
Issue DMARC issue with forward mail

I've tried it with DMARC on and off, SPF on and off, and DKIM on and off, and have settled on this:
... and.... is it working?

-----------------

@Giuseppe too had to turn off incoming DMARC checking or he had issues sending inter-domain messages on the same server. At this time I don't have enough information for understanding the reasons of this... will dig.

I am not sure if turning off incoming DMARC checking has any negative impact on forwarders from/to domains that have DMARC enabled. Only thing I can say is that with my configuration I don't have any problem, everything is working, and therefore I'm pushing you in the same direction.

If you have inter-domain issues with DMARC checking turned on, I'll concentrate on understanding why this is happening: is it a DKIM failure? Is it an SPF failure? There shouldn't be any other possible reason...

Someone (was it you GJ?) noticed that I have a very permissive policy (p=none) in my domains' DMARCs: this is probably a mistake that I should correct. I've now changed it to p=reject for a couple of domains and will make tests with them (have to wait for TTL of the old policy to expire... give me some time...)

There is anyway one thing I noticed in the headers of my inter-domain-same-host messages: there is no DMARC there! DKIM is checked, SPF is implicitly pass because the sender is authenticated (Received-SPF: pass (mail.example.com: connection is authenticated)), but there is no trace of DMARC, while I see it in mail sent from an external domain to my host and I see it in the external domain when sent from my host. I think DMARC is not checked/enforced within the same host, but this is something that must be verified.

I'll let you know more when my DMARC p=reject is in effect...
 
@G J Piper as your setup has an added possible factor (the mail is relayed), at this time I'll concentrate on solving @Giuseppe's issue, from which we could learn something and then proceed with your more complicated setup...

In the meanwhile, I think you (both of you!) should check your DKIM/SPF for all domains you're hosting (hoping that there aren't too many...)
 

SPF and DKIM are great on all my domains. DMARC is turned off on my server because it inhibits forwarding between accounts on my own server. (i.e.: Yahoo emails one acct on my server, then that account forwards to a friend on the same domain -- "friend" account uses DMARC and discovers that Yahoo hasn't listed the forwarding account as a valid SPF -- fail)
 
I'm not sure I've understood the "friend" thing, but this:
perfectly works with my "full-on" setup and with p=reject in my DMARC policy...

@G J Piper : I might be thick but I've yet to understand if with your current setup your mail from Yahoo gets through to Gmail...

On my server, with your example above nobody gets the forwarded email. If I turn off DMARC on my own server, then only [email protected] and [email protected] get the emails. I'm still thinking my issue has something to do with Sendgrid. Under no conditions that I can set does anyone at Gmail get a forwarded message through my server from Yahoo, Twitter, Etsy, or anyone else that has their DMARC setting of p=reject.

I have a troubleshooting ticket open with Sendgrid. They asked for more info yesterday and I haven't heard back yet (this is a long time for them to not respond back -- I may have stumped them lol)
 
Yeah.. I guess the Sendgrid thing is at least "suspect"

But the fact that you have to turn off DMARC for the locals to get mail is not right. We must understand if that "missing piece" of yours in /etc/postfix/master.cf can explain this and why you don't have it...

Pinging my pal @Mark Muyskens ... :) Do you have that piece of cr** in your Postfix config?? Do you know what's that for??
 
It would be nice to have a valid list of files & directories for Plesk that would allow us to compare file structures visually in a case such as this. It may be that the files I'm missing were still there from an older version, or are not there because of a version of software I'm running...
 
plesk-9.0/postfix-srs

From the name it could seem to be "old junk"... too bad that I never had Plesk 9.0 in my system! (12.0 -> 12.5 -> 17.5 -> 17.8)
 
@G J Piper have you checked if by any chance that missing piece appears out of nowhere when you turn-on DMARC?

I could test that myself (by turning-off DMARC), but you know how the saying goes: "if it ain't broken, don't fix it!" and I'm afraid to break things and have at least a handful of forwarders not working anymore on my system... :confused:
 

Nope it doesn't appear. Here is a list of the files in that directory for my server:

Screen Shot 2018-03-13 at 1.08.46 PM.png
 
Here is a log screenshot showing everything that happens when I have DMARC turned ON and I send an email from my AOL account to an email acct I host which forwards it to another email I host. (spoiler: fail, discarded)

Screen-Shot-2018-03-13-at-2.27.58-PM.jpg

By the way, after the free $300 trial they allot you, you can sign up for a 1-year or 3-year "commitment" where they chop the price more than half.


Hmmm... after looking through this log I posted, shouldn't the DKIM (and then resulting DMARC) check be reset after it arrives at the forwarding mailbox and then subsequently check the re-written "from" domain thereafter? It appears it is checking AOL both on the first arrival AND on the forwarding (second) arrival at the final destination. This would seem to nullify the rewriting wouldn't it, and make the DMARC actually work against the second domain's checks. Could this be a bug?

At no point do any of the SPF or DKIM checks fail, although it doesn't do those checks on the internal forwarding.

WTF! That's more than double what I pay for Plesk Web Pro (from Plesk) + 1CPU + 4GB + 40GB SSD from DO...
I'm actually getting a 4-core, 6G RAM, 120G SSD Storage engine for about $49/mo.
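
The forwarding cases discussed in this thread, as an added example (not code from any poster or from Plesk): a simplified DMARC evaluation showing that the check keys on the header From: domain, so rewriting the envelope sender (SRS) lets SPF pass for the forwarder without aligning it, and a forwarded message passes only while the original DKIM signature survives. The domains sender.example and hosted.example, the function names and the sample results are constructed assumptions.

```python
# Added example: simplified DMARC check (RFC 7489, relaxed alignment).
# All domains and authentication results below are constructed sample data.

def org_domain(domain):
    # Simplification: treat the last two labels as the organizational domain.
    # Real verifiers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_eval(header_from, spf, dkim_sigs, policy):
    """spf = (result, envelope_sender_domain); dkim_sigs = [(result, d_domain)].
    Returns (dmarc_result, disposition requested by the From: domain)."""
    def aligned(d):
        return org_domain(d) == org_domain(header_from)
    # An identifier counts only if it passes AND matches the From: domain.
    spf_ok = spf[0] == "pass" and aligned(spf[1])
    dkim_ok = any(res == "pass" and aligned(d) for res, d in dkim_sigs)
    return ("pass", "none") if (spf_ok or dkim_ok) else ("fail", policy)

# From: user@sender.example (publishes p=reject), forwarded by hosted.example.
SCENARIOS = {
    "direct delivery":
        (("pass", "sender.example"), [("pass", "sender.example")]),
    "forward, no SRS, DKIM intact":
        (("fail", "sender.example"), [("pass", "sender.example")]),
    "forward, SRS, DKIM intact":
        (("pass", "hosted.example"), [("pass", "sender.example")]),
    "forward, SRS, DKIM broken":
        (("pass", "hosted.example"), [("fail", "sender.example")]),
    "forward, SRS, forwarder re-signs only":
        (("pass", "hosted.example"),
         [("fail", "sender.example"), ("pass", "hosted.example")]),
}

def run_scenarios():
    return {name: dmarc_eval("sender.example", spf, sigs, "reject")
            for name, (spf, sigs) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:40} -> {outcome}")
```

When reading real headers, compare the d= value of each passing DKIM signature and the envelope sender domain against the From: domain in the same way before concluding which check caused a DMARC failure.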