Forward messages to Gmail (postfix+SRS) has DMARC failure even though SPF and DKIM succeed

I run my own domain, but forward many email addresses to my gmail account. Recently, I started seeing a lot of messages marked by gmail as spam. I have SPF set for my outgoing email, and use SRS to rewrite the from address as my own. I also have DKIM set up, although from what I understand, this should not apply to forwarded email, only emails generated from my server (and indeed, I see that forwarded emails don't get DKIM added, but locally sent messages do). However, I see gmail reporting a DMARC failure, and I'm not sure what else I need to do (it happens primarily for two domains; emails coming from chase.com, and emails from gmail.com itself).

Here's a sample set of message headers:

Received-SPF: pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net designates 34.224.146.155 as permitted sender) client-ip=34.224.146.155;
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=66.175.222.108; helo=mail02.groups.io; [email protected]; receiver=<UNKNOWN>
MIME-Version: 1.0
From: Safta Chavi <[email protected]>
Date: Wed, 11 Nov 2020 18:50:36 +0200
Message-ID: <CAB5sq-wzZZ13bfOpxWo2n+AV_AQNBLim4x_9PNZfWz+n7Evi1g@mail.gmail.com>
Subject: [BS/RBS List] Oven recommendations? #question
To: undisclosed-recipients:;
Precedence: Bulk
Sender: [email protected]
Mailing-List: list [email protected]; contact [email protected]
Content-Type: multipart/alternative; boundary="000000000000de985705b3d798e3"

(to reduce spam, I replaced the address the email was sent to with MYADDRESSORIGINAL, the actual delivery address (my gmail) with MYADDRESS and the source with SENDER, but other than that, everything is unchanged)

gmail reports: SPF: PASS with IP 34.224.146.155 DKIM: 'PASS' with domain groups.io DMARC: 'FAIL' Learn more

What can I do to get DMARC to pass? I think I might need to use ARC somehow... but what exactly do I?

postfix config (same censoring):

$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
luser_relay = [email protected]
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, mikeage.net, localhost
myhostname = aws1.mikeage.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = local:opendkim/opendkim.sock
policyd-spf_time_limit = 3600
readme_directory = no
recipient_canonical_classes = envelope_recipient,header_recipient
recipient_canonical_maps = tcp:localhost:10002
recipient_delimiter = +
relayhost =
sender_canonical_classes = envelope_sender
sender_canonical_maps = tcp:localhost:10001
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_milters = local:opendkim/opendkim.sock
smtpd_recipient_restrictions = permit_sasl_authenticated reject_invalid_helo_hostname reject_unauth_destination reject_unknown_recipient_domain reject_unverified_recipient check_policy_service unix:private/policyd-spf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/letsencrypt/live/aws1.mikeage.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/aws1.mikeage.net/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

(The maps on 10001 and 10002 are postsrsd)

I answered similar question just yesterday. The root cause is the same, but the case is quite different.

The results:

Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=20140610 header.b=OmM+mk8Y;
       spf=pass (google.com: domain of srs0=uwyv=es=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net designates 34.224.146.155 as permitted sender) smtp.mailfrom="SRS0=Uwyv=ES=groups.io=bounce+69030+554308+4680414+8404272@mikeage.net";
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

From: Safta Chavi <[email protected]>

DMARC does not test if SPF or DKIM has passed, but one of them must both pass and be aligned with the domain used in the From: header. Here, SPF passed with mikeage.net and DKIM with groups.io. They are not aligned with i.e. do not match From: ... gmail.com, so DMARC fails.

In this case there are two nested forwardings that causes the problem.

The message is originally sent from Gmail to an Groups.io mailing list, and therefore the header From: is @gmail.com.
Gmail has probably DKIM signed the original message, but as mailing list may modify the body in order to add their unsubscribe information, it has DKIM signed the message again with groups.io.
Your server forwards the message again. It must change the envelope sender to pass the SPF test, but now the envelope sender has mikeage.net, which is not aligned anymore.

While Google could trust the ARC-Message-Signature and ARC-Authentication-Results directly from Groups.io, it's unlikely they would trust ARC from your own mail server.
Because of 2 & 3 DMARC alignment fails for both DKIM and SPF.

There isn't much you can do besides not to forward to Gmail. This way you can keep full control over adding exceptions for cases like this.

The mailing list could fix this by changing the From header, too, while rewriting the body.

Forward messages to Gmail (postfix+SRS) has DMARC failure even though SPF and DKIM succeed

Related

Recent Posts