Hello, First - Benjamin, Steve's post is not a coincidence - he and I had a conversation about the specific issue I'm dealing with, which was super helpful, and I suspect sparked this blog post. I wanted to get a few more data points, which is why I posted here, but his blog post is indeed very useful.
The specific use case that is driving me to look into this in detail is this: I'm working with a government agency that is subject to the operational directive 18-01 that requires their domains to be at DMARC p=reject by mid-October this year. The specific set of mailings we're having trouble with are sending email on behalf of a government database of research information, where the subscribers are everyone from other government employees to university and private business researchers to the general public. From the subject lines I've seen, it looks like the content is new research information matching a subscriber's saved search query.

The messages are being sent from Postfix, and they are fully aligned and pass both SPF and now DKIM, but we are seeing a lot of failures through forwarders, especially universities, in a much greater number than I see from other high volume sending domains that are authenticated at this level. I do not have access to any of the bounces or server logs, only the rua and ruf data.

The admins for this system haven't historically worked very closely with us. They knew they needed to set up authentication, so they first set up SPF and moved the domain to p=quarantine. Then the postmaster for one of the universities whose researchers use this information a lot complained to them about messages in the spam folder, and they moved it back to p=none. We got them to add DKIM, and then they moved it to p=reject. Then they heard from other postmasters from yet other universities about messages that weren't being received, so they've moved it back to p=none again.

Here are the headers they're signing:

h=to:cc:from:subject:reply-to:Date

The forensic data samples I have show that a number of the messages that fail seem to have injected different reply-to addresses, some of which clearly belong to mailing lists.

I suspect what's happened is that researchers have subscribed their research group mailing lists to updates on specific topics from the government database, and this is changing the message in transit and breaking DKIM and DMARC. To a certain degree, I know we can't perfectly control systems that change messages and headers through lists and forwarders, but the number does seem larger than usual - something like ~25% from forwarding servers, where a similar volume sending domain from another part of the same agency that is sending newsletter type content and not research data tends to see an ~8% failure rate from forwarding servers. Also, I am sympathetic to the research need and want to help as many of these messages get delivered as possible, because I care about science.

What I'm thinking is that the situation might improve if they can stop signing the reply-to: and possibly even the to: and cc: headers. Am I on the right track? Any other recommendations?

Thanks,

Autumn Tyr-Salvia
tyrsalvia@gmail
atyrsalvia@agari

On Fri, Jul 20, 2018 at 8:02 AM, Kurt Andersen (b) <kb...@drkurt.com> wrote:
> On Thu, Jul 19, 2018 at 10:18 PM, Autumn Tyr-Salvia <tyrsal...@gmail.com>
> wrote:
>>
>> ... I have lately had some customers with greater-than-usual issues
>> relating to ... messages that get forwarded, where the forwarding system is
>> changing headers to the point that they break DKIM
>
> Aside from this being a great opportunity to employ ARC, can you tell us
> which headers were being munged by the forwarder(s) or is that info lost in
> the rejections?
>
> --Kurt
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
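The question in the post above is whether dropping reply-to (and possibly to/cc) from the DKIM h= tag would let messages survive forwarders that rewrite Reply-To. The following is an added example, not code from the thread or from any DKIM implementation: it models the RFC 6376 relaxed header canonicalization and the h= header selection rule, and uses SHA-256 over the selected headers as a stand-in for the RSA signature, which is enough to show exactly which in-transit header changes invalidate a signature. The two messages, the example.gov sender, and the list address are constructed; the h= value is the one quoted in the post.

```python
"""DKIM h= header selection versus forwarder header rewriting (RFC 6376 model).

Added example, not code from the mailop thread or any DKIM library. Only the
header-hash input is modelled; the DKIM-Signature field itself (with b= emptied)
and the body hash are left out, as they do not change which header edits break
the signature.
"""
import hashlib
import re

# Constructed sample: headers as the message left the sender's Postfix.
ORIGINAL = [
    ("From", "Research Alerts <alerts@example.gov>"),
    ("To", "researcher@university.example"),
    ("Subject", "New results for saved search:\r\n\t coral bleaching"),
    ("Reply-To", "alerts-noreply@example.gov"),
    ("Date", "Fri, 20 Jul 2018 08:00:00 -0700"),
]

# Constructed sample: same message after a list/forwarder replaced Reply-To.
FORWARDED = [
    ("From", "Research Alerts <alerts@example.gov>"),
    ("To", "researcher@university.example"),
    ("Subject", "New results for saved search: coral bleaching"),
    ("Reply-To", "reefs-group@lists.university.example"),
    ("Date", "Fri, 20 Jul 2018 08:00:00 -0700"),
]

# h= tag quoted in the post, and the variant the poster is considering.
H_CURRENT = "to:cc:from:subject:reply-to:Date"
H_PROPOSED = "to:cc:from:subject:Date"


def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"           # lowercase name, no space at colon


def select_signed_headers(headers, h_tag):
    """Pick fields named in h=, last occurrence first (RFC 6376 section 5.4.2).

    A name in h= with no matching field contributes nothing; listing it anyway
    ("oversigning") means a field added later in transit will break the hash.
    Names are case-insensitive, so 'Date' in the tag matches 'date'.
    """
    remaining = list(headers)
    selected = []
    for wanted in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                selected.append(remaining.pop(i))
                break
    return selected


def header_hash(headers, h_tag):
    """Hex SHA-256 over the canonicalized signed headers (signature stand-in)."""
    data = "".join(relaxed_canon(n, v) for n, v in select_signed_headers(headers, h_tag))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def signature_survives(sent, received, h_tag):
    """True if the forwarder's edits left every signed header intact."""
    return header_hash(sent, h_tag) == header_hash(received, h_tag)


def without(headers, name):
    """Copy of the header list with one field removed (for the oversigning case)."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


if __name__ == "__main__":
    print("current h=, Reply-To rewritten :", signature_survives(ORIGINAL, FORWARDED, H_CURRENT))
    print("proposed h=, Reply-To rewritten:", signature_survives(ORIGINAL, FORWARDED, H_PROPOSED))
    # Oversigning: no Reply-To at signing time, forwarder adds one, reply-to in h=.
    print("oversigned, Reply-To added     :",
          signature_survives(without(ORIGINAL, "Reply-To"), FORWARDED, H_CURRENT))
```

With the h= tag from the post, the rewritten Reply-To changes the header hash and the signature fails; with reply-to removed from h= the same forwarded message verifies, because the selection step never feeds that field into the hash. The folded Subject in the original and the unfolded one in the forwarded copy hash identically under relaxed canonicalization, so whitespace refolding by a relay is not the culprit here. Two caveats for anyone making this change: RFC 6376 requires From to remain signed, and any list that also alters the body (footers, subject tags) will still fail on the body hash regardless of h=, which is where ARC, as suggested in the quoted reply, comes in.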