Rewrite 'from' header to enable forwarding to overcome dmarc restrictions?

Mark Sapiro mark at msapiro.net
Tue May 6 21:10:55 IST 2014 

On 05/06/2014 12:27 PM, Furnish, Trever G wrote:
> My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo.  I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments.  It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments.


The real question here is why is your "dumb forward" breaking the
original DKIM signature from Yahoo or AOL?

I am a Mailman developer, and we've been dealing with the fallout from
this for weeks now. But the bottom line is that while I have had to
invoke several mitigations in my production lists to operate in spite of
DMARC p=reject policies, my forwarders (Postfix aliases) continue to
work with no changes, even for mail from Yahoo.com forwarded to
addresses in domains known to honor Yahoo's DMARC p=reject, even with
the addition of X-...-MailScanner* headers:

My suggestion would be to work on whatever in the forwarding process is
breaking the original DKIM sig. Certain things like MailScanner
"disarming" will do it for sure, but for a message for which MailScanner
doesn't modify the body or Subject:, you should be OK.


> Any suggestions? 


We have two basic ways of dealing with this in Mailman. Neither is ideal.

Method 1 we call Munge From. We take a message e.g.,

To: mailscanner at lists.mailscanner.info
From: Joe Blow <user at example.com>

and make it

From: Joe Blow via MailScanner discussion
<mailscanner at lists.mailscanner.info>

and add

Reply-To: Joe Blow <user at example.com>

For Method 2 which we call Wrap Message, ewe basically create a new
message with From: and Reply-To: as in Munge From and attach the
original message to it.

I'm not sure how easy it would be to make MailScanner do this.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list