DMARC failure and catch-all forwarding failure

I'm having problems with inbound emails getting bounced as Undeliverable due to DMARC rejection.

For about 15 years I've had my email come through Fasthosts / Livemail to my own domain with catch-all forwarding set to forward everything to my GMail account. Just recently Fasthosts have upgraded their servers and I've started getting DMARC rejections from GMail which start:

Diagnostic information for administrators:
Generating server: exchange2019.livemail.co.uk
Total retry attempts: 1
(my email)
t1-hex-xprelay.gem.livemail.co.uk
Remote Server returned '550 5.7.26 Message rejected by DMARC policy by gmail.com. Please use your own email address as the sender, instead of (sender's email address). [MSG0009]'

Which bounce from Fasthosts / Livemail back to my GMail address.

I've done a little digging and it appears to only affect senders from originating domains with DMARC set to reject.

So either GMail has coincidentally become much more strict (possible) or Fasthosts are somehow failing to forward emails fully transparently.

I have spoken to Fasthosts and was not impressed so I hope the experts here can offer a solution.
 
Since I use my domain email address rather than my gmail address for everything, this is critically important.
 
Google were one of the first of the big providers to 'honor' DMARC policies and require senders to have one set; if the sender doesn't have a DMARC policy set up then emails will get rejected. As you've got a strange setup of using a custom domain to then forward to gmail (odd way of doing it when you have a custom domain set up), you'll likely need to set a DMARC policy up on your custom domain if you haven't added one yet.
 
Edit, record below.

Log into your DNS
Add a TXT record.
Name: _dmarc
Content: v=DMARC1;p=quarantine;pct=100;rua=mailto:youremail@yourdomainname;ri=86400;fo=1;

Changing youremail@yourdomainname with your email.
 
> Google were one of the first of the big providers to 'honor' DMARC policies and require senders to have one set; if the sender doesn't have a DMARC policy set up then emails will get rejected. As you've got a strange setup of using a custom domain to then forward to gmail (odd way of doing it when you have a custom domain set up), you'll likely need to set a DMARC policy up on your custom domain if you haven't added one yet.

I have DMARC set up:

v=DMARC1; p=none;

As per the article linked below.

> Just add a DMARC, DKIM AND SPF record to your DNS record on your domain. Shouldn’t take more than 15 mins.

And SPF:

v=spf1 mx a include:_spf.livemail.co.uk ~all

As per the article linked below.

How will DKIM help? That just identifies me; what's happening is that Fasthosts is saying that the forwarded emails are from me when they're not.

I've checked that DKIM is set up per this Fasthosts article. All four servers are there. There's no separate DKIM entry.

> as you've got a strange setup of using a custom domain to then forward to gmail

Not really. It's like a PO Box. It's worked for the past 30 years, providing me with a consistent email address across a variety of ISPs.
 
Bear in mind that if your DMARC is set to none, as opposed to quarantine or reject, some email providers will deem none to mean a policy is present but not active, i.e. monitoring only, which can affect deliverability. What is your domain name?
 
> Not really. It's like a PO Box. It's worked for the past 30 years, providing me with a consistent email address across a variety of ISPs.

It might have worked for the last 30 years, but it was only since last year that Google, Microsoft and others have started 'locking down' email finally, where emails need to pass SPF/DKIM and DMARC to be delivered. Forwarded emails are usually the first to fail these checks; this caught out plenty of companies who didn't have the correct records set up for their sending services.

Put your domain in here and see if / what you fail on

 
> Put your domain in here and see if / what you fail on

That's very cool but I pass in all regards. Privatised results below:


neo.learndmarc.com
>> Running SPF
------------------
I've found an SPF policy at mydomain.co.uk using the identity RFC5321.MailFrom.
The IP address 212.227.122.219 is allowed to send on behalf of [email protected]. It matched on element: include:_spf.livemail.co.uk. The Auth Result is pass.

212.227.122.219
---------------
Here are the message headers and message body:

DKIM-Signature: d=mydomain.co.uk s=livemail1 a=rsa-sha256 (2048-bit)
DKIM-Signature: d=mydomain.co.uk s=livemail3 a=ed25519-sha256
From: Quartz ([email protected])
To: [email protected]

-- message body removed --
In the message headers, multiple DKIM signatures are present. For this demonstration, we will focus on the most relevant signature to illustrate the validation process. The details of the other signatures can be reviewed on the scorecard, which will be provided at the end of this demonstration.

The "d=" (domain, officially called "Signing Domain Identifier" or SDID) and "s=" (selector) values are used to retrieve the DKIM public key from selector._domainkey.domain to validate the email's authenticity and integrity.

The Header From: address (officially called RFC5322.From) is used by DMARC to validate alignment. For DMARC to pass, DKIM or SPF checks need to pass and the domains must be in alignment.

neo.learndmarc.com
>> Running DKIM
------------------
I see you've included a DKIM signature. I've retrieved the public key from livemail1._domainkey.mydomain.co.uk
The signature passed validation. The Auth Result is pass.

neo.learndmarc.com
>> Running DMARC
------------------
I've found the following DMARC policy at _dmarc.mydomain.co.uk: "v=DMARC1; p=none;".
Found policy: none.

The DMARC record does not specify the 'aspf' and 'adkim' elements, causing them to default to 'r' (relaxed).
This means that any subdomains are ignored by the alignment check. In relaxed mode, foo.example.com aligns with bar.example.com. In strict mode, the alignment will fail.

neo.learndmarc.com
>> Running Identifier Alignment verification
--------------------------------------------
SPF domain mydomain.co.uk aligns with the RFC5322.From domain mydomain.co.uk. Alignment is pass.
DKIM domain mydomain.co.uk aligns with the RFC5322.From domain mydomain.co.uk. Alignment is pass.

neo.learndmarc.com
>> Finalizing DMARC
-------------------
SPF auth result is pass and SPF domain is in alignment. DMARC SPF result is pass.
DKIM auth result is pass and DKIM domain is in alignment. DMARC DKIM result is pass.

Because both the SPF and DKIM test passed and their domains are in alignment, the DMARC result is pass.

neo.learndmarc.com
------------------
CONNECTION CLOSED. Thanks for using our service!
This free service is brought to you by URIports.com - DMARC Monitoring Reinvented.
Visit us at www.uriports.com/dmarc
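
The alignment rules from the tool output above, applied to a forwarded message rather than to mail sent from the forwarding domain. This is an added example, not part of the thread or of any poster's setup: a simplified DMARC evaluator in which `sender.example`, the policy strings and the SPF/DKIM results are constructed, and a two-entry suffix set stands in for the Public Suffix List.

```python
# Added example: simplified DMARC check (RFC 7489 logic), not a full validator.
# Assumption: this tiny set stands in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk"}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none;' into {'v': 'DMARC1', 'p': 'none'}."""
    tags = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in tags}

def org_domain(domain):
    """Organizational domain: the registered name under its public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict: exact match required
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def dmarc_verdict(msg, record):
    """Return 'pass', or 'fail:<p>' where <p> is the From: domain's policy."""
    pol = parse_dmarc(record)
    frm = msg["header_from"]
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], frm, pol.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, frm, pol.get("adkim", "r"))
                  for d, res in msg["dkim"])
    return "pass" if spf_ok or dkim_ok else "fail:" + pol.get("p", "none")

REJECT = "v=DMARC1; p=reject;"  # constructed policy published by sender.example
# Constructed auth results, as the final receiver would compute them.
direct = {"header_from": "sender.example", "mail_from": "bounce.sender.example",
          "spf": "pass", "dkim": [("sender.example", "pass")]}
# Forwarder relays unchanged: its IP is not in the sender's SPF, DKIM survives.
fwd_intact = dict(direct, spf="fail")
# Forwarder relays, but the sender's signature no longer verifies.
fwd_broken = dict(direct, spf="fail", dkim=[("sender.example", "fail")])
# Forwarder rewrites the envelope sender to its own domain: SPF passes, unaligned.
fwd_rewritten = dict(fwd_broken, mail_from="mydomain.co.uk", spf="pass")

if __name__ == "__main__":
    for name in ("direct", "fwd_intact", "fwd_broken", "fwd_rewritten"):
        print(name, dmarc_verdict(globals()[name], REJECT))
    print("fwd_broken, sender p=none:", dmarc_verdict(fwd_broken, "v=DMARC1; p=none;"))
```

The verdict depends on the policy of the domain in the original sender's From: header, so the forwarding domain's own `p=none` record does not enter the calculation for forwarded mail.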
 
> It might have worked for the last 30 years, but it was only since last year that Google, Microsoft and others have started 'locking down' email finally, where emails need to pass SPF/DKIM and DMARC to be delivered. Forwarded emails are usually the first to fail these checks; this caught out plenty of companies who didn't have the correct records set up for their sending services.

It worked right up until Fasthosts switched me over to their new mail system and stopped passing through transparently.
 
If you send an email from your custom domain to your gmail without forwarding does that get delivered ok?
 
There's something very weird going on: I changed the catch-all forwarding to forward to one email address on that domain and it's still forwarding to my GMail account.
 