• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue DMARC issue with forward mail

I've tried it with DMARC on and off, SPF on and off, and DKIM on and off, and have settled on this:
... and.... is it working?

-----------------

@Giuseppe too had to turn off incoming DMARC checking or he had issues sending inter-domain messages on the same server. At this time I don't have enough information for understanding the reasons of this... will dig.

I am not sure if turning off incoming DMARC checking has any negative impact on forwarders from/to domains that have DMARC enabled. Only thing I can say is that with my configuration I don't have any problem, everything is working, and therefore I'm pushing you in the same direction.

If you have inter-domain issues with DMARC checking turned on, I'll concentrate on understanding why this is happening: is it a DKIM failure? Is it an SPF failure? There shouldn't be any other possible reason...

Someone (was it you GJ?) noticed that I have a very permissive policy (p=none) in my domains DMARCs: this is probably a mistake that I should correct. I've now changed it to p=reject for a couple of domains and will make tests with them (have to wait for TTL of the old policy to expire... give me some time...)

There is anyway one thing I noticed in the headers of my inter-domain-same-host messages: there is no DMARC there! DKIM is checked, SPF is implicitly pass because the sender is authenticated (Received-SPF: pass (mail.example.com: connection is authenticated)), but there is no trace of DMARC, while I see it in mail sent from an external domain to my host and I see it in the external domain when sent from my host. I think DMARC is not checked/enforced within the same host, but this is something that must be verified.

I'll let you know more when my DMARC p=reject will be in effect...
 
@G J Piper as your setup as an added possible factor (the mail is relayed), at this time I'll concentrate on solving @Giuseppe issue, from which we could learn something and then proceed with your more complicated setup...

In the meanwhile, I think you (both of you!) should check your DKIM/SPF for all domains you're hosting (hoping that there aren't too many...)
 
@G J Piper as your setup as an added possible factor (the mail is relayed), at this time I'll concentrate on solving @Giuseppe issue, from which we could learn something and then proceed with your more complicated setup...

In the meanwhile, I think you (both of you!) should check your DKIM/SPF for all domains you're hosting (hoping that there aren't too many...)

SPF and DKIM are great on all my domains. DMARC is turned off on my server because it inhibits forwarding between accounts on my own server. (IE: yahoo emails one acct on my server then that account forwards to a friend on the same domain -- "friend" account uses DMARC and discovers that Yahoo hasn't listed the forwarding account as a valid SPF -- fail)
 
Last edited:
I'm not sure I've understood the "friend" thing, but this:
perfectly works with my "full-on" setup and with p=reject in my DMARC policy...

@G J Piper : I might be thick but I've yet to understand if with your current setup your mail from Yahoo gets through to Gmail...

On my server, with your example above nobody gets the forwarded email. If I turn off DMARC on my own server, then only [email protected] and [email protected] get the emails. I'm still thinking my issue has something to do with Sendgrid. Under no conditions that I can set does anyone at Gmail get a forwarded message through my server from Yahoo, Twitter, Etsy, or anyone else that has their DMARK setting of p=reject.

I have a troubleshooting ticket open with Sendgrid. They asked for more info yesterday and I haven't heard back yet (this is a long time for them to not respond back -- I may have stumped them lol)
 
Yeah.. I guess the Sendgrid thing is at least "suspect"

But the fact that you have to turn off DMARC for the locals to get mail is not right. We must understand if that "missing piece" of yours in /etc/postfix/master.cf can explain this and why you don't have it...

Pinging my pal @Mark Muyskens ... :) Do you have that piece of cr** in your Postfix config?? Do you know what's that for??
 
We must understand if that "missing piece" of yours in /etc/postfix/master.cf can explain this and why you don't have it.
It would be nice to have a valid list of files & directories for Plesk that would allow us to compare file structures visually in a case such as this. It may be that the files I'm missing were still there from an older version, or are not there because of a version of software I'm running...
 
plesk-9.0/postfix-srs

From the name it could seem to be "old junk"... too bad that I never had Plesk 9.0 in my system! (12.0 -> 12.5 -> 17.5 -> 17.8)
 
@G J Piper have you checked if by any chance that missing piece appears out of nowhere when you turn-on DMARC?

I could test that myself (by turning-off DMARC), but you know how the saying goes: "if it ain't broken, don't fix it!" and I'm afraid to break things and have at least an handful of forwarders not working anymore on my system... :confused:
 
@G J Piper have you checked if by any chance that missing piece appears out of nowhere when you turn-on DMARC?

I could test that myself (by turning-off DMARC), but you know how the saying goes: "if it ain't broken, don't fix it!" and I'm afraid to break things and have at least an handful of forwarders not working anymore on my system... :confused:

Nope it doesn't appear. Here is a list of the files in that directory for my server:

Screen Shot 2018-03-13 at 1.08.46 PM.png
 
Here is a log screenshot showing everything that happens when I have DMARC turned ON and I send an email from my AOL account to a email acct I host which forwards it to another email I host. (spoiler: fail, discarded)

Screen-Shot-2018-03-13-at-2.27.58-PM.jpg

By the way, after the free $300 trial they allot you, you can sign up for a 1-year or 3-year "commitment" where they chop the price more than half.


Hmmm... after looking through this log I posted, shouldn't the DKIM (and then resulting DMARC) check be reset after it arrives at the forwarding mailbox and then subsequently check the re-written "from" domain thereafter? It appears it is checking AOL both on the first arrival AND on the forwarding (second) arrival at the final destination. This would seem to nullify the rewriting wouldn't it, and make the DMARC actually work against the second domain's checks. Could this be a bug?

At no point do any of the SPF or DKIM checks fail, although it doesn't do those checks on the internal forwarding.

WTF! That's more than the double of what I pay for Plesk Web Pro (from Plesk) + 1CPU + 4GB + 40GB SSD from DO...
I'm actually getting a 4-core, 6G RAM, 120G SSD Storage engine for about $49/mo.
 
Last edited:
Back
Top