[dmarc-discuss] How does *this* mailing list interact with dmarc?

Franck Martin fmartin at linkedin.com
Wed Jun 20 15:02:00 PDT 2012

My understanding of the issue, is that the "forward" settings in exchange will break DKIM.

I don't know if this bug exists on all version of exchange and under which "forward" functionality of exchange this happens (Out of office, server side rules, user side rules, AD alias,...). I would really like to know, so I can make a new FAQ entry.

>From the blog post and talking with some admins, incoming uses a standard MTA (sendmail,postfix,...) to receive the email and then route it to the correct faculty/alumni exchange server. There the forwarding happens.

To be noted, if the DMARC reject message would contain the DMARC word and the user mailbox, then it would be easy to detect the final recipient, therefore a possibility to fix the issue.

Do we want that? Is this something privacy folks will not like?...

>From the help at paypal (for instance) they do recommend to use the final recipient as the email to enter in their system.
From: Dave Crocker [dhc at dcrocker.net]
Sent: Wednesday, June 20, 2012 2:17 PM
To: Franck Martin
Cc: Derek Diget; dmarc-discuss at dmarc.org
Subject: Re: [dmarc-discuss] How does *this* mailing list interact      with    dmarc?

On 6/20/2012 11:50 AM, Franck Martin wrote:
> It is notorious that people having a .edu email address use a lot forwarding, and that systems break DKIM in the process...

typical 'forwarding' through university-based addresses is of the
'alias' variety:


This does not change any of the data that is 'signed' by DKIM.  Hence a
DKIM signature should survive the forwarding.

DKIM signature breaks when a covered header field or body are modified
and otherwise survives.

  Dave Crocker
  Brandenburg InternetWorking

More information about the dmarc-discuss mailing list