Hi!

Thanks for the insight - it was not only about forwarding mail to
gmail (although I understand that this is a big use case being
discussed here), but really about just delivering email to Google /
GMail / Workspace.

The scenario I'm unsure about is the following:

Envelope From is @amazonses.com
SPF aligns to amazonses.com
Header From is hoffrichter.no
It is signed with a DKIM key under amazonses.com (with a valid
signature), but doesn't have a valid signature from hoffrichter.no
hoffrichter.no has a DMARC policy with p=none

Will the mail be delivered to Google mail accounts if hoffrichter.no
sends more than 5000 emails per day to Google?

These are the new requirements, in case not everyone is aware of
these: https://support.google.com/mail/answer/81126

This is producing quite a stir in the organization I'm working for :)

Jens

On Thu, Nov 2, 2023 at 12:29 PM Matus UHLAR - fantomas via
Postfix-users <[email protected]> wrote:
>
> On 02.11.23 12:04, Jens Hoffrichter via Postfix-users wrote:
> >Actually, I was just discussing these things - this is just regarding
> >the new requirements from Google and Yahoo starting Feb 1st.
>
> >What happens, if a mail is sent from AmazonSES, with a signature key
> >from amazonses.com, but with a header from set to something different,
> >like hoffrichter.no
> >
> >Would that count as signed from Google? Would that be just an invalid
> >signature, even though it is technically validly signed?
>
> Google will require hoffrichter.no to have a DMARC record and pass DMARC.
>
> Mail will pass DMARC if it has a valid DKIM signature from the hoffrichter.no
> domain.
>
> It will also pass if the envelope from: is also in the hoffrichter.no domain
> AND passes the SPF check.
>
> Thus, combined with previously posted information, mail with DKIM can be
> forwarded without issues (unless you modify its content), while forwarding
> mail with only SPF will lead to troubles.
>
> >It is only tangentially interesting for signing from Postfix, but a
> >very interesting topic, especially together with someone who has a lot
> >of experience in dkim signing!
>
> Note that you can have multiple DKIM keys in DNS for mail sent from
> different sources.
>
> This is often used with massmailing services that have a separate DKIM key
> (selector) than your organization's mail server.
>
>
> --
> Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Emacs is a complicated operating system without good text editor.
> _______________________________________________
> Postfix-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
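The alignment rules described in the quoted reply, as an added example that is not part of either poster's message: a minimal DMARC identifier alignment check in Python, run over the scenario from the thread. The function names and the three-entry public suffix set are assumptions for illustration (a real evaluator uses the full Public Suffix List), and the sample inputs are constructed.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "no", "co.uk"}


def org_domain(domain):
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when the suffix is unknown


def aligned(auth_domain, from_domain, strict=False):
    """Relaxed mode compares organizational domains; strict needs equality."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(header_from, spf_domain, spf_pass, dkim_sigs,
                 aspf_strict=False, adkim_strict=False):
    """dkim_sigs is a list of (d= domain, signature verified?) tuples."""
    spf_ok = spf_pass and aligned(spf_domain, header_from, aspf_strict)
    dkim_ok = any(ok and aligned(d, header_from, adkim_strict)
                  for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Constructed inputs modelled on the scenario in the message above.
    # 1) SPF and DKIM both verify, but only for amazonses.com.
    print(dmarc_result("hoffrichter.no", "amazonses.com", True,
                       [("amazonses.com", True)]))
    # 2) Same mail with a second, valid signature using d=hoffrichter.no.
    print(dmarc_result("hoffrichter.no", "amazonses.com", True,
                       [("amazonses.com", True), ("hoffrichter.no", True)]))
    # 3) No DKIM, envelope sender in a subdomain of hoffrichter.no.
    print(dmarc_result("hoffrichter.no", "bounce.hoffrichter.no", True, []))
```

The result describes only the DMARC evaluation itself; what a receiver does with a failing message depends on the published policy and the receiver's own rules.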