“Undelivered Mail Returned to Sender: DMARC check failed” from forwarded mails

dmarcemailprocmail

I'm using Procmail to forward mails to another server.
I'm often getting an error message from the recipient server:

host smtp-in.orange.fr[80.12.26.32] said: 501 5.2.0
    y8XgrepnBNXb2 Mail rejete. Mail rejected. DMARC check failed. OFR_515 [515]
    (in reply to end of DATA command)

This is the relevant snippet from my Procmail config:

:0 c
* (^TO_|X-Original-To:.*)[email protected]
* <46000000
{
    :0 hfw
    * ^Subject:\/.+
    | formail -I "Subject: FORWARDED:$MATCH"
    :0 a
    ! [email protected]
}

Sender's DMARC record is:

dmarc is: v=DMARC1; p=reject; sp=reject; rua=mailto:[email protected];

Here are the DMARC details (editor's note: apparently for my own domain):

_dmarc.myserver.com

v=DMARC1; p=none; sp=none; fo=1; ri=86400; rua=mailto:[email protected],mailto:[email protected]; ruf=mailto:[email protected],mailto:[email protected]

Best Answer

The DMARC failure depends on features in the headers which we cannot see.

DMARC depends on a policy set by the original sender. In this particular instance, I'm guessing they don't want their messages to be forwarded, either because of an oversight in their policy configuration, or because they genuinely want to disallow it (realistically because they regard this as an acceptable price to pay for prohibiting certain types of forgeries).

A simple but perhaps unacceptable way to avoid those is to embed the forwarded message inside a new message; or perhaps try not modifying the message you are forwarding. If the DMARC failure occurs because of an underlying SPF failure, perhaps the simplest fix is to update the From: header, too (but this rests on multiple guesses about what happened and what you would like to happen instead).

:0 c
* (^TO_|X-Original-To:.*)root@myserver\.com
* <46000000
* ^From:\/.+
{
    FROM=$MATCH
    :0 hfw
    * ^Subject:\/.+
    | formail -I "Subject: FORWARDED:$MATCH" \
            -I "X-Original-From:$FROM" \
            -I "From: You <[email protected]>"
    :0 a
    ! [email protected]
}

This should bypass the DMARC failure because you are no longer making it appear as if you are attempting to send a message "from:" the original domain without their approval.

In some more detail, the DMARC record you quote only specifies how DMARC failures should be handled; but the overall symptomps suggest that the recipient domain does not permit external senders to use their domain name in the From: header, by way of an SPF record which specifies this policy in more detail. Unfortunately, there is no mechanism in SPF to say "except if you are forwarding a message which is really originally from us"; indeed, its lack of support of forwarding is one of the common criticisms against SPF. But for many purposes, you can easily work around it by replacing the From: header with one you have control over (and then perhaps putting the original From: header in X-Original-From:, like this recipe does.)

Replacing headers will also often wreck any DKIM signature, which is another mechanism which DMARC integrates. If you care about DKIM integrity, your forwarding server will presumably replace the original DKIM wrapper with one of your own, which then again will work around the preferences expressed in the original sender's DMARC and DKIM policies.

Without a copy of the SPF and DKIM records and the actual headers of the message, this is necessarily a high-level overview; but the solution I propose should work around the problem you are asking about.

Related Solutions

Store and forward mail but change FROM header in forwarded mail

I managed to solve it by using this recipe, and I also added a line that changes the From: address for the system where we forward it to

# store mail in default folder and continue after that
:0c
${DEFAULT}

# change header
:0fhw
| formail -i "From: fakefromaddress@forothersystem.com"

# forward mail
:0
! addressto@forward.to

DMARC fails on forwarded mails without DKIM

Without DKIM you can use the "Reply-To" header so replies go to the original sender.

There are two ways forwarding a message can happen. The normal way that users forward emails is by creating a new message which includes the text (and any attachments) of the old message. The normal way that servers forward email is by relaying the message - so adding in any headers and sending the message on to another server.

DMARC is specifically designed top stop messages that have been spoofed. If you configure your mail server to send a message that appears to be spoofed, then DMARC helps us to identify it. That's what it is for.

So what you really want to do is send a new message to your user that is originated from your domain (so your own SPF and DKIM policies apply) but has "Reply-To" set to the original sender.

I don't use Postfix but this sounds like a distribution list (albeit with a single member) to me.

Best Answer

Related Solutions

Store and forward mail but change FROM header in forwarded mail

DMARC fails on forwarded mails without DKIM

Related Topic