We have Exim running as our MTA. When we forward mail for a user, we use
SRS to ensure we do not violate the SPF policy of the sending domain.
Sometimes messages are rejected from recipients.
550-5.7.26 DMARC policy. Please contact the administrator of omnis.com
550-5.7.26 domain if this was a legitimate mail. Please visit
550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the
550 5.7.26 DMARC initiative.
In researching why this occurs, we have found some domains publish DMARC
policy with instructions to reject.
DMARC says either SPF must pass or DKIM must pass, along with alignment for
the message to be accepted.
We do not alter the message content when forwarding, no changing subject,
no adding footers - nothing.
SPF will not align since we modify the message envelope.
We have found that some domains that have DMARC enabled use SPF, but do not
sign their mail using DKIM at all.
Messages we forward fail SPF alignment; and no DKIM signature from the
original sender means fail fail fail.
What are possible solutions to this problem? Other than contacting every
sending domain that does this and trying to get them to sign their mail.
We have been thinking of doing this (got the idea from Wikipedia).
1) The domain in the From header publishes a DMARC record
2) That DMARC record is set to reject
3) The message has no DKIM signature
4) The message passes our own SPF check
If those four conditions are met we were going to change the from header
from:
From: Happy User <user@???>
To this:
From: Happy User <user@???>
Not happy to have to do something like this, but it will get the message
past systems that are doing the DMARC check by making the sender address
invalid and our SRS/SPF will still pass inbound spam checks with our own
domain.
We would also have to ensure there is a Reply-To: header so a user could
reply to the original sender.
Any comments on doing something like this? Is it stupid or perhaps there
is a better way?
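The four-condition test and the From/Reply-To rewrite described in the post, written out as an added example (not code from the post or from Exim). The DMARC records come from a constructed lookup table standing in for a DNS TXT query of `_dmarc.<domain>`, the forwarder domain `forwarder.example` is an assumption, and the SPF verdict is passed in as a boolean rather than computed.

```python
# Added example: the poster's four conditions and the From rewrite, as pure
# functions over a parsed message. Nothing here touches DNS or the network.
import email
from email import policy
from email.utils import parseaddr, formataddr

FORWARDER_DOMAIN = "forwarder.example"   # assumed: our own (SRS) domain

# Constructed stand-in for a DNS TXT lookup of _dmarc.<domain>.
DMARC_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "lenient.example": "v=DMARC1; p=none",
}

def parse_message(raw):
    """Parse an RFC 5322 message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    record = DMARC_RECORDS.get(domain.lower())
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "").strip().lower() or None

def needs_from_rewrite(msg, spf_passed):
    """Conditions 1-4: DMARC published, p=reject, no DKIM signature, our SPF passes."""
    _, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2]
    return (domain != "" and dmarc_policy(domain) == "reject"
            and "DKIM-Signature" not in msg and spf_passed)

def rewrite_from(msg, spf_passed):
    """Move From into our domain, keep the display name, preserve a Reply-To."""
    if not needs_from_rewrite(msg, spf_passed):
        return msg
    name, addr = parseaddr(str(msg["From"]))
    if "Reply-To" not in msg:          # so a reply still reaches the original sender
        msg["Reply-To"] = formataddr((name, addr))
    local = addr.rpartition("@")[0]
    msg.replace_header("From", formataddr((name, f"{local}@{FORWARDER_DOMAIN}")))
    return msg

if __name__ == "__main__":
    # Constructed sample: DMARC p=reject domain, no DKIM-Signature, SPF passed.
    sample = ("From: Happy User <user@strict.example>\r\n"
              "To: someone@forwarder.example\r\nSubject: hello\r\n\r\nbody\r\n")
    print(rewrite_from(parse_message(sample), True))
```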