Educause Security Discussion mailing list archives

Email Server DKIM Configuration


From: Aaron Kirby <akirbyco () GMAIL COM>
Date: Tue, 7 May 2013 08:24:56 -0400

I'm looking for some feedback/comments from this group.  My organization is
currently implementing Email Authentication (SPF/DKIM/DMARC) for our
outgoing email traffic.

We have been monitoring the traffic for a month or so and have noticed a
few interesting nuances related to forwarding.  The situation is a user has
defined their primary contact email address, however, when the message is
sent to that address they most likely have an auto-forward rule to their
"real" primary contact email address.  The nuance comes in when we start
looking at the effect of implementing a DMARC REJECT policy.  A portion of
the forwarded email appears to be fine, however, there is a portion that
gets blocked.  The vast majority of the blocked forwarded email seems to be
coming from .EDU systems.   See the FAQ below I pulled from DMARC.org.

Couple of questions for the group:
- Do .EDU servers modify the message in such a way that results in DKIM
failing?
- Do any schools out there have plans to help support the implementation of
DMARC?

I'm a DMARC newbie so please excuse any errors in my note.

Thanks in advance for comments!


My users often forward their emails to another mailbox, how do I keep DMARC
valid?

DMARC relies on SPF and DKIM. In the case of forwarding emails, SPF
is likely to fail, in a DMARC sense, at the receiver. You are resending
from your infrastructure and it is unlikely your sending IP is in the SPF
record of the domain contained in the from header of the email. However
there is no reason for DKIM to fail. For DKIM not to fail, you must ensure
that your mail server does not drastically modify the message. Typically,
the only modification that preserves DKIM is to add new email headers to
the messages without touching the subject or the body of the message.
Headers protected by DKIM should not be modified in any way, and the
message should not be converted from one encoding to another.
