Educause Security Discussion mailing list archives
Email Server DKIM Configuration
From: Aaron Kirby <akirbyco () GMAIL COM>
Date: Tue, 7 May 2013 08:24:56 -0400
I'm looking for some feedback/comments from this group. My organization is currently implementing Email Authentication (SPF/DKIM/DMARC) for our outgoing email traffic. We have been monitoring the traffic for a month or so and have noticed a few interesting nuances related to forwarding.

The situation is that a user has defined their primary contact email address; however, when the message is sent to that address, they most likely have an auto-forward rule to their "real" primary contact email address. The nuance comes in when we start looking at the effect of implementing a DMARC REJECT policy. A portion of the forwarded email appears to be fine; however, there is a portion that gets blocked. The vast majority of the blocked forwarded email seems to be coming from .EDU systems. See the FAQ below I pulled from DMARC.org.

A couple of questions for the group:

- Do .EDU servers modify the message in such a way that results in DKIM failing?
- Do any schools out there have plans to help support the implementation of DMARC?

I'm a DMARC newbie so please excuse any errors in my note. Thanks in advance for comments!

My users often forward their emails to another mailbox, how do I keep DMARC valid?

DMARC relies on SPF and DKIM. In the case of forwarding emails, SPF is likely to fail, in a DMARC sense, at the receiver. You are resending from your infrastructure and it is unlikely your sending IP is in the SPF record of the domain contained in the from header of the email. However there is no reason for DKIM to fail. For DKIM not to fail, you must ensure that your mail server does not drastically modify the message. Typically, the only modification that preserves DKIM is to add new email headers to the messages without touching the subject or the body of the message. Headers protected by DKIM should not be modified in any way, and the message should not be converted from one encoding to another.
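The FAQ's point about which forwarder changes keep DKIM intact can be checked against the body hash (the `bh=` tag) that RFC 6376 defines. The following is an added example, not part of the original post or of DMARC.org's FAQ; the sample messages and the `example.*` names are constructed, it assumes the signature carries no `l=` body-length tag, and it compares body hashes only (no header hash or signature verification).

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    # Assumption: bare LF is treated as CRLF, since on-the-wire mail uses CRLF.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Drop whitespace at end of line, collapse SP/HTAB runs to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value a verifier compares with the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def _body(raw: bytes) -> bytes:
    return raw.partition(b"\r\n\r\n")[2]  # everything after the header block

def body_survives(signed: bytes, forwarded: bytes, mode: str = "relaxed") -> bool:
    """True if the forwarded copy still matches the signer's body hash."""
    return body_hash(_body(signed), mode) == body_hash(_body(forwarded), mode)

# Constructed sample messages (example.* names are placeholders).
HEAD = b"From: registrar@example.com\r\nSubject: Grades posted\r\n\r\n"
SIGNED = HEAD + b"Your grades are posted.\r\nLog in to view them.\r\n"
CASES = {
    # Forwarder only prepends a trace header: body untouched.
    "header_added": b"Received: from fwd.example.net\r\n" + SIGNED,
    # Forwarder pads a line and adds a blank line at the end.
    "whitespace_changed": SIGNED.replace(b"posted.\r\n", b"posted.  \r\n") + b"\r\n",
    # Forwarder appends a footer or disclaimer to the body.
    "footer_appended": SIGNED + b"--\r\nForwarded by fwd.example.net\r\n",
    # Forwarder converts the body to another encoding (here: base64).
    "reencoded": HEAD + base64.encodebytes(_body(SIGNED)).replace(b"\n", b"\r\n"),
}

def forwarding_report(mode: str = "relaxed") -> dict:
    return {name: body_survives(SIGNED, msg, mode) for name, msg in CASES.items()}

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, forwarding_report(mode))
```

A forwarded copy that fails this comparison fails DKIM at the receiver no matter how the headers were handled, which is the case where a DMARC reject policy blocks the forward, since SPF has already failed.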