Rob,
Generally if you need for messages to pass DMARC check when forwarding,
you need to rewrite the From header field to make it align. Hacking up
an example from the IETF DMARC mailing list, they would rewrite the
address to something like:
From: Happy User <user=40exmaple.com@???>
Where of course you would replace dmarc.ietf.org with your own domain or
one you control. Optionally you can put a DMARC record on that domain to
collect failure reports.
This is rather ugly, so they tend to do this only for messages coming
from domains with restrictive DMARC policies.
-Jim
On 9 Mar 2021, at 4:50, Rob Gunther via Exim-users wrote:
> We have Exim running as our MTA. When we forward mail for a user, we
> use
> SRS to ensure we do not violate the SPF policy of the sending domain.
>
> Sometimes messages are rejected from recipients.
>
> 550-5.7.26 DMARC policy. Please contact the administrator of omnis.com
> domain
> 550-5.7.26 if this was a legitimate mail. Please visit
> 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn
> about
> the
> 550 5.7.26 DMARC initiative.
>
> In researching why this occurs, we have found some domains publish
> DMARC
> policy with instructions to reject.
>
> DMARC says either SPF must pass or DKIM must pass, along with
> alignment for
> the message to be accepted.
>
> We do not alter the message content when forwarding, no changing
> subject,
> no adding footers - nothing.
>
> SPF will not align since we modify the message envelope.
>
> We have found that some domains that have DMARC enabled use SPF, but
> do not
> sign their mail using DKIM at all.
>
> Messages we forward fail SPF alignment; and no DKIM signature from the
> original sender means fail fail fail.
>
> What are possible solutions to this problem? Other than contacting
> every
> sending domain that does this and try and get them to sign their mail.
>
> We have been thinking of doing this (got the idea from Wikipedia).
>
> 1) If the domain in the from header publishes DMARC record
> 2) Do they have DMARC set to reject?
> 3) The message has no DKIM signature
> 4) The message passes our own SPF check
>
> If those four conditions are met we were going to change the from
> header
> from:
>
> From: Happy User <user@???>
>
> To this:
>
> From: Happy User <user@???>
>
> Not happy to have to do something like this, but it will get the
> message
> past systems that are doing the DMARC check by making the sender
> address
> invalid and our SRS/SPF will still pass inbound spam checks with our
> own
> domain.
>
> We would also have to ensure there is a Reply-To: header so a user
> could
> reply to the original sender.
>
> Any comments on doing something like this? Is it stupid or perhaps
> there
> is a better way?
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
