Open defcon8 opened 2 years ago
The mismatch between Header-From and Envelope-From is unavoidable with a forwarding email server. To be honest, I don't think the HEADER_FROM_DIFFERENT_DOMAINS rule is particularly useful these days. Back in the days before DKIM and SPF, it might have been a useful heuristic to catch unauthorized spam, but today, people either have a correctly configured server such as yours (which preserves the original DKIM signature to authenticate Header-From and SPF-authorizes the mail server to send as Envelope-From), or their email will be bounced pretty much immediately. Therefore, I consider the mail-tester.com check buggy. Ironically, mail-tester.com explicitly acknowledges that your email passes the DMARC check and proves its provenance, so it is beyond my understanding why they think that the (mis-)match of the domain names should matter.
You might be able to work around the issue if you can add your email server to the SPF authorized senders for xxxxxmedia.com. In that case, you would not need to rewrite the xxxxxmedia.com sender addresses at all (and you could configure a PostSRSd exception with SRS_EXCLUDE_DOMAINS). Of course, that workaround might scale poorly if you need to forward emails for a large number of customer domains.
I seem to bump into a related problem when using multiple domains. DKIM/SPF/DMARC all pass, but I get a report from Postmark DMARC which says:
[sender.com] is authorized to send on behalf of [domain.com], however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.
I have a main domain (sender.com) which I send most emails from, but also some "addon" domains that I host (domain.com). When someone sends from the other domains, the return-path and from address are misaligned, e.g.
Return-Path: SRS0=/uJq=ZV=domain.com=user@sender.com
From: user@domain.com
Is there a way to adjust the return path for each of these addon domains?
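Added example, not part of the thread and not PostSRSd code: a small Python check of the SPF alignment test described in the report above, which also decodes an SRS0 return path to show whether the rewrite itself caused the mismatch. The function names are illustrative, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real DMARC
    # evaluator consults the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def decode_srs0(local_part):
    """Return (orig_local, orig_domain) for an SRS0 local part, else None."""
    if local_part[:4].upper() != "SRS0" or local_part[4:5] not in ("=", "+", "-"):
        return None
    fields = local_part[5:].split("=", 3)  # hash, timestamp, domain, local
    if len(fields) != 4:
        return None
    return fields[3], fields[2].lower()

def spf_alignment(return_path, header_from, strict=False):
    """Compare the SPF identity (Return-Path domain) with the From domain."""
    env_local, _, env_domain = parseaddr(return_path)[1].rpartition("@")
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]

    def same(a, b):
        if not a or not b:
            return False
        if strict:  # strict mode: exact domain match
            return a.lower() == b.lower()
        return org_domain(a) == org_domain(b)  # relaxed mode

    original = decode_srs0(env_local)
    aligned = same(env_domain, from_domain)
    return {
        "envelope_domain": env_domain.lower(),
        "from_domain": from_domain.lower(),
        "aligned": aligned,
        "srs_original": original,
        # True when the pre-rewrite sender domain would have aligned, i.e.
        # the SRS rewrite is what breaks SPF alignment for this message.
        "broken_by_srs": bool(original) and not aligned
                         and same(original[1], from_domain),
    }

if __name__ == "__main__":
    # Header values as quoted in the comment above.
    print(spf_alignment("SRS0=/uJq=ZV=domain.com=user@sender.com",
                        "user@domain.com"))
```

DMARC passes when either the SPF or the DKIM identity aligns, so a message flagged here can still pass DMARC on an aligned DKIM signature.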
@gingerlime if you are hosting the domains, you do not need to apply SRS at all; just add them to the SRS_EXCLUDE_DOMAINS.
@roehling thank you so much. I'm hosting them, but also forward the emails. I tried to exclude them, but for some reason it didn't seem to work. I saw an old bug about it and I think I updated to the latest version. I will try it again and see if I can figure out why the exclusion isn't working for me.
Would it be possible to adjust the return-path based on the extra domains though? I think this will be ideal if it's possible.
@gingerlime This is not possible to achieve with PostSRSd 1.x, but it may be feasible to do so with the PostSRSd 2.x milter implementation, once it has reached maturity past the upcoming 2.0 release.
Hi,
We have Postfix running as an outgoing mail relay. It implements OpenDKIM & PostSRSd. Everything works fine, except when we send a test mail to https://www.mail-tester.com, we get a score of 9.9/10 just because of the following reason:
-0.249 | HEADER_FROM_DIFFERENT_DOMAINS | From and EnvelopeFrom 2nd level mail domains are different
So if I understand this message correctly, the envelope-from and from fields in the e-mail header differ, which is logical because of OpenSRSd. So I guess there is no fix for this?
Kind regards,
Bastiaan
E-Mail source: