail directly connected to the Internet without a third-party incoming gateway. That is the way I use it here. I have purchased all of the filtering options from SmarterTools to maximize the benefits.
Howell Dell Replied
As for DKIM, I don't see anything in the docs that would prevent you from using DKIM. However, I would think that you cannot use the trusted (whitelisted) IP addresses and IP bypass features to help avoid DKIM failures, because you are using a third-party incoming gateway.

However, as you know, DKIM is about digital signing of eMails, and, as you know, various fields in the eMail message have not been tampered with, plus only the originator's eMail server should have the only copy of the private key that was used to sign the eMail in the first place. As long as you have a reliable DNS server, I would turn on this validation feature.

Of course, you should be using DKIM for your own and/or your customers' domains so that their outgoing eMails are secured. You have to create a private key inside SmarterMail for each domain, then you or your customers have to publish a _domainkey TXT record.
Webio Replied
IMHO, also using SmarterMail as incoming gateways, with the score (and all check results) passed to the main SmarterMail instance, should also cover this situation.

EDIT: I would say that this could be something for the SmarterTools devs to consider, since this info is already there in the message headers.

EDIT2: On the other hand, this might be related to the issue where all messages from incoming gateways that are whitelisted (but not for spam checks) also skip spam checks, and even with SPF, DKIM and DMARC checks enabled, the main SmarterMail server does not scan incoming messages because they are delivered from whitelisted incoming gateway servers (but again: whitelisted yes, but whitelist spam checks set to no). Maybe fixing this issue will also fix this problem where all messages can't be verified.
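
The idea of reusing the gateway's results from the message headers, sketched as an added example (not part of the thread and not SmarterMail code): it reads an RFC 8601 Authentication-Results header and accepts only the topmost one stamped by the gateway, so a copy supplied by the sender is ignored. The authserv-id `gw.example.net`, the function name and the sample message are assumptions, as is the premise that the gateway always adds its own header.

```python
import re
from email import message_from_string

TRUSTED_ID = "gw.example.net"  # assumption: authserv-id your gateway stamps
_COMMENT = re.compile(r"\([^()]*\)")  # RFC 5322 comments (non-nested)
_RESULT = re.compile(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

# Constructed sample: the gateway's header is on top, a sender-forged copy below.
SAMPLE = (
    "Authentication-Results: gw.example.net;\n"
    " spf=pass smtp.mailfrom=example.org;\n"
    " dkim=fail (bad signature) header.d=example.org;\n"
    " dmarc=fail (p=none) header.from=example.org\n"
    "Authentication-Results: gw.example.net; dkim=pass; dmarc=pass\n"
    "From: Alice <alice@example.org>\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)


def gateway_verdicts(raw_message, trusted_id=TRUSTED_ID):
    """Return the SPF/DKIM/DMARC results vouched for by the trusted gateway."""
    verdicts = dict.fromkeys(("spf", "dkim", "dmarc"), "not available")
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results") or []:
        # Unfold continuation lines and drop comments before splitting on ';'.
        value = _COMMENT.sub(" ", re.sub(r"\r?\n[ \t]+", " ", value))
        authserv, _, rest = value.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted_id.lower():
            continue  # stamped by another host, possibly the sender itself
        for part in rest.split(";"):
            m = _RESULT.match(part)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            # First result wins, except that any passing DKIM signature counts.
            if verdicts[method] == "not available" or (
                    method == "dkim" and result == "pass"):
                verdicts[method] = result
        break  # topmost trusted header only: lower copies may be forged
    return verdicts


if __name__ == "__main__":
    print(gateway_verdicts(SAMPLE))
```

Headers from any other authserv-id leave every method at "not available", which matches what the shield tooltip shows when no trusted result exists.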
