• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Google to soon require ARC for forwarded messages

cmartinez127 said:
I found the following command in another post, but doesn't seem to work.
Code: 
plesk bin settings -s mail_arc_sign=true
Click to expand...
ARC signing is enabled by default. So this effectively does nothing out of the box.
Can be disabled via plesk bin settings -s mail_arc_sign=false plus repair mail.
 
Bobbbb said:
Just a guess... Looking at the "Verification details", could it be related to using "strict" alignment mode (adkim=s; aspf=s). Try changing your DMARC record to use "relaxed" alignment (adkim=r; aspf=r)) and see what changes,
Click to expand...
If I change to "relaxed" works, but the thing is we have another server with "strict" alignment mode and using Mailgun to forward too and it passes all tests. We don't know why, because email headers are not aligned (example.com not smtp.example.com) in the second server and works.
 
cmartinez127 said:
If I change to "relaxed" works, but the thing is we have another server with "strict" alignment mode and using Mailgun to forward too and it passes all tests. We don't know why, because email headers are not aligned (example.com not smtp.example.com) in the second server and works.
Click to expand...
Still guessing here... Only one of either SPF or DKIM need to pass and be aligned. The other can fail. So, perhaps one of them is aligning, even with "strict" mode selected, on that other server.
 
Bobbbb said:
Still guessing here... Only one of either SPF or DKIM need to pass and be aligned. The other can fail. So, perhaps one of them is aligning, even with "strict" mode selected, on that other server.
Click to expand...
That's the real question, how did the domain in the other server pass either DKIM or SPF with "strict" alignment. That's what I don't understand and would like to...
 
cmartinez127 said:
That's the real question, how did the domain in the other server pass either DKIM or SPF with "strict" alignment. That's what I don't understand and would like to...
Click to expand...
Examining the email headers from test messages sent from that server should reveal the answer. Mail-tester.com might, again, prove useful there.
 
Bobbbb said:
Examining the email headers from test messages sent from that server should reveal the answer. Mail-tester.com might, again, prove useful there.
Click to expand...
I will check this on Monday and I will share what I find out comparing both. The only difference is:
Server 1: Plesk is the email provider, Mailgun forwarding, DNS zone in Plesk, strict dmarc.
Server 2: Microsoft is the email provider, Mailgun forwarding, DNS zone in Plesk, strict dmarc.

We will see what is different...
 
It will be nice to answer the question. Regardless of the answer, I have only ever used "relaxed" mode. Here is a quote that I agree with from Valimail..

The DMARC standard enables a domain owner to allow relaxed alignment or to require strict alignment. Note that there is no discernible increase in protection by using Strict mode.
Click to expand...
 
All this makes me more and more convinced that those writing the RFCs have utterly messed up. I've read the DKIM & DMARC RFCs and it lists all sorts of scenarios which it should work in... but the bottom line is that it doesn't work with the MAJOR email hosts. I had a bounce forwarded to me last week which had gone from my originating server (non-Plesk; DMARC p=reject) to M365 which forwarded to Gmail... which rejected it!

So instead of fixing their broken security mechanisms they come up with more complication: ARC... a small sticky plaster on top of a gaping wound.

I don't quite get why SPF & SRS weren't enough. They were simple. They specified where a domain's email could come from and enabled forwarding to work.

Hey ho, we are where we are!
 
Bobbbb said:
Examining the email headers from test messages sent from that server should reveal the answer. Mail-tester.com might, again, prove useful there.
Click to expand...
Server 1: Plesk is the email provider, Mailgun forwarding, DNS zone in Plesk, strict dmarc:
As already shown:
1706521592902.png

Server 2: Microsoft is the email provider, Mailgun forwarding, DNS zone in Plesk, strict dmarc:
I didn't expect this, it says I do not have a DMARC record, but I have this in Plesk DNS zone. Even though this, test passed with a 10/10.
1706521981644.png
1706521802477.png
 
Bobbbb said:
No DMARC record would explain the difference. Might be a DNS issue. Verify your DMARC record exists in the global DNS, here...

DMARC Check Tool - Domain Message Authentication Reporting & Conformance Lookup - MxToolBox
Click to expand...
If I search "example.com", no DMARC found.
If I search smtp.example.com", exists and it's correct.
I verified DNS zone and indeed the DMARC was missing for example.com.
Anyways the problem is still in Server 1, which has a DMARC for both example.es and smtp.example.es
 
I think, in most cases, you should only have a DMARC for example.com (_dmarc.example.com) as it will, by default, apply to all subdomains. Unless you have a need for a more complicated set up, keep it as simple as possible.

I think the easy fix is to use "relaxed" DMARC mode so the FROM domain (example.com) and the DKIM/SPF domain (smtp.example.com) will "align" even though they are not identical. I don't believe you can use "strict" mode if the DKIM/SPF domain (smtp.example.com) is a subdomain of the FROM domain (example.com).
 
You must log in or register to reply here.

Similar threads

L
Issue Spam-/Mailproblems
Replies
1
Views
419
Peter Debik
P
J
Resolved [PPP-54865] Missing DKIM signature on error-notices is missing
Replies
2
Views
1K
Ehud
Ehud
Zalvatore Dela
Issue Outlook and Gmail block my clients emails! DKIM too long
Replies
8
Views
3K
Zalvatore Dela
Zalvatore Dela
M
Question Spam sent by my server
Replies
12
Views
5K
MarkM
MarkM
danami
Input Warden Antispam & Virus Protection Extension for Plesk
6 7 8
Replies
149
Views
30K
danami
danami
Back
Top