On 18.09.2015 at 16:23, Sebastian Nielsen wrote:
> That's exactly what I'm talking about, this DMARC Strict Identity Alignment. If a host only publishes an SPF record (no DKIM record), and sets up DMARC with Strict Identity Alignment,
it's most probably not a very good DMARC setup
> then you will need to rewrite or encapsulate the From: & MAIL FROM address on any forwarded email to match your own server instead.
I would simply respect the configuration and deny forwarding. Historic SPF and DKIM by themselves fail to avoid unauthorized usage of a sender domain. For that reason DMARC is the successor. Nobody SHOULD today reject a message that does not authenticate by SPF *or* DKIM. Even if the sender domain doesn't publish a DMARC record.
> The best thing to do, as I said, is to encapsulate the mail in a new message/rfc822 container, where the outer container will have your domain and your DKIM signature, while the inner container contains the original email, and where the outer subject contains "Fwd:" in addition to the original subject. Just like you pressed "Forward" in your email client.
I would prefer to honor the DMARC policy. If a broken policy denies forwarding, it's in the first place a sender policy. Only the receiver may decide to override the sender's policy and accept forwarded messages not authenticated by DMARC.

This thread tends to focus more on DMARC than Postfix. I encourage interested readers to subscribe to http://lists.dmarc.org/mailman/listinfo/dmarc-discuss

Andreas
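The encapsulation approach quoted in the message above, sketched with Python's standard `email` package as an added example (it is not code from either poster or from Postfix). All addresses and domains are constructed placeholders, and DKIM signing of the outer message is assumed to be done afterwards by the forwarder's own MTA.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

# Constructed sample: a message from a domain with a strict DMARC policy.
ORIGINAL = b"\r\n".join([
    b"From: Alice <alice@strict.example>",
    b"To: bob@forwarder.example",
    b"Subject: Quarterly report",
    b"Message-ID: <1234@strict.example>",
    b"",
    b"Numbers attached.",
    b"",
])


def encapsulate(raw: bytes, forwarder: str, recipient: str):
    """Wrap `raw` in a new message owned by the forwarder.

    Returns (mail_from, outer): the envelope sender to use in MAIL FROM
    and the outer message. Both carry the forwarder's domain, so SPF and
    a DKIM signature on the outer message align with the outer From:.
    """
    inner = message_from_bytes(raw, policy=policy.SMTP)
    mail_from = parseaddr(forwarder)[1]
    domain = mail_from.rpartition("@")[2]

    outer = EmailMessage(policy=policy.SMTP)
    outer["From"] = forwarder
    outer["To"] = recipient
    outer["Subject"] = "Fwd: " + str(inner.get("Subject", ""))
    outer["Date"] = formatdate(usegmt=True)
    outer["Message-ID"] = make_msgid(domain=domain)
    outer.set_content("Forwarded message attached.\n")
    # Attaching a message object produces a message/rfc822 part; the
    # original headers and body travel inside it unmodified.
    outer.add_attachment(inner)
    return mail_from, outer


if __name__ == "__main__":
    sender, msg = encapsulate(
        ORIGINAL, "Forwarder <fwd@forwarder.example>", "bob@final.example"
    )
    print("MAIL FROM:", sender)
    print(msg.as_string())
```
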