View Single Post
Old 7 Jan 2018, 06:25 AM   #3
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Arrow DMARC, SPF, DKIM, and ARC

You are discovering the results of attempts to reduce spam by blocking messages which are not authentic.

DMARC is a method for the owners of domains to specify which email servers are allowed to send messages with From set to an address at their domain.
https://en.m.wikipedia.org/wiki/DMARC
The SpamAssassin rule ME_DMARC_REJECT is a custom rule added by Fastmail to classify as spam messages where the published DMARC policy for a domain is Reject and the message fails the DMARC test when received at the Fastmail servers. In many (but not all) cases, forwarding causes DMARC authentication to break. Mailing lists will cause DMARC authentication to break unless certain steps are taken by the mailing list software.
DMARC effects on forwarding & mailing lists
The number of domains which publish DMARC records increased greatly during 2017, so it's possible that the original From domains of the messages you are noticing might have starting using DMARC or they have recently changed to the reject policy.
https://dmarc.org/2017/12/number-of-...dmarc-triples/

To check this on a specific email you have received, look at the Raw Message for the From header. Find the domain of the From sender (after the @ but ignoring any subdomain) and see what this tool shows you:
https://dmarcian.com/dmarc-inspector/
The DMARC p tag specifies the policy to be applied if the DMARC test fails. The messages you describe should be from a domain which specifies the reject policy. DMARC will fail if both of these tests fail:
  • SPF (Sender Policy Framework): The sender domain specifies which server IP addresses are allowed for sending email from their domain.
  • DKIM (DomainKeys Identified Mail): The message is sent with an encrypted signature which guarantees that some parts of the message were not modified in transit.
  • DMARC also requires that there is an alignment between the From address and the SPF or DKIM mechanisms.
Forwarding messages causes SPF to fail due to DMARC alignment. DKIM signing will still pass as long as the portions of the message which are signed (checked by the encrypted signature) are not altered by the forwarder.

ARC (Authenticated Received Chain) is a new method of authentication which is not broken by forwarding. However, it requires email systems to use the new mechanism, and it is still being tested at this time. Fastmail currently adds ARC- headers to received messages.

Look at the Authentication-Results header. Fastmail adds this after analyzing these various authentication measures, allowing you to see the results of SPF, DKIM, DMARC, and other authentication checks. My guess is that the forwarding system is altering the message, causing DKIM to fail. Since forwarding also causes SPF to fail, DMARC will fail.

Bill
n5bb is offline   Reply With Quote