Dear Peter,
I do appreciate your 5 recommendations.
So far I have DKIM, DMARC and others such as Postgrey Anti-Spam and SPF
in place.
I am planning to implement ARC as I look to also implement a mailing list.
But I was not aware of SRS.
Finally, I am not forwarding any mail so far.
Regards,
Tshimanga
On 2/8/24 04:09, Peter via Postfix-users wrote:
> On 8/02/24 14:23, Alex via Postfix-users wrote:
> > I'm hoping I could ask for some advice. We have a pretty
> > large percentage of users who forward mail through our systems to
> > personal Gmail accounts. Sometimes it is mail from bulk senders like
> > mailgun and lanyon/cvent.
>
> Before answering your actual questions I'll give a quick note of
> caution. When you forward mail that means you will also forward SPAM.
> To at least some servers this makes it at least appear as if SPAM is
> originating from your server and could result in your servers' IP
> address(es) being added to DNSRBLs. That said...
>
> > Would ARC help here,
>
> It won't hurt, and Google seems to be advising to use it for
> forwarding. ARC is basically telling the recipient's MTA that your
> MTA legitimately received the message and indicating whether it passed
> or failed SPF, DKIM and DMARC to your server. Do note that ARC
> requires that the recipient server somehow trusts your server so it
> does mean that you're taking some amount of responsibility for the
> messages you're forwarding and the quality of those messages could
> determine how much other servers will accept your ARC results.
>
> > or is DKIM enough for DMARC alignment with forwarded messages?
>
> It can be, but this depends entirely on the message being properly
> DKIM signed by the original sender, something which is entirely out of
> your control, so it's safe to say that not all messages will pass
> DMARC because of DKIM because not all senders will have DKIM properly
> configured, or configured at all. Also DKIM relies on you not
> altering any of the message headers or body used for the signature, so
> your own server could potentially invalidate the DKIM signature even
> if it is initially valid. You can sign the messages yourself but that
> won't help for DMARC alignment because DMARC requires a DKIM signature
> that is signed by the From: header domain in order to accept it.
>
> > Perhaps ARC will help in those cases where DKIM fails with forwarded
> > messages?
>
> Again, it might, it depends on the recipient MTA.
>
> > Is it used on the sending server or on the relay?
>
> DKIM has to be signed by the original sender, ARC is signed by the
> relay (you).
>
> > Is it installed using a milter alongside openSPF/DKIM using openarc?
>
> It can be, yes.
>
> > I've also thought about implementing SRS over the years, but it has
> > its own problems, so I wondered if people were still implementing that?
>
> SRS is simply changing the envelope sender so it aligns with one that
> you control. It allows SPF to pass but won't help with DMARC because
> your domain will not align with the From: header in the message.
>
> My recommendations are as follows (other people's recommendations will
> vary):
>
> 1. Don't forward mail.
> 2. If you must forward mail then relay it using a different IP
>    address to mail that originates from you, that way if the IP gets
>    added to a DNSRBL it at least should hopefully not affect the mail
>    that you originate.
> 3. SPAM-filter mail before you forward it, be aggressive with this as
>    you really don't want to be forwarding SPAM. Note that some SPAM will
>    still get through.
> 4. ARC sign your forwarded mail.
> 5. Use SRS on forwarded mail.
>
> This is in addition to all the other things you do for mail that you
> originate (SPF, DKIM, DMARC, etc).
>
> Good luck,
> Peter
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
--
TSHIMANGA Minkoka
+243 814443113
tshik...@tshimix.cd
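
Added example, not part of the thread and not written by any of its participants: a simplified model of the DMARC alignment check a final recipient applies, run over constructed deliveries to show the cases discussed above (forwarding with and without SRS, and a relay's own DKIM signature). The domains are placeholders, organizational-domain matching is approximated by the last two labels, and ARC is left out because its effect depends on how far the recipient trusts the relay.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Simplification: last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    # Relaxed alignment: the organizational domains must match.
    return org_domain(a) == org_domain(b)

@dataclass
class Delivery:
    header_from: str   # domain in the From: header
    mail_from: str     # envelope sender domain, the identity SPF checks
    spf_pass: bool     # is the connecting IP authorized for mail_from?
    dkim: list = field(default_factory=list)  # [(d= domain, signature verifies?)]

def dmarc(d: Delivery) -> dict:
    # DMARC passes if SPF or DKIM passes AND that identity aligns with From:.
    spf_ok = d.spf_pass and aligned(d.mail_from, d.header_from)
    dkim_ok = any(ok and aligned(dom, d.header_from) for dom, ok in d.dkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "pass": spf_ok or dkim_ok}

# Constructed deliveries as seen by the final recipient; domains are placeholders.
SENDER, RELAY = "sender.example", "relay.example"
SCENARIOS = {
    "direct": Delivery(SENDER, "bounce." + SENDER, True, [(SENDER, True)]),
    "forward, untouched": Delivery(SENDER, "bounce." + SENDER, False, [(SENDER, True)]),
    "forward, sender has no DKIM": Delivery(SENDER, "bounce." + SENDER, False, []),
    # SRS rewrites the envelope sender to the relay's domain: SPF passes, unaligned.
    "forward + SRS, untouched": Delivery(SENDER, RELAY, True, [(SENDER, True)]),
    # Relay altered the body (original signature breaks) and signed with its own key.
    "forward + SRS, body altered, relay re-signs":
        Delivery(SENDER, RELAY, True, [(SENDER, False), (RELAY, True)]),
}

def evaluate() -> dict:
    return {name: dmarc(d) for name, d in SCENARIOS.items()}

if __name__ == "__main__":
    for name, r in evaluate().items():
        verdict = "pass" if r["pass"] else "fail"
        print(f"{name:45} spf_aligned={r['spf']!s:5} dkim_aligned={r['dkim']!s:5} dmarc={verdict}")
```
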