Mail forwarding in a DMARC world

Auto-forwarding mail today is kind of a pain in the butt. If a domain has a p=reject DMARC policy, mail from somebody at that domain likely gets blocked if you try to forward it on to, say, a Gmail account. Even if a domain doesn't have a p=reject DMARC policy, your "forwarding hop" fails SPF authentication. And your forwarding IP address is likely to get deferred or blocked at some point. No fun at all.

Eventually the Authentication Received Chain specification will gel into a real implementation of something that preserves authentication results when forwarding, and that's supposed to help. But it doesn't exist today and you want to be able to forward mail as painlessly as possible. What should you do? Well, you could try doing what I do.

Here's a version of the script that I use to forward mail for my friend Dean. I use Maildir on Postfix, so when mail to dean@his-domain comes into my system, it is stored in Dean's Maildir folder, one file per message. (This is much easier for processing via script that an mbox mailbox.) Then my script checks that folder every few minutes. If a message is waiting, my script picks it up and processes it. It strips out the original sender info and DKIM signature (if found), though it leaves that information in hidden X-headers so you can troubleshoot it as needed. It adds new sender information making the mail now from an address I specify (thus I can control any authentication issues) and it moves the original from address to the reply-to header, so my friend can still reply to the message and have the reply go to the original sender.

It's not perfect; its biggest limitation is that it effectively blows away the original reply-to header, and if my friend reports messages as spam, it still probably negatively impacts my own sending reputation. I attempt to mitigate that by putting my own spam filtering in front of the forwarding, trying not to send on messages my filters believe to be very spammy.

But, it works, and it works pretty well. I've used some version of this type of forwarding for quite a while now, even before p=reject DMARC policies started to descend upon us.
Post a Comment