Is DMARC the end of email forwarding?


I'm using a fair bit of email forwarding on a number of domains and the latest p=reject policy of AOL is causing me some problems and also a lot of confusion. My understanding of DMARC is that it's based on DKIM & SPF with a reporting layer. I understand that SPF is a problem with forwarding, but as long as the SPF is set to ~all soft fail then that isn't a show stopper. I also thought DKIM could pass through forwarding without problems as long as you don't mess with the headers much. However, I'm finding that certain emails from AOL being forwarded by MailGun are failing DMARC when they land at GMail. MailGun say it's due to a sender/from mismatch error. Can anyone elaborate on whether email forwarding is doomed as DMARC takes hold, or are MailGun just not forwarding properly?

4

There are 4 best solutions below

5
On BEST ANSWER

I think the problem you are coming across is not the forwarding, but the DKIM alignment. Yes, SPF will fail and DKIM should pass, but the DKIM alignment might not. DMARC requires alignment to be strict or relaxed, based on your policy. You can read up more on alignments here: Identifier Alignments

There are testing tools like sending an email to [email protected] that will show the alignment on the results, but it's a paid feature.

Since this is a problem, there is a new specification in the works called "ARC" the intent of this is to solve this very problem, you can read about that here: ARC Spec
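To make the alignment point concrete, here is an added example (not code from this answer, from Mailgun or from AOL) that evaluates the DMARC decision the way RFC 7489 describes it: the message passes if a verified DKIM signature's d= domain aligns with the From: domain, or if an SPF pass on the envelope sender aligns with it. The domain names and results are constructed to mirror the question's scenario (AOL mail forwarded by a Mailgun-style forwarder to Gmail); the forwarder's bounce domain is an assumption, and the organizational-domain lookup is a two-label approximation rather than the Public Suffix List. It also shows why an SPF softfail contributes nothing to DMARC: only an aligned pass counts.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), added example.

Scenario domains are constructed; bounce.mg.example.net stands in for a
forwarder's envelope-sender domain and is an assumption.
"""
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    A real verifier consults the Public Suffix List (so example.co.uk
    works); two labels are enough for the domains used here.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str          # domain of the RFC5322.From header (what DMARC protects)
    mail_from_domain: str     # envelope sender (SMTP MAIL FROM / Return-Path)
    spf_result: str           # "pass", "fail", "softfail", "none", ...
    dkim_passes: tuple = ()   # d= domains of DKIM signatures that verified


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r",
                   p: str = "reject") -> dict:
    """Return the DMARC result and the disposition the policy requests.

    adkim/aspf/p are the tags from the sender's _dmarc TXT record.
    """
    dkim_aligned = any(aligned(r.from_domain, d, adkim) for d in r.dkim_passes)
    spf_aligned = (r.spf_result == "pass"
                   and aligned(r.from_domain, r.mail_from_domain, aspf))
    passed = dkim_aligned or spf_aligned
    return {
        "dkim": dkim_aligned,
        "spf": spf_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else p,
    }


# Constructed scenarios.
# 1. Delivered directly from the sender: SPF and DKIM both align.
DIRECT = AuthResults("aol.com", "aol.com", "pass", ("aol.com",))
# 2. Forwarded, body untouched: SPF now belongs to the forwarder (unaligned),
#    but the sender's DKIM signature still verifies and aligns.
FORWARDED_INTACT = AuthResults("aol.com", "bounce.mg.example.net", "pass", ("aol.com",))
# 3. Forwarded with tracking links inserted: the sender's signature is broken,
#    only the forwarder's own signature verifies, and it does not align.
FORWARDED_MODIFIED = AuthResults("aol.com", "bounce.mg.example.net", "pass",
                                 ("mg.example.net",))
# 4. Sender publishes ~all: a softfail is not a pass, so SPF cannot rescue DMARC.
SOFTFAIL_ONLY = AuthResults("aol.com", "aol.com", "softfail", ())


if __name__ == "__main__":
    for name, r in [("direct", DIRECT), ("forwarded intact", FORWARDED_INTACT),
                    ("forwarded modified", FORWARDED_MODIFIED),
                    ("softfail only", SOFTFAIL_ONLY)]:
        print(f"{name:20s} {dmarc_evaluate(r)}")
```

Scenario 3 is the case in the question: the forwarder's own DKIM signature is perfectly valid, but DMARC only credits a signature whose d= aligns with aol.com, so the receiver applies p=reject.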

0
On

As mentioned above, the issue is that upon sending an email somedomain.com stamps the email with a DKIM (a unique hash of the email's content). When Mailgun forwards the message to Gmail, it inserts its open/click/unsubscribe modifications which then invalidates the DKIM hash.

Because somedomain.com DMARC says "reject anything that has had the DKIM invalidated" Gmail or other services reject the email.

The workaround I found was to use a native mailbox solution. WhoIs comes with one which is easy to set up, for example: https://manage.whois.com/kb/servlet/KBServlet/faq579.html

Afterwards I simply added the POP mailbox in Settings of Gmail. (As of Gmail December 24, 2017). I was able to re-enable Open and Click tracking and now everything works and I happily get my mails in Gmail still.

As a bonus, we use the email as a shared inbox so now everyone can see the sent emails in their inbox instead of just the forwarded responses.

[Edit] After doing this I realized I was now only getting my emails in the native mailbox solution but no longer in Mailgun where I also needed them.

To work around this, I added MX records to point to mxa.mailgun.org using a subdomain, so mg.exampledomain.com

Then I used a forwarding rule in WhoIs to send all emails that are delivered to [email protected] to also be delivered to [email protected]. Now I get the messages in Mailgun and am still able to see it in Gmail through the POP mailbox.

0
On

In my case it turns out this was simply caused by invalid DKIM signatures from reputable senders, despite the fact that the forwarders are NOT modifying the messages.

Without a forwarder in between, SPF might have passed and allowed the email to go through anyway, but given SPF won't pass here either (since you're not an authenticated sender), DMARC tells the receiver to hard-fail, and then your forwarder might receive an error, such as this one from Gmail:

5.7.1 Unauthenticated email from example.com is not accepted due to domain's DMARC policy.
Please contact the administrator of example.com domain if this was a legitimate mail.
Please visit https://support.google.com/mail/answer/2451690 to learn about the DMARC initiative.
- gsmtp

The key phrase here is unauthenticated email, meaning email that doesn't have a valid signature. Authenticated email, on the other hand, could have been allowed from your domain.

You can verify that the issue is an invalid DKIM signature as follows:

$ pip install dkimpy  # dkimpy supersedes pydkim; it installs the dkimverify command
$ dkimverify < message.eml
Traceback (most recent call last):
  File "/usr/sbin/dkimverify", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python/site-packages/dkim/dkimverify.py", line 41, in main
    res = d.verify()
  File "/usr/lib/python/site-packages/dkim/__init__.py", line 869, in verify
    return self.verify_sig(sig, include_headers, sigheaders[idx], dnsfunc)
  File "/usr/lib/python/site-packages/dkim/__init__.py", line 696, in verify_sig
    (base64.b64encode(bodyhash), sig[b'bh']))
dkim.ValidationError: body hash mismatch (got b'...', expected b'...')

Unfortunately, if this happens, you don't have great options at your own disposal:

  • Send a separate delivery failure message from your own domain, and include the original email as an attachment. If you do it properly, Gmail (and possibly other receivers) can actually display the attachment inline as a forwarded message.

  • Replace the "From" address with your own, then sign with your own DKIM key.
    Perhaps include the original email as an attachment so the receiver knows what it was.

  • If the receiver is yourself, then write a script to download the email and shove it directly into your inbox (say, either via IMAP, or directly with an API).

  • Tell the domain owner and hope that they fix it.
    (Though, if they haven't already, good luck convincing them the problem is on their side.)
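The "body hash mismatch" in the dkimverify traceback above means the bh= tag in the DKIM-Signature header no longer matches the message body the receiver sees. The added example below (not this answer's code and not dkimpy) recomputes bh= directly from the body canonicalization rules of RFC 6376 section 3.4, so you can tell whether a forwarder touched the body without needing the signer's DNS key. The message, the tracking footer and the DKIM-Signature header are constructed; the header's b= tag is left empty because only the body hash is checked here, and the example does not support the l= (body length) tag.

```python
"""Recompute a DKIM body hash (bh=) to locate body modifications, added example.

Implements RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed) body
canonicalization and compares the result with the bh= tag. Signature
verification of the headers (the b= tag) is out of scope.
"""
import base64
import hashlib
import re


def simple_body_canon(body: bytes) -> bytes:
    """simple: drop empty lines at the end of the body; an empty body becomes CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def relaxed_body_canon(body: bytes) -> bytes:
    """relaxed: strip trailing WSP per line, collapse WSP runs to one SP,
    drop trailing empty lines, end every line with CRLF (empty body -> empty)."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t"))
             for line in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes, canon: str = "simple", algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the value of the bh= tag."""
    canon_fn = relaxed_body_canon if canon == "relaxed" else simple_body_canon
    digest = hashlib.new(algo, canon_fn(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag-list into a dict, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_signature: str, body: bytes) -> bool:
    """True if the body still matches the bh= tag of the given signature header."""
    tags = parse_dkim_tags(dkim_signature)
    if "l" in tags:
        raise ValueError("l= body length limits are not handled by this example")
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/", 1)[1] if "/" in canon else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return tags["bh"] == body_hash(body, body_canon, algo)


def make_signature_header(body: bytes, canon: str = "relaxed") -> str:
    """Stand-in for the sender's signer: every tag except b=, which needs the key."""
    return ("v=1; a=rsa-sha256; c=relaxed/%s; d=sender.example; s=sel1; "
            "h=from:to:subject:date; bh=%s; b=" % (canon, body_hash(body, canon)))


# Constructed message as the sender signed it, and the footer a forwarder might add.
ORIGINAL_BODY = b"Hi,\r\n\r\nPlease see the attached report.\r\n\r\nThanks\r\n"
TRACKING_FOOTER = b"\r\n--\r\nUnsubscribe: https://email.example.net/u/abc123\r\n"
SIGNATURE = make_signature_header(ORIGINAL_BODY)


if __name__ == "__main__":
    print("untouched body:", check_body_hash(SIGNATURE, ORIGINAL_BODY))
    print("with footer:   ", check_body_hash(SIGNATURE, ORIGINAL_BODY + TRACKING_FOOTER))
```

Run it against a real message by pasting the DKIM-Signature header value into check_body_hash together with the raw body bytes (everything after the first blank line, CRLF line endings intact). If the body hash checks out but dkimverify still fails, the damage is in the signed headers rather than the body; if it fails, something between the signer and you rewrote the content, and relaxed canonicalization only forgives whitespace and trailing blank lines, not an inserted footer or rewritten link.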

4
On

I asked Mailgun support about this problem and was not given any helpful answers. However, the solution is actually in their documentation:

Note If you forward messages to another email address, then you should disable click tracking, open tracking and unsubscribes, by editing your domain settings in the Control Panel. If these features are enabled, the content of each message is modified by Mailgun before forwarding, which invalidates the DKIM signature. If the message comes from a domain publishing a DMARC policy (like Yahoo! Mail), the message will be rejected as spam by the forwarding destination.

https://documentation.mailgun.com/en/latest/user_manual.html#routes

So, I turned off all of those features on my main domain which I use to receive mail and that solved the DMARC bouncing. If you want to use any of those features, you will need to setup a sub-domain for outgoing mail.