[dmarc-discuss] How does *this* mailing list interact with dmarc?

Derek Diget derek.diget+dmarc-discuss at wmich.edu
Wed Jun 20 13:07:26 PDT 2012


On Jun 20, 2012 at 18:50 -0000, Franck Martin wrote:
=>It is notorious that people having a .edu email address use a lot of 
=>forwarding, and that systems break DKIM in the process...
=>
=>http://www.it.cornell.edu/services/cmail/howto/spoof.cfm


We don't allow forwarding[1] of email for our 40,000 users 
(faculty/staff/students).  We also don't offer POP.  We offer webmail 
over SSL, IMAP over an encrypted connection (no POP) and SUBMIT over an 
AUTH/encrypted connection.

If we did forwarding, our mail routing layer would do SRS.  It has been 
talked about for emeriti/alumni only.  Also, we would probably re-sign 
DKIM messages with our own signature.  I have not really looked into 
DKIM that much once I found out how many failures we see.  Insert long 
story about the MTA author and his history with MIME and fixing messages 
to comply with RFCs.  It was also when we would be evaluating the DKIM 
signature after the message was accepted and "fixed-up".  Now we 
would do the evaluation during the SMTP transaction, fix-up the message, 
and then sign.

We do see a decent number of SPF FAIL because of forwarding.  We are 
currently quarantining those messages, but as we move to a 
"non-quarantine" configuration, we will be rejecting them.  (We tell our 
users to stop using the forwarding address and have the messages sent 
directly to their Western account.)  Who are we to question if a 
forwarded paypal, stubhub, facebook, etc message is legitimate?  The 
domain owner says the message shouldn't be coming from the forwarded 
system.  We follow what the domain owner had published.  We don't want 
to be accessories in a forgery case.  Note our users don't get to 
white-list SPF FAIL as, again, the sending domain has not given them that 
authority.


Now that I have gone way off topic... follow-ups should probably be 
taken off list.



Note 1: Via a setting/preference in the mail routing layer or server-side 
filter.  Users can of course "forward" via their mail client button.


-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
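
The SPF FAIL on forwarded mail and the SRS rewrite mentioned in the message above, as an added example that is not part of the original post. The domains, IP addresses, secret and day number are constructed; the SPF check covers only the ip4 and all mechanisms, and the SRS0 layout (hash=timestamp=domain=local) is a simplified assumption based on the common SRS scheme, not any site's actual configuration.

```python
import base64, hashlib, hmac, ipaddress

# Constructed data: documentation-range IPs and example domains, not from the post.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record (ip4 and all mechanisms only)."""
    record = records.get(mail_from.rsplit("@", 1)[1].lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all" or (mech.startswith("ip4:")
                             and ip in ipaddress.ip_network(mech[4:], strict=False)):
            return QUALIFIERS[qual]
    return "neutral"

def _tag(tt, domain, local, secret):
    """Short keyed hash so third parties cannot mint valid SRS addresses."""
    mac = hmac.new(secret, f"{tt}{domain}{local}".lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:4]

def srs_forward(mail_from, forwarder_domain, secret, day):
    """Rewrite the envelope sender so SPF is checked against the forwarder."""
    local, domain = mail_from.rsplit("@", 1)
    b32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    tt = b32[(day >> 5) & 31] + b32[day & 31]  # day count mod 2**10
    return f"SRS0={_tag(tt, domain, local, secret)}={tt}={domain}={local}@{forwarder_domain}"

def srs_reverse(address, secret):
    """Recover the original sender for a bounce; reject a forged or altered hash."""
    local = address.rsplit("@", 1)[0]
    prefix, tag, tt, domain, user = local.split("=", 4)
    expected = _tag(tt, domain, user, secret)
    if prefix.upper() != "SRS0" or not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("invalid SRS address")
    return f"{user}@{domain}"
```

After the rewrite SPF passes for the forwarder's domain only, so the result no longer aligns with the original From: domain for DMARC purposes.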

