DMARC fails on forwarded mails without DKIM

Tags: dmarc, mail-forwarding, postfix, spf

I am running a mail server (postfix) on a VPS that is set up to forward all mail sent to an address in my private domain to a GMail address. SPF, SRS, DKIM, and DMARC are set up for my mail server and work fine for most mail, i.e. forwarded mails equipped with SPF, DKIM, and DMARC are delivered into my GMail inbox and the GMail servers report them as passing SPF, DKIM, and DMARC.

There are, however, senders that send mails with only SPF and DMARC, but no DKIM, e.g. deutschepost.de. This particular sender also has a DMARC reject policy implemented which leads to problems: When my server forwards the mail, SRS rewrites its envelope sender, so that SPF still passes when the message arrives at GMail. The rewritten envelope sender, however, leads to failure of DMARC's SPF alignment check, resulting in the message being rejected by GMail.

As I understand from this explanation, this behavior is to be expected. But is there also a way to deal with it on my (i.e. the forwarder's) side?

TL;DR How to forward mails with SPF and DMARC but no DKIM without breaking DMARC?

EDIT: According to Jacob's comment, an option would be to rewrite the From header to my domain. Is it possible to do this with postfix only for mails that have SPF and DMARC, but no DKIM? Because those with DKIM would fail the alignment check after rewriting.

Best Answer

Without DKIM you can use the "Reply-To" header so replies go to the original sender.

There are two ways forwarding a message can happen. The normal way that users forward emails is by creating a new message which includes the text (and any attachments) of the old message. The normal way that servers forward email is by relaying the message - so adding in any headers and sending the message on to another server.

DMARC is specifically designed to stop messages that have been spoofed. If you configure your mail server to send a message that appears to be spoofed, then DMARC helps us to identify it. That's what it is for.

So what you really want to do is send a new message to your user that is originated from your domain (so your own SPF and DKIM policies apply) but has "Reply-To" set to the original sender.

I don't use Postfix but this sounds like a distribution list (albeit with a single member) to me.
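The following is an added worked example, not code from the question, the answer, or Postfix. It models the DMARC identifier-alignment rule (RFC 7489) to show the three situations discussed above: the sender's original message with SPF only, the same message after an SRS rewrite of the envelope sender (where SPF still passes but no longer aligns with the From header), a DKIM-signed message that survives forwarding because the signature's `d=` still aligns, and the answer's approach of re-originating the message from the forwarder's own domain with `Reply-To` pointing at the original sender. All domains (`sender.example`, `forwarder.example`, `gmail.example`) and addresses are constructed placeholders, `organizational_domain` is a simplified stand-in for a Public Suffix List lookup, and `needs_reorigination` only inspects the modelled DKIM result; a real forwarder would have to verify the signature first (e.g. with a DKIM milter), which this model does not do.

```python
"""DMARC alignment model for a forwarded message (constructed example)."""
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real implementations consult the Public Suffix List (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return header_from_domain.lower() == auth_domain.lower()
    return organizational_domain(header_from_domain) == organizational_domain(auth_domain)


@dataclass
class Message:
    header_from: str        # domain of the RFC5322.From header (what the user sees)
    mail_from: str          # domain of the RFC5321.MailFrom (envelope sender, what SPF checks)
    spf_result: str         # receiver's SPF verdict for mail_from: "pass", "fail" or "none"
    dkim_d: Optional[str]   # d= of a *validly verified* DKIM-Signature, or None if unsigned


def dmarc_evaluate(msg: Message, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one authenticated identifier aligns with From."""
    spf_aligned = msg.spf_result == "pass" and aligned(msg.header_from, msg.mail_from, aspf)
    dkim_aligned = msg.dkim_d is not None and aligned(msg.header_from, msg.dkim_d, adkim)
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned}


def srs_forward(msg: Message, forwarder_domain: str) -> Message:
    """What relaying with SRS does: the envelope sender is rewritten to the
    forwarder's domain (so SPF passes at the next hop), headers are untouched."""
    return Message(header_from=msg.header_from, mail_from=forwarder_domain,
                   spf_result="pass", dkim_d=msg.dkim_d)


def needs_reorigination(msg: Message) -> bool:
    """The question's EDIT: only messages without an aligned DKIM signature
    lose DMARC when forwarded, so only those need a new From header."""
    return not dmarc_evaluate(msg)["dkim_aligned"]


def reoriginate(original: EmailMessage, forwarder_from: str) -> EmailMessage:
    """The answer's approach: a new message from the forwarder's own domain,
    with Reply-To carrying the original sender so replies still reach them."""
    new = EmailMessage()
    new["From"] = forwarder_from
    new["Reply-To"] = original["From"]
    new["Subject"] = original["Subject"]
    new.set_content(original.get_content())
    return new


# Constructed sample messages (hypothetical domains).
ORIGINAL_SPF_ONLY = Message("sender.example", "sender.example", "pass", None)
ORIGINAL_SIGNED = Message("sender.example", "sender.example", "pass", "sender.example")
FORWARDER = "forwarder.example"


def scenarios() -> dict:
    """Run the three cases from the discussion and report DMARC verdicts."""
    reoriginated = Message(FORWARDER, FORWARDER, "pass", FORWARDER)
    return {
        "spf_only_direct": dmarc_evaluate(ORIGINAL_SPF_ONLY)["dmarc_pass"],
        "spf_only_after_srs": dmarc_evaluate(srs_forward(ORIGINAL_SPF_ONLY, FORWARDER))["dmarc_pass"],
        "signed_after_srs": dmarc_evaluate(srs_forward(ORIGINAL_SIGNED, FORWARDER))["dmarc_pass"],
        "reoriginated": dmarc_evaluate(reoriginated)["dmarc_pass"],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {'pass' if verdict else 'FAIL'}")
    orig = EmailMessage()
    orig["From"] = "noreply@sender.example"
    orig["Subject"] = "Your parcel"
    orig.set_content("Constructed body.")
    print(reoriginate(orig, "forward@forwarder.example")["Reply-To"])
```

Running the script shows the SPF-only message passing when delivered directly but failing once SRS has rewritten the envelope sender, while the DKIM-signed message keeps passing after the same rewrite; `needs_reorigination` returns `True` only for the former, which is the distinction the question's EDIT asks Postfix to make.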