Moin, to share some closure on this with the rest of the list; What was ultimately the issue was an RFC8616 based DKIM-Signature header, i.e., containing UTF-8 encoded fields (in this case, even though there were no non-ascii characters in them). While rspamd on my machine did not have an issue, forwarding recipients were unable to parse this.
Incidentally, it seems like dkimpy also is unable to parse such headers, even though the email modules decodes them just fine. I added support to test for this to email-security-scans.org, i.e., if your DKIM header contains UTF8 encoded fields, it now shows a warning. With best regards, Tobias On Mon, 2024-06-03 at 23:11 +0200, Tobias Fiebig via mailop wrote: > Moin, > got it, thx. > > With best regards, > Tobias > > On Mon, 2024-06-03 at 21:36 +0200, Tobias Fiebig via mailop wrote: > > Moin, > > > > tl;dr: Could someone do https://email-security-scans.org from > > meta.com, > > storing mails on the server and sharing the link with me to help me > > debug a deliverability issue? > > > > I just got a report in that a user's mail bounced when writing from > > '@meta.com' to an alias on a domain I operate, which forwards to a > > third party hosting on zoho.com. > > > > The NDR is for a DMARC reject; In my logs, I see that: > > - ARC verification already failed on inbound with a bh mismatch > > - DKIM seems to have passed, though, at least according to the logs > > (with a selector hinting at it being for Q4 2021) > > > > zoho.com then rejects with "550 5.7.1 Email rejected per DMARC > > policy" > > > > Given that SPF obviously fails, the question is why DMARC does no > > longer validate when hitting zoho.com; I currently suspect that > > there > > was either a tmp-error for the lookup of the DKIM key, or that > > meta/outlook.com signs some headers that may be affected during a > > normal forward. Also, there are no issues with other DKIM signing > > p=reject domains being forwarded via the setup. > > > > To help me debug this; Is there anyone from meta / with an account > > under meta.com on the list who could do a test on > > https://email-security-scans.org (ideally checking the 'store my > > mails' > > checkbox)? > > > > (Already asked into the direction of the user as well, but this is > > a > > multi-hop conversation through a user of mine; And it somewhat bugs > > me > > and i'd like to resolve this asap. ;-)) > > > > With best regards, > > Tobias > > > -- Dr.-Ing. Tobias Fiebig T +31 616 80 98 99 M tob...@fiebig.nl _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
