Rewrite 'from' header to enable forwarding to overcome dmarc restrictions?

Furnish, Trever G TGFurnish at herffjones.com
Wed May 7 04:03:43 IST 2014


Hi, Mark.  It's not breaking dkim, it's violating the receiver's implementation of SPF, which appears to be looking not just at the envelope header, but also at message headers -- I wonder whether this means they have actually implemented SenderID rather than SPF.

The envelope sender was easily handled - however that's not enough, because the receivers are actually looking not just at the envelope but also at several of the message headers.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Tuesday, May 06, 2014 4:11 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Rewrite 'from' header to enable forwarding to overcome dmarc restrictions?

On 05/06/2014 12:27 PM, Furnish, Trever G wrote:
> My company has a subset of users for whom we are still doing "dumb forwards", and this practice is now resulting in undeliverable mail thanks to the recent change of dmarc policy published by AOL and Yahoo.  I thought I could work around this by passing the mail for these users through a mailscanner system (just as it was on the verge of finally being decommissioned) and turning all mail into attachments.  It looked promising, but it fails, because MailScanner still is using the original From and To message headers on the new message it creates even for attachments.


The real question here is why is your "dumb forward" breaking the original DKIM signature from Yahoo or AOL?

I am a Mailman developer, and we've been dealing with the fallout from this for weeks now. But the bottom line is that while I have had to invoke several mitigations in my production lists to operate in spite of DMARC p=reject policies, my forwarders (Postfix aliases) continue to work with no changes, even for mail from Yahoo.com forwarded to addresses in domains known to honor Yahoo's DMARC p=reject, even with the addition of X-...-MailScanner* headers:

My suggestion would be to work on whatever in the forwarding process is breaking the original DKIM sig. Certain things like MailScanner "disarming" will do it for sure, but for a message for which MailScanner doesn't modify the body or Subject:, you should be OK.


> Any suggestions? 


We have two basic ways of dealing with this in Mailman. Neither is ideal.

Method 1 we call Munge From. We take a message e.g.,

To: mailscanner at lists.mailscanner.info
From: Joe Blow <user at example.com>

and make it

From: Joe Blow via MailScanner discussion <mailscanner at lists.mailscanner.info>

and add

Reply-To: Joe Blow <user at example.com>

For Method 2 which we call Wrap Message, ewe basically create a new message with From: and Reply-To: as in Munge From and attach the original message to it.

I'm not sure how easy it would be to make MailScanner do this.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 


More information about the MailScanner mailing list