srszone.org and DKIM/DMARC

Rick Steeves

New Member
I use ZoneEdit to forward email for my domain to my gmail account. From looking through the forum, srszone.org is part of the rewrite process for zoneedit? Am I correct that it's causing DMARC/DKIM failures? This is from a message sent from fmr.com:

Authentication-Results: mx.google.com;
dkim=fail header.i=@fmr.com header.s=2015-02-19-fmr-com header.b=V1P0jAmh;
dkim=fail header.i=@fmr.com header.s=selector1 header.b=lUfqpp8W;
arc=fail (signature failed);
spf=pass (google.com: domain of srs0=pprt=fi=fmr.com=amanda.xxxx@srszone.org designates 64.68.198.24 as permitted sender) smtp.mailfrom="SRS0=PpRT=FI=fmr.com=Amanda.xxxx@srszone.org";
dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=fmr.com
 

sandy

Administrator
Staff member
Hi Rick. We are looking into this. What is the domain name of concern?

regards.
 

sandy

Administrator
Staff member
Hi Rick. Rewritten messages would be the cause of this failure message. fmr.com probably has very strict policies which prevent rewriting.

regards.
 

Rick Steeves

New Member
Meaning for this domain I can't use forwarders because the zoneedit.com forwarders fail? Does that mean that long-term this functionality on zoneedit.com will become a problem as other sites enable similar restrictions?

Why exactly is zoneedit rewriting the _source_ sender? That seems like a problem...
 

sproskin

Administrator
Staff member
Hello.

It looks like fmr.com may have DKIM policies which restrict messages from being rewritten. Generally, mail forwarding and DKIM tend to be incompatible when rewriting messages is involved.
 

sandy

Administrator
Staff member
That's what SRS does. It rewrites the sender's email address so it can pass SPF... it is how you forward email without breaking SPF.

regards.
 

Rick Steeves

New Member
So, and forgive me for being dense, why doesn't it rewrite the other pieces (or at least update things enough so that DKIM/DMARC are checked against SRS, not the original domain)? The domain is changed to srszone.org, so why are DKIM/DMARC not checked against srszone.org?

Because if I understand you correctly, the solution for forwarding is fixed for SPF, by breaking DKIM/DMARC.
 

sandy

Administrator
Staff member
Hi Rick,

Normally SPF is checked against the envelope header called Return-Path, which indicates the sender, and this is the header which gets rewritten by SRS. This allows the reader of the email to see the sender as normal, since that is based on the From message header. DMARC, on the other hand, insists on evaluating its separate SPF calculation based on the From message header; since that's what people are looking at, that's what they want to verify. Rewriting the envelope Return-Path is how the SRS protocol was designed, and there is nothing in the email software which allows rewriting the message headers. As such, depending on the configuration options selected for the DMARC policy, a given sender's emails become impossible to forward.
 

Rick Steeves

New Member
Thank you for your reply.

SPF is checked against the header: Return-Path which gets rewritten by SRS so that when SPF is checked, the sender matches. Got it.

DMARC does a separate SPF calculation based on the header: From (not Return-Path, right?). But the actual From header isn't being rewritten (because it's still what the recipient sees). So DMARC fails because the sender checked against the "From" address fails SPF because the sender is now SRS?
 

sandy

Administrator
Staff member
It fails because it is from our forwarding server, which is not in the SPF record for the sender. The reason for the rewrite is that our forwarder is in the SPF record for easySRS.org or srszone...., so with the rewrite SPF is checked against our domain, which passes SPF. DMARC, looking at the From header, which is not rewritten, results in our forwarders not being in the SPF of the sender, and as such DMARC fails.
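
Added example, not part of the thread and not ZoneEdit's code: it parses the Authentication-Results header from the first post, decodes the SRS0 envelope address, and applies DMARC's identifier-alignment rule (RFC 7489: pass needs an SPF pass or a DKIM pass whose domain aligns with the From domain). The function names are hypothetical, and the two-label organizational-domain shortcut is an assumption standing in for the Public Suffix List.

```python
import re

# Authentication-Results value copied from the first post in this thread.
AUTH_RESULTS = (
    'mx.google.com; '
    'dkim=fail header.i=@fmr.com header.s=2015-02-19-fmr-com header.b=V1P0jAmh; '
    'dkim=fail header.i=@fmr.com header.s=selector1 header.b=lUfqpp8W; '
    'arc=fail (signature failed); '
    'spf=pass (google.com: domain of srs0=pprt=fi=fmr.com=amanda.xxxx@srszone.org '
    'designates 64.68.198.24 as permitted sender) '
    'smtp.mailfrom="SRS0=PpRT=FI=fmr.com=Amanda.xxxx@srszone.org"; '
    'dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=fmr.com'
)

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain;
    # a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def decode_srs0(mailfrom):
    # SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarder>
    m = re.match(r"(?i)SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$", mailfrom)
    return {"original": f"{m[4]}@{m[3]}", "forwarder": m[5]} if m else None

def evaluate(auth_results):
    """Recompute the DMARC verdict from the per-method results in the header."""
    body = re.sub(r"\([^)]*\)", "", auth_results)      # drop (comments)
    header_from, mailfrom, spf_result, dkim = "", "", "none", []
    for part in body.split(";")[1:]:                    # [0] is the authserv-id
        method, _, rest = part.strip().partition("=")
        if not rest.split():
            continue
        result = rest.split()[0]
        props = dict(re.findall(r'([\w.]+)="?([^\s"]+)', rest))
        if method == "dkim":
            dkim.append((result, props.get("header.i", "").rpartition("@")[2]))
        elif method == "spf":
            spf_result, mailfrom = result, props.get("smtp.mailfrom", "")
        elif method == "dmarc":
            header_from = props.get("header.from", "")
    aligned = lambda d: bool(d) and org_domain(d) == org_domain(header_from)
    spf_domain = mailfrom.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain)
    dkim_ok = any(r == "pass" and aligned(d) for r, d in dkim)
    return {"header_from": header_from, "spf_domain": spf_domain,
            "srs": decode_srs0(mailfrom), "spf_aligned_pass": spf_ok,
            "dkim_aligned_pass": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(evaluate(AUTH_RESULTS))
```

On the header from the first post, SPF passes for srszone.org, which does not align with fmr.com, and both DKIM results are fail, so neither path yields a DMARC pass.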
 