FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
28 Apr 2016, 06:03 PM | #1 |
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
|
FM DMARC Test Results for Gmail Alias
Background and Setup:
Google Apps email is used with my own domain set, eg as "gardenweed.com". SPF, DKIM, DMARC are all set up for this domain. Tests show they work correctly. DMARC policy is set as quarantine. In addition, the email address "joe@gardenweed.com.au" is set up in the Google Apps email account as a verified alias.

FM account is used. DNS for my domain is hosted at FM, eg gardenweed.com.au. SPF, DKIM, DMARC are all set up for this domain. Tests show they work correctly. DMARC policy is set as quarantine.

Action:
An email is written in Google Apps using the account gardenweed.com. The email "from" is selected to be the alias "joe@gardenweed.com.au". The email is sent to addresses at FM, Hotmail, Yahoo, Gmail. Yahoo, Gmail and Hotmail act on the DMARC policy. If DMARC authentication fails, the email should go to spam. FM carries out the DMARC authentication test, but takes no action at this stage.

Results:
In the above case I get the following results:
• Yahoo passes DMARC and delivers email to inbox.
• Hotmail passes DMARC and delivers email to inbox. The From headers are not aligned but Hotmail says the requirement is relaxed.
• Gmail fails DMARC because the From headers are not aligned and Gmail filters the email to spam (gardenweed.com <> gardenweed.com.au)
• FM fails DMARC. It goes to inbox - this is understood. FM does not currently act on DMARC policy.

Questions:
My questions are:
1) Why do Yahoo and Hotmail appear to accept the alias and pass DMARC authentication, whereas Gmail and FM say that the DMARC authentication has failed?
2) Does it make any sense that a verified alias in Gmail should pass a DMARC test? |
2 May 2016, 10:35 PM | #2 |
Member
Join Date: Feb 2016
Posts: 47
|
Either the SPF or DKIM Alignment must pass. Even if the SPF is unaligned, your DKIM should be aligned and that would cause DMARC to pass.
Take a look at: Identifier Alignments
Last edited by unlocktheinbox : 4 May 2016 at 12:49 AM. |
2 May 2016, 10:55 PM | #3 | |
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
|
Quote:
|
|
4 May 2016, 05:48 AM | #4 |
Member
Join Date: Dec 2013
Posts: 54
|
Today I have incoming mail from a mailing list failing DMARC and tripping "ME_DMARC_QUARANTINE" which gives it a spam-score of 8 (is that rule new?)
It's failing because the list is breaking the dkim signature for these particular messages because they're being sent as html (gah, some people!) and the list is converting them to plain text before relaying them (I know this because they have an X-Converted-To-Plain-Text header). SPF passes but that's for the list's Return-Path and smtp.helo domain, not the domain in the From header, which means it doesn't count (I think? DMARC is hard).

What can/should I do about this? Just keep marking them as Not Spam until my bayes learn and subtract enough from the score?

(semi-hijacking this thread because there's already a few DMARC threads and I don't want to start another!) |
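The DMARC decision discussed in posts #1, #2 and #4, worked through as an added example (not part of any poster's message and not FastMail's code). The suffix set, the example.org and lists.example.net domains, and the authenticated domains in each case are constructed assumptions.

```python
# Added example: DMARC pass/fail decision (RFC 7489, sections 3.1 and 4.2).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "com.au"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to last two labels

def aligned(from_domain, auth_domain, strict=False):
    """Strict needs an exact match; relaxed compares organizational domains."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain).
    DMARC passes when at least one mechanism both passes and is aligned."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf == "s")
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim == "s")
                  for res, d in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"

def constructed_cases():
    alias = "gardenweed.com.au"  # From-header domain used in post #1
    primary = ("pass", "gardenweed.com")  # assumed: auth is for the primary domain
    return {
        # Alias in From, SPF and DKIM both authenticate the primary domain.
        "alias_unaligned": dmarc_result(alias, primary, [primary]),
        # Same message with an added signature whose d= matches the alias.
        "alias_dkim_aligned": dmarc_result(alias, primary, [primary, ("pass", alias)]),
        # List rewrote the body: DKIM fails, SPF passes only for the list.
        "list_relay": dmarc_result(
            "example.org", ("pass", "lists.example.net"), [("fail", "example.org")]),
        # Subdomain signer: aligned in relaxed mode, not in strict mode.
        "sub_relaxed": dmarc_result(alias, ("fail", alias), [("pass", "mail." + alias)]),
        "sub_strict": dmarc_result(
            alias, ("fail", alias), [("pass", "mail." + alias)], adkim="s"),
    }

if __name__ == "__main__":
    for name, verdict in constructed_cases().items():
        print(f"{name}: {verdict}")
```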
4 May 2016, 06:34 AM | #5 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
FastMail seems to have enabled several DMARC related features within the past few days. I just sent a message to Fastmail staff about an issue I have with disabling whitelisting and treatment of DMARC when a policy is not published. I think there are still some bugs, and I will point the Fastmail staff to your post so they can comment.
It seems to me that mailing lists (as currently popularly implemented) can cause both SPF and DKIM to fail, which means that sending messages from a domain which has a DMARC policy through such a mailing list server will cause the forwarded messages to be blocked when received at an email system which follows DMARC policy. Email lists might become obsolete unless they can be improved. SPF probably will continue to fail, but you would think that DKIM could be made to work properly if forwarding didn't rewrite the message body.
Bill |
4 May 2016, 08:01 AM | #6 | |
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
|
Quote:
I just rec'd an email that had these headers:
    X-Spam-Score: 0.0
    X-Spam-known-sender: no, "Email failed DMARC policy for domain"
It was to a subscribed list. The From address is Whitelisted (ie in my Address Book). The X-Spam-known-sender says "no", which appears to be incorrect. It ended up in my Inbox correctly, even though DMARC failed. |
|
4 May 2016, 09:15 AM | #7 |
Cornerstone of the Community
Join Date: Jul 2004
Location: Manila
Posts: 509
|
Yep, I have whitelisted contacts failing DMARC and receiving a spam score. Here is the raw message: "Email failed DMARC policy for domain". This is a work domain which has given us no problem up to now.
|
4 May 2016, 06:26 PM | #8 |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
DMARC failure will cause whitelisting to be ignored. This is on purpose, since the spammer may be spoofing a From address. There were two recent problems in the past week or so which Fastmail staff discovered after being informed of some spam filing problems:
Bill |
4 May 2016, 08:14 PM | #9 | |
Member
Join Date: Dec 2013
Posts: 54
|
Quote:
Although, some lists add footers to the bottom of every message (this particular list doesn't), I don't know how they will get around that. |
|
6 May 2016, 12:56 AM | #10 |
Member
Join Date: Dec 2013
Posts: 54
|
Something else I'm seeing is that fastmail seems to default to p=reject if the domain in From: doesn't exist. This happens when people posting to mailing lists have their From address as something like user@REMOVETHISexample.com or user@example.net.REMOVE.au
|
6 May 2016, 01:01 AM | #11 | |
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
|
Quote:
Bill |
|
24 May 2016, 01:46 AM | #12 |
Member
Join Date: Dec 2013
Posts: 54
|
Ignoring DMARC failure
I've given up on DMARC. It's completely useless as too many domains have incorrect policies, even ones who should know better**. After three weeks the false positive rate for messages that have failed DMARC is close to 100%. Granted, this isn't really fastmail's fault as they are only doing what they're told to by the domains' DMARC policies.
So I've modified my sieve rules to ignore DMARC failures. The best way I could think to do this was, in the first sieve rules box (above the auto-generated spam rules), put:
Code:
    # Opens a block around the auto-generated spam rules that follow this box;
    # they run only when neither DMARC rule has hit.
    if not header :contains ["X-Spam-hits"] ["ME_DMARC_REJECT", "ME_DMARC_QUARANTINE"] {
In the second box, after the spam rules, I put:
Code:
    } else {
        # DMARC quarantine hit: file into Junk only at a spam score of 13 or more
        if header :contains ["X-Spam-hits"] ["ME_DMARC_QUARANTINE"] {
            if header :value "ge" :comparator "i;ascii-numeric" "X-Spam-score" "13" {
                fileinto "\\Junk";
                stop;
            }
        }
        # DMARC reject hit: file into Junk only at a spam score of 20 or more
        if header :contains ["X-Spam-hits"] ["ME_DMARC_REJECT"] {
            if header :value "ge" :comparator "i;ascii-numeric" "X-Spam-score" "20" {
                fileinto "\\Junk";
                stop;
            }
        }
    }
**Case in point: Google was one of the co-conspirators who forced this upon the world, and yet the google.com domain has a p=reject policy, even though their employees use their @google.com address to post to mailing lists that break DKIM. John Levine of the IETF, and a contributor to RFC 7489, says "Reject policy is fine [...] for companies with firm staff policies that [...] employees don't join mailing lists and the like using company addresses". If they can't get this right, who will? |
26 Oct 2018, 05:12 PM | #13 |
Master of the @
Join Date: Nov 2006
Location: Ghent, Belgium
Posts: 1,027
|
Reviving this old post.
Could it be that fastmail has changed the text in the headers? I disabled DMARC handling with the same sieve rules like in the post above. However, since some time lots of mails get misfiled in my Junk mail folder because of DMARC policy failures. Looking at the raw messages, it looks like "ME_DMARC_QUARANTINE" in X-Spam-Hits has been relabeled to "ME_QUARANTINE" (probably same for _REJECT). Can anybody confirm? |