EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 3 Jan 2018, 01:08 AM   #1
Misha
Senior Member
 
Join Date: Nov 2004
Posts: 178
Forwarded email causing false spam positives from ME_DMARC_REJECT?

Hi! I wonder if anyone else is seeing this problem:

My primary email address is an address that is forwarded to my fastmail account. I know this is not ideal, but it's worked okay for me for a long time.

It seems that a lot of emails going to this address are being incorrectly marked as spam because they trigger ME_DMARC_REJECT. (Like - several a day)

I *think* this behavor only started recently (the past few days?) but I am not sure.

I've contacted fastmail support. But I thought I'd try here, too.

Has anyone else seen this problem? Any reason this might have started happening recently? Any advice on how to fix it?

Thanks!!
Misha is offline   Reply With Quote

Old 3 Jan 2018, 01:10 AM   #2
Misha
Senior Member
 
Join Date: Nov 2004
Posts: 178
(ps - i know it's not ideal to forward emails in this way. I'm not sure I have other options. I'd like to keep using this address, but it's not at a domain I own. Setting up a pop link, unless I'm mistaken, means I'll only get my email every few minutes, which doesn't really work for me...)
Misha is offline   Reply With Quote
Old 7 Jan 2018, 06:25 AM   #3
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Arrow DMARC, SPF, DKIM, and ARC

You are discovering the results of attempts to reduce spam by blocking messages which are not authentic.

DMARC is a method for the owners of domains to specify which email servers are allowed to send messages with From set to an address at their domain.
https://en.m.wikipedia.org/wiki/DMARC
The SpamAssassin rule ME_DMARC_REJECT is a custom rule added by Fastmail to classify as spam messages where the published DMARC policy for a domain is Reject and the message fails the DMARC test when received at the Fastmail servers. In many (but not all) cases, forwarding causes DMARC authentication to break. Mailing lists will cause DMARC authentication to break unless certain steps are taken by the mailing list software.
DMARC effects on forwarding & mailing lists
The number of domains which publish DMARC records increased greatly during 2017, so it's possible that the original From domains of the messages you are noticing might have starting using DMARC or they have recently changed to the reject policy.
https://dmarc.org/2017/12/number-of-...dmarc-triples/

To check this on a specific email you have received, look at the Raw Message for the From header. Find the domain of the From sender (after the @ but ignoring any subdomain) and see what this tool shows you:
https://dmarcian.com/dmarc-inspector/
The DMARC p tag specifies the policy to be applied if the DMARC test fails. The messages you describe should be from a domain which specifies the reject policy. DMARC will fail if both of these tests fail:
  • SPF (Sender Policy Framework): The sender domain specifies which server IP addresses are allowed for sending email from their domain.
  • DKIM (DomainKeys Identified Mail): The message is sent with an encrypted signature which guarantees that some parts of the message were not modified in transit.
  • DMARC also requires that there is an alignment between the From address and the SPF or DKIM mechanisms.
Forwarding messages causes SPF to fail due to DMARC alignment. DKIM signing will still pass as long as the portions of the message which are signed (checked by the encrypted signature) are not altered by the forwarder.

ARC (Authenticated Received Chain) is a new method of authentication which is not broken by forwarding. However, it requires email systems to use the new mechanism, and it is still being tested at this time. Fastmail currently adds ARC- headers to received messages.

Look at the Authentication-Results header. Fastmail adds this after analyzing these various authentication measures, allowing you to see the results of SPF, DKIM, DMARC, and other authentication checks. My guess is that the forwarding system is altering the message, causing DKIM to fail. Since forwarding also causes SPF to fail, DMARC will fail.

Bill
n5bb is online now   Reply With Quote
Old 7 Jan 2018, 08:59 PM   #4
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
*** Ignore this post. As lane pointed out, I was not thinking straight when I posted this ***
If (and this is what I suspect) your primary email address is from a domain you do not own, you may have no good way to resolve the problem. You will not be able to change the SPF/DKIM/DMARC settings for the domain. Given that, you can only try to make FastMail ignore the spam protections. Possibly, whitelisting specific senders might be a partial fix, but you are likely out of luck.

A possible amelioration for this situation is to have a real forward (rewriting all the headers) instead of the redirect type forward used in the past. As far as I know, there are very few services that currently support this. Also, this would obscure the original sender.

The real lesson is that you should not use email addresses from domains you do not own for important emails. The costs of having your own domain are negligible, and allow appropriate control when issues such as you describe occur.

Last edited by BritTim : 8 Jan 2018 at 08:37 AM.
BritTim is offline   Reply With Quote
Old 8 Jan 2018, 06:05 AM   #5
Deano
Junior Member
 
Join Date: Aug 2016
Posts: 4
I own my own domain, not hosted with Fastmail. Owning it with hosting by Fastmail would cancel out the reason for owning it in the first place. If I understood the acronymns like ME DMARC , I might be able to figure out what I should do about mail going to the wrong folder, but I might also be a Techie with alot bigger paycheck than the one I'm getting now.
Deano is offline   Reply With Quote
Old 8 Jan 2018, 08:03 AM   #6
lane
Cornerstone of the Community
 
Join Date: Dec 2005
Location: Kars, NB, Canada
Posts: 702
Quote:
Originally Posted by BritTim View Post
If (and this is what I suspect) your primary email address is from a domain you do not own, you may have no good way to resolve the problem. You will not be able to change the SPF/DKIM/DMARC settings for the domain.
BritTim, I don't think this addresses the OP's stated problem. I believe he has a chain like this:
...various senders =>
......his primary email address hosted elsewhere => (forwarded)
.........his Fastmail account

It is the original senders which are not validated at Fastmail, not his primary email's domain. This is because the servers at "elsewhere" are not, of course (at least mostly), valid servers for the various original senders, using SPF. And either the original senders using DMARC and giving trouble are not using DKIM (unlikely, but I've seen it happen), or much more likely, the forwarding server breaks DKIM by modifying the message or a critical header. Outlook.com as a forwarder definitely breaks DKIM; Office 365 will preserve it if your administrator sets things up for you, but also breaks it if you just tell it, as a user, to forward email. I don't know what other mail providers also break DKIM, I know gmail or G Suite does not (neither does Fastmail).

So there is nothing the OP could do on his domain setup even if he owned it (which is not the case except for Deano's post) to help things. Whether he can tinker with the forwarding account is doubtful.

However, Fastmail just adds 8 to the spam score if DMARC fails and the sender's domain specifies "p=quarantine", or 15 if DMARC fails and the sender's domain specifies "p=reject". These can be subtracted off if you don't like Fastmail's approach here - someone posted a few months ago a "how-to" to do that.
lane is offline   Reply With Quote
Old 8 Jan 2018, 08:11 AM   #7
lane
Cornerstone of the Community
 
Join Date: Dec 2005
Location: Kars, NB, Canada
Posts: 702
Here is the link for the "how-to" to ignore a DMARC failure: http://www.emaildiscussions.com/show...2&postcount=12.

Actually, the author doesn't subtract 8 or 15, he just adjusts the spam cutpoint appropriately when DMARC fails.
lane is offline   Reply With Quote
Old 8 Jan 2018, 08:34 AM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
DMARC fights phishing

Quote:
Originally Posted by BritTim View Post
...Possibly, whitelisting specific senders might be a partial fix, but you are likely out of luck...
Address book whitelisting won't work for this purpose. If the message fails authentication I believe you will always see this header:
Code:
X-Spam-known-sender: no
In other words, address book whitelisting doesn't affect the X-Spam-known=sender header (which causes the spam filter to be bypassed) when the message appears to be spoofed (not sent by the From domain). This protects you against senders spoofing the From address.

The reason for using DMARC and similar techniques is that some phishing emails appear to the recipient to be identical to true messages from the desired sender, but one or more links in the message go to a phishing server which also emulates the normal website. So by bypassing these tests you open yourself up to malware attacks.

Bill
n5bb is online now   Reply With Quote
Old 9 Jan 2018, 01:35 AM   #9
Misha
Senior Member
 
Join Date: Nov 2004
Posts: 178
Thanks for all this super-useful info! With some help from the folks at fastmail and the folks at the forwarding domain, we were able to sort this out!

This was all beyond my technical expertse, but my understanding is that the forwarding domain had set up something that broke dmarc for *some* domains (including lastpass, the example used below_. They wrote:

Quote:
We recently implemented something called postsrsd with postforward to solve an SPF problem with mail forwarding; however, with certain hosts this has seemingly broke DMARC validation... ). We used lastpass as a test and were able to recreate the issue. Reverting gregtest@XXX.net back to the old forwarding system fixed the DMARC validation, but now SPF fails (with lastpass) - despite SPF failing mail is still delivered and not completely rejected, which is a little better. I reverted your account to the old method now.
Misha is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 02:48 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy