moderated #suggestion Please rewrite email coming from jdpw.com domain #suggestion


Alastair France
 

Hi - I have two problems relating to mail delivery from groups.io to this domain - one being that the DMARC policy applying to this domain expects messages to be signed with the domain key, and messages that are coming from users here which are showing as coming from (for example) afrance@... are instead signed by groups.io; the second being that messages coming in to the domain from users within the domain are not authenticating so get bounced (this is because the mail server expects internal users to authenticate before they are permitted to send mail to prevent open relay issues). These could both be fixed by groups.io rewriting messages originating from here. I did raise a ticket for this some time ago, but there was no response and it was suggested that I raise it here.

So - in the spirit of a proper suggestion - as well as "please change this for my domain" - how about providing some sort of mechanism for mail domain administrators to request this - a suitable mechanism for catching this would be to include an email to "postmaster@..." - as having this available and accessible is a basic requirement for managing a domain.

Alastair France


 

On Mon, Jun 7, 2021 at 6:31 AM Alastair France <afrance@...> wrote:
Hi - I have two problems relating to mail delivery from groups.io to this domain - one being that the DMARC policy applying to this domain expects messages to be signed with the domain key, and messages that are coming from users here which are showing as coming from (for example) afrance@... are instead signed by groups.io; the second being that messages coming in to the domain from users within the domain are not authenticating so get bounced (this is because the mail server expects internal users to authenticate before they are permitted to send mail to prevent open relay issues). These could both be fixed by groups.io rewriting messages originating from here. I did raise a ticket for this some time ago, but there was no response and it was suggested that I raise it here.

Emails are now being re-written from that domain. That domain has a p=none for DMARC. If it was p=reject or p=quarantine, we would have automatically handled it.

Cheers,
Mark 


Alastair France
 

Thank you Mark, and I can confirm that the change has worked.

It would be worth knowing (I did try looking for information) that this would have been automatic with a different DMARC setting, but there is an element of "cart before the horse" here. I introduced DMARC and wanted to see where there would be any problems if I did turn on a different disposition (which seems a thoroughly sensible thing to do). By FAR the worst "offender" in terms of reports coming back was groups.io (which is not necessarily surprising considering messages get "broadcast" somewhat). In fact during the recent couple of months with the exception of messages through groups.io the only messages that have been flagged are ones that I would have wanted blocked. I wanted to fix this before I introduced the more restrictive policy as I didn't want messages to be rejected by MTAs that take this into account. At least now I can clean some of the groups.io servers from my SPF too, which I had done to try to fix this!

I can now run as I am for a couple more weeks and check that my reports have dropped right off then introduce something rather more restrictive.



Cheers,

Alastair


 

On Thu, Jun 10, 2021 at 6:55 AM Alastair France via groups.io <afrance=jdpw.com@groups.io> wrote:
Thank you Mark, and I can confirm that the change has worked.

It would be worth knowing (I did try looking for information) that this would have been automatic with a different DMARC setting, but there is an element of "cart before the horse" here. I introduced DMARC and wanted to see where there would be any problems if I did turn on a different disposition (which seems a thoroughly sensible thing to do). By FAR the worst "offender" in terms of reports coming back was groups.io (which is not necessarily surprising considering messages get "broadcast" somewhat).

Some time back I had proposed a change to how Groups.io handles DMARC p=none. Currently (and then), we treat that the same as no DMARC record, and we do no re-writing of From lines. I proposed treating p=none the same as p=quarantine/restricted, in that it'd trigger the automatic From re-writing. I got a lot of pushback on that, so I didn't make the change. But I get one or two inquiries a week from people going through the same process you did. Treating p=none the same as the others would fix that.

Mark