I found their forwarding policy is somewhat strange. They changed the "to:" header address in the forwarded email to the destination address. For example, u...@foo.com writes to t...@5x2.de, this mail will be forwarded to d...@gmail.com When gmail receives this email, the "to:" header is d...@gmail.com, rather than t...@5x2.de. Thus this forwarding breaks DKIM, since most DKIM have "to:" header encrypted. And, 5x2.de does a valid SRS, so SPF has no contribution for DMARC. When DKIM fails, the final DMARC fails too. What google shows in their header:
SPF: PASS with IP 136.243.126.xx DKIM: 'FAIL' with domain foo.com DMARC: 'FAIL' So I am thinking 5x2.de should improve this for a better forwarding solution. Thanks.
