Authenticated Received Chain (ARC)


#1

Hi Everyone,

So I have one user that keeps getting SPF error message, this turns out to be a red herring and actual issue is user is forwarding email to another domain.

When doing this it breaks
More documentation here:

Return Path ARC

My question, How can I set this up on main in a box? the example finance@company.com is forwarded to finance@accountingcompany.com but everyone sending emails to finance@company.com is getting bounced away

550 5.7.1 Recipient address rejected

Kind Regards
Scott.


#2

Set it up as a filter in Roundcube.


#3

Hi Alento,

Have you seen this issue before? I think the forward will be setup in outlook or something so happy to test this. Or is this a known fix? it sounds so simple lol

Kind Regards
Scott.


#4

Yes. The forward must be set up in Roundcube as a filter. I will provide more details shortly.


#5

Does Roundcube do this in the background?

What kicks it to do the forward?

Do you have to log into Roundcube?


#6

Yes.

When an email is received and processed by Dovecot.

To set it up initially, yes.


#7

Hi,

So not sure if my first question was very clear, emails are being forwarding (and are setup as filter in roundcube). When sending mail, 3rd party system checks the DKIM and SPF etc and if fails (most email systems are checking this now) then rejects the email sending and “the forward” and so its failing the record check, alot hunting around on internet looks like this is a known issue and that’s why ARC.

Forward itself is working correctly.
but when forwarding, it breaks email validation " The problem with indirect mailflow" as talked about on the Return Path website.

Also see


#8

Why do I see failing SPF reports for some legitimate sources?

In some cases, an email provider may forward your email to another address. For instance, you send a newsletter to a customer and they forward it from their main mailbox to their Gmail account. While most email providers will properly preserve the from address and Return-Path address, others may rewrite it, causing a failure. While this may present a problem, it is limited to a small percentage. In addition, ISPs can still consider if a message has DKIM present in this case and allow it to pass. This is why it is important to have both SPF and DKIM passing on a domain.

FAQ:


#9

EXACTLY how? An alias in the admin area, or an identity in Roundcube?


#10

I recently tried it in both, but I have just removed from Admin page / Aliases and now its only in Filter “send message copy too” : user@theaccountant.co.uk

Have just tested and still getting same error message, I have mulled the data to remove most of personal information:

Reporting-MTA: dns; mail.domainblarblar.com
X-Postfix-Queue-ID: C87F41A106B
X-Postfix-Sender: rfc822; scott@testing.co.uk
Arrival-Date: Wed, 6 Mar 2019 13:40:49 +0000 (GMT)

Final-Recipient: rfc822; user@theaccountant.co.uk
Action: failed
Status: 5.7.1
Remote-MTA: dns; spamtitan2.ntssecure.com
Diagnostic-Code: smtp; 550 5.7.1 user@theaccountant.co.uk: Recipient address
rejected: Please see
http://www.openspf.net/Why?s=mfrom;id=scott%40customer.co.uk;ip=89.40.111.123;r=spamtitan2.ntssecure.com


#11

My users often forward their emails to another mailbox, how do I keep DMARC valid?

DMARC relies on SPF and DKIM. In the case of forwarding emails, SPF is likely to fail, in a DMARC sense, at the receiver. You are resending from your infrastructure and it is unlikely your sending IP is in the SPF record of the domain contained in the from header of the email. However there is no reason for DKIM to fail. For DKIM not to fail, you must ensure that your mail server does not drastically modify the message. Typically, the only modification that preserves DKIM is to add new email headers to the messages without touching the subject or the body of the message. Headers protected by DKIM should not be modified in any way, and the message should not be converted from one encoding to another.

https://dmarc.org/wiki/FAQ#My_users_often_forward_their_emails_to_another_mailbox.2C_how_do_I_keep_DMARC_valid.3F


#12

The problem is that you can’t always determine what an intermediate mail server is doing with the mails. I once sent a mail to three different addresses with forwarding set to a third address. The addresses sent to ended with the following domains.

outlook.com
yahoo.co.uk
blueyonder.co.uk

All three mails failed SPF when forwarded to a final destination. But the outlook one failed DMARC as well.

Checking the outlook headers themselves showed the inbound mail had a DKIM and SPF pass. But the mail saved to the Outlook server had been modified between the DKIM check and forwarding it on to the final destination (I compared the copy of the mail on the outlook server with the sent mail).

Google Apps for business can be another pain as they add any automatic disclaimers to forwarded mails, which again breaks DKIM, although this is typically the only change that Google makes.

Someone needs to go back to the email specs.


closed #13

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.