On 10.10.21 10:43, Ken Peng wrote:
I found their forwarding policy is somewhat strange.
They changed the "to:" header address in the forwarded email to the
destination address.
For example, u...@foo.com writes to t...@5x2.de, this mail will be
forwarded to d...@gmail.com
When gmail receives this email, the "to:" header is d...@gmail.com, rather
than t...@5x2.de.
Thus this forwarding breaks DKIM, since most DKIM have "to:" header
encrypted.
And, 5x2.de does a valid SRS, so SPF has no contribution for DMARC.
When DKIM fails, the final DMARC fails too.
What google shows in their header:
SPF: PASS with IP 136.243.126.xx
DKIM: 'FAIL' with domain foo.com
DMARC: 'FAIL'
So I am thinking 5x2.de should improve this for a better forwarding
solution.
definitely.
If they want to provide forwarding, they should not break it.
by rewriting headers they are explicitly doing something that breaks
forwarding, which is especially silly when they were able to do SRS in order
not to break SPF.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
