Forwarding to Gmail doesn’t work for emails from Microsoft.com due to DMARC, but works for PayPal.com

Tags: dkim, dmarc, gmail, spf

I've noticed that I'm not getting certain emails in my Gmail and Yandex.Mail that are forwarded via UNIX systems (without SRS — not too sure if Sender Rewriting Scheme is still the best practice? Because with DMARC I think it'll also have to apply to the actual From: header within the email itself.) from DMARC-enabled senders.

I can't quite figure out what's going on — emails that always go through include PayPal.com, whereas Microsoft.com and some others get rejected (only getting delivered locally to systems that don't implement DMARC on the receiving side).

% echo _dmarc.{microsoft.com,paypal.com} | xargs -n1 dig -t txt | fgrep v=D
_dmarc.microsoft.com.   3302    IN      TXT     "v=DMARC1\; p=reject\; pct=100\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\; fo=1"
_dmarc.paypal.com.      3311    IN      TXT     "v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com"
%

When both domains have the same reject policy — and Google even specifically mentions that PayPal does have a definitive reject policy — I'm not exactly sure if there's something wrong in my own setup, or if it's the sending party that's to blame. Any ideas?

Is it just because of SPF's fail vs. softfail, or is there more to it?

% echo {microsoft.com,paypal.com} | xargs -n1 dig -t txt | fgrep v= | sed 's#[^[:space:]]*:[^[:space:]]*#:#g'
microsoft.com.          3332    IN      TXT     "v=spf1 : : : : : : : : : : -all"
paypal.com.             300     IN      TXT     "v=spf1 : : : : : : ~all"
%

Here's what Gmail reports for PayPal emails that do get delivered through forwarding:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@mail.paypal.com header.s=pp-epsilon1 header.b=K96c6GUZ;
       spf=fail (google.com: domain of bounce@mail.paypal.com does not designate 2001:470:7240:: as permitted sender) smtp.mailfrom=bounce@mail.paypal.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=paypal.com
Return-Path: <bounce@mail.paypal.com>

Best Answer

The DMARC policy is protecting the domain used in the From: header: to pass the DMARC check this must align either with DKIM or SPF. For SPF, this requires a matching envelope sender (i.e. Return-Path i.e. address used in SMTP MAIL FROM command) with a passed SPF test.

With DMARC, forwarding the mail (without the final server being aware of it) will cause problems either way:

  • If you don't change the envelope sender, you won't pass the SPF check, and
  • if you change it, it won't align with the From: address anymore.

The example message from PayPal manages to pass the DMARC test, because it has a valid DKIM signature that is also aligned with the From header. Because the error for the other domains was a standard DMARC rejection, we can assume the messages are either missing a valid DKIM signature or it's not aligned with the From header.

The only way around would be trusting that the forwarding server has already checked for SPF, DKIM & DMARC and blindly accepting every message coming from that server. That's how it's done in a standard primary/secondary MX configuration for the messages coming in through the secondary server – and how it should be done in any forwarding scenario accepted on both sides.

Unfortunately, based on Gmail Help Community's discussion on "Can I please turn off DMARC", Gmail doesn't allow adding exceptions for DMARC tests. Conclusion: do not forward to Gmail.
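To make the alignment rule from the answer concrete, here is an added Python example (not code from the question, the answer, or any DMARC implementation) that parses Authentication-Results clauses like the ones Gmail wrote for the PayPal message and applies the DMARC identifier-alignment logic from RFC 7489. The PayPal clauses are the ones quoted in the question; the two forwarded-message variants and the domains `sender.example` and `forwarder.example` are constructed. The organizational-domain function is a deliberate simplification (last two labels) where a real evaluator would consult the Public Suffix List.

```python
import re

# Clauses quoted in the question: a PayPal message forwarded to Gmail that
# fails SPF there but still passes DMARC thanks to an aligned DKIM signature.
PAYPAL_RESULTS = (
    "i=1; mx.google.com; "
    "dkim=pass header.i=@mail.paypal.com header.s=pp-epsilon1 header.b=K96c6GUZ; "
    "spf=fail (google.com: domain of bounce@mail.paypal.com does not designate "
    "2001:470:7240:: as permitted sender) smtp.mailfrom=bounce@mail.paypal.com"
)

# Constructed: forwarded message with no DKIM signature and an untouched
# envelope sender, so SPF fails at the final receiver (hypothetical domain).
FORWARDED_NO_DKIM = "i=1; mx.google.com; spf=fail smtp.mailfrom=noreply@sender.example"

# Constructed: the forwarder rewrote the envelope sender (SRS-style), so SPF
# passes for the forwarder's domain, which does not align with the From: domain.
FORWARDED_SRS_NO_DKIM = (
    "i=1; mx.google.com; "
    "spf=pass smtp.mailfrom=SRS0=abc=XY=sender.example=noreply@forwarder.example"
)


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; production code must use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, b = identifier_domain.lower().strip("."), from_domain.lower().strip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def parse_auth_results(header):
    """Extract dkim= and spf= clauses from an Authentication-Results value.
    Returns {"dkim": [(result, props), ...], "spf": [(result, props), ...]}."""
    text = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
    out = {"dkim": [], "spf": []}
    for clause in text.split(";"):
        toks = clause.split()
        if not toks:
            continue
        m = re.fullmatch(r"(dkim|spf)=([a-z]+)", toks[0])
        if not m:
            continue  # skips "i=1" and the authserv-id
        props = dict(t.split("=", 1) for t in toks[1:] if "=" in t)
        out[m.group(1)].append((m.group(2), props))
    return out


def evaluate_dmarc(from_domain, auth, policy="reject", adkim="r", aspf="r"):
    """Apply the DMARC rule: pass if any aligned DKIM pass OR aligned SPF pass exists.
    adkim/aspf mirror the DMARC record tags (relaxed by default)."""
    dkim_aligned = False
    for result, props in auth["dkim"]:
        # RFC 7489 aligns on the d= signing domain; Gmail's header shows header.i,
        # whose domain part is used here as a fallback.
        sig_domain = props.get("header.d") or props.get("header.i", "").rpartition("@")[2]
        if result == "pass" and sig_domain and aligned(sig_domain, from_domain, adkim):
            dkim_aligned = True
    spf_aligned = False
    for result, props in auth["spf"]:
        env_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
        if result == "pass" and env_domain and aligned(env_domain, from_domain, aspf):
            spf_aligned = True
    passed = dkim_aligned or spf_aligned
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
    }


if __name__ == "__main__":
    print("paypal, relaxed:", evaluate_dmarc("paypal.com", parse_auth_results(PAYPAL_RESULTS)))
    print("paypal, strict dkim:", evaluate_dmarc("paypal.com", parse_auth_results(PAYPAL_RESULTS), adkim="s"))
    print("forwarded, no dkim:", evaluate_dmarc("sender.example", parse_auth_results(FORWARDED_NO_DKIM)))
    print("forwarded via SRS:", evaluate_dmarc("sender.example", parse_auth_results(FORWARDED_SRS_NO_DKIM)))
```

Running it reproduces the answer's two bullets: leaving the envelope sender alone yields an SPF fail, and rewriting it yields an SPF pass for the wrong domain, so a forwarded message survives DMARC only when it carries an intact DKIM signature whose d= domain aligns with From:. The strict-alignment run also shows why `mail.paypal.com` signing for a `paypal.com` From: address depends on PayPal's record using relaxed DKIM alignment, the default when no `adkim` tag is present.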