Closed mindrunner closed 4 years ago
lukas wrote on 2020-01-05 02:17:
I am trying to add this to docker-mailserver [1] which uses postfix.
See #123 [2] for the previous discussion.
I have a first attempt. See here: tomav/docker-mailserver#1346 (comment) [3]
However, it seems like OpenArc is not doing anything and/or never being triggered. Any ideas what I am missing?
run dmarc after arc, so dmarc can validate arc, for this to work use opendmarc from github, i tried to build openarc from github but it segfaults, very helpful :(
non_smtp_milters does not make sense to call openarc milter when its origin sender and dkim signed
long story short, openarc is made only for mailing lists that break dkim
run dmarc after arc, so dmarc can validate arc, for this to work use opendmarc from github
You mean like this:
milter_protocol = 6
milter_default_action = accept
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
arc_milter = inet:localhost:8894
smtpd_milters = $dkim_milter,$arc_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter
i tried to build openarc from github but it segfaults, very helpful :(
Works for me on arch linux as well as in a Debian 9 docker image
long story short, openarc is made only for mailing lists that break dkim
What do you mean by that? I am forwarding emails from my mailserver to gmail, so I need ARC to re-sign the chain and make Gmail not reject mails from senders with strict DMARC policies. See: https://github.com/tomav/docker-mailserver/issues/1346
Alright. It seems like it is working. Checking on a message forwarded to google, I can see this:
ARC-Seal: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578189874; cv=none; b=[.......]
ARC-Message-Signature: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578189874; c=relaxed/simple; bh=[...]; h=Received-SPF:MIME-Version:Message-ID:Date:From:To:Subject:
Content-Type:Content-Transfer-Encoding; b=[.......]
ARC-Authentication-Results: i=1; mx0.domain.com; arc=none
lukas wrote on 2020-01-05 02:50:
smtpd_milters = $dkim_milter,$arc_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter
yes
i tried to build openarc from github but it segfaults, very helpful :(
Works for me on arch linux as well as in a Debian 9 docker image
then it's not raw source from github, so i must find real tarballs
please link to the debian sources if it works
long story short, openarc is made only for mailing lists that break dkim
What do you mean by that?
if none broke dkim then openarc is completely unneeded
I am forwarding emails from my mailserver to gmail,
forwarding does not break dkim, but mailing lists do
so I need ARC to re-sign the chain and make Gmail
so you see gmail reject dkim signed mails, if you don't arc seal it?
not reject mails from senders with strict DMARC policies.
strict is irrelevant if dkim is not broken
then it's not raw source from github, so i must find real tarballs
please link to the debian sources if it works
I do not understand. I am building from master branch. I don't know what you mean by debian sources.
forwarding does not break dkim, but mailing lists do
There are a lot of people experiencing something different (including me). Just follow the links I posted.
And when you check the headers as seen on gmail, do you see the ARC chain continued with i=2 and the AAR listing cv=pass for your i=1 set?
--Kurt
Hi Kurt
Nope... I do not see any i=2
:( Also, I see arc=fail (DNS record missing)
So I suppose, it is not working.
But it seems like it is doing something. I mean, I can clearly see the difference between using OpenArc and not using it.
Is that a configuration issue or a bug?
The arc=fail with a missing DNS record pretty well explains the problem. Did you publish the public key for your ARC signing?
Nope, I don't think so. To be honest I have only little idea what I am doing here... Where can/should I publish it? And which documentation did I not read? :)
You need to publish the public key for ARC just like you do for DKIM - and in the similar path with the selector that you are using for the sealing
Like this?
v=ARC1; h=sha256; k=rsa; p=[....]
And what is the domain record? Does that have to do with the selector?
For DKIM I have:
mail._domainkey.domain.com
And where are the docs? Sorry, I am really lost.
In the header example you cited above, the selector is 201808 (s=). You
would publish the ARC sealing key at 201808._domainkey.
--Kurt
Does that mean if I use the same selector for ARC and DKIM as well as the same keys, I can use only one TXT record for both? Or do I need to replace v=DKIM1 with v=ARC1?
You should be able to use just one record. You can check to see what Google publishes as a reference (I'm working on dinner so I don't have a real keyboard right now).
I read in another thread, that I can only use one key for one server. Since I have multiple domains running, I am using the keys of the primary domain. Reusing the record will not work then. (DKIM uses one key each domain)
I checked Google's record:
arc-20160816._domainkey.google.com. 8 IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Lztpxs7yUxQEsbDFhjMc9kZVZu5P/COYEUIX4B39IL4SXAbv4viIlT9E6F6iZmTh1go7+9WQLywwgwjXMJx/Dz0RgMoPeyp5NRy4l320DPYibNqVMWa5" "iQ2WiImQC0en1O9uhLLvzaSZJ03fvGmCo9jMo0GwKzLNe14xMgn/px2L5N/3IKlKX4bqUAJTUt8L993ZlWzvgMnSFSt8B+euSKSrtAiopdy4r1yO4eN5goBASrGW0eLQc1lYouNvCrcTQpos4/GEAqiGzpqueJLmBfOO4clNvVvpPkvQs2BHw9I9LmIjaMxTNGxkGBRaP3utDiKXXqu1K+LRzl0HCNSdQIDAQAB"
And set mine accordingly:
201808._domainkey.lukius.de. 86400 IN TXT "k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoY59f+sniYUd720BOSiCPcdYIij4/gH+QJSyQ2b3WjynjDy5+TriljHfDI9Fo3bngJFbzWDXyX" "wq142WWrFybs8XBZNcOZf+wADqYcqCE76jluhyt/R4QItsNmb62Y0cy+AdHNnxVe8jfS5sFngYaO78PQsBpj8dGs2L1g0ys2e7D0PMcrYEvh8RAa530wPMS0r+aKLbT" "quC8qWcUtZvoRrWl4BOSlJZPIDRqAQXT9PtBFMYL6mwM/KoqUC9RCQD79SLqsvO31L06OuGUwNZBqYtGak2xhapbWuyU2bLmdofDJQa47Y9O5bwwTU5utpk6Ss23llN" "lPrQNICj9pfoWwIDAQAB"
Now I am getting an arc=fail (dns record malformed). Something must still be missing.
Bon appetit! :)
Alright. I think I got it now. @kurta what do you think? This is a forwarded message to gmail. Does this look like OpenARC properly signed the chain and everything is good?
Does i=2 mean that the chain is 2 steps long?
0 = sender
1 = my email server
2 = gmail
ARC-Seal: i=2; a=rsa-sha256; t=1578238460; cv=pass;
d=google.com; s=arc-20160816;
b=Ect8OKiv/DclvqS8CdYEA0dzeqe0IrxsxDGhy+aIqxtDTVhFsQaHHbENfEqC3hxxOz
AXwtTv51Ag43dBE9bg2vNCbhOGb4+3JnOFtPg9vXhF7FpwRbxlGXkPTwvAX7z8u4gzV/
tc/T5ydmk4HqDhXOj4vq1V7icApTUrQf+7eJD1t1yVCds78VxxX7VIkGm6ieQ1jJ94sF
n2DMIqtWAD3TRYzucbJA5GxhsNxWTzimaWtLBg+dOY97T39y8ZNriMknbWOLalwaYefo
UZUKEczxrXb3gGzy2UZscS1qOsS0jraBAGT/iVvvMNI8odTiPWCIMl5uyfMHVzrEQelx
Bj0w==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:subject:to:from:date:message-id
:mime-version:arc-filter;
bh=pwCRxelulesFS4CeB7c7JkXr7yW4Mx6hmFEr6sYnDiQ=;
b=FwltbwdAOAVvQeJIUscD/6bV5rjxxqmDWuiWjJkWA4W+illmyBjU+cwAHppgQxu4ME
Jq1mu/hJIjbl/nT60kC9cIuWIyOx/fPBSW4knfO/uz6WskBhdV87x6lCVKTxbCARdo8G
IfxS+9IbTdyW21O6dolPX3i5UA/sTwRSM0TM2FKLP1/afh6LFcTgxqGhbf5nZ29lhPXj
B+vIy9uCqjTsklTOQ3U3D9D9ZkEXR/s3TWFic9imHlV2i0MBBfocaMH0R3qmMjiuxfIO
m0y7tsh0TAPqHogDanI6R8hGkXTTV5V8faJGdh9g4oua8F9FHa3NtysbyMitdU+dfrrS
C48g==
ARC-Authentication-Results: i=2; mx.google.com;
arc=pass (i=1);
spf=pass (google.com: domain of srs0=scn3=22=ismyemailworking.com=test@domain.com designates 111.111.111.111 as permitted sender) smtp.mailfrom="SRS0=scn3=22=ismyemailworking.com=test@domain.com"
Return-Path: <SRS0=scn3=22=ismyemailworking.com=test@domain.com>
Received: from mx0.domain.com (mx0.domain.com. [111.111.111.111])
by mx.google.com with ESMTPS id i14si51706513wrr.238.2020.01.05.07.34.19
for <me@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Sun, 05 Jan 2020 07:34:20 -0800 (PST)
Received-SPF: pass (google.com: domain of srs0=scn3=22=ismyemailworking.com=test@domain.com designates 111.111.111.111 as permitted sender) client-ip=111.111.111.111;
Authentication-Results: mx.google.com;
arc=pass (i=1);
spf=pass (google.com: domain of srs0=scn3=22=ismyemailworking.com=test@domain.com designates 111.111.111.111 as permitted sender) smtp.mailfrom="SRS0=scn3=22=ismyemailworking.com=test@domain.com"
X-Virus-Scanned: Yes
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=108.60.212.145; helo=ismyemailworking.com; envelope-from=test@ismyemailworking.com; receiver=<UNKNOWN>
Authentication-Results: mx0.domain.com; dmarc=none (p=none dis=none) header.from=ismyemailworking.com
ARC-Filter: OpenARC Filter v0.1.0 mx0.domain.com D17BA60733
Authentication-Results: mx0.domain.com; arc=none
ARC-Seal: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578238458; cv=none; b=J0U8fGHFuxqnrdq276+3KjUcN6/WrNqIZHULDN4UhK2gw77KnV/RQnzbIkjne7d6VKoAalK08Zw+extVf/BXtKzBdACxgvZV0O7V3/k8EtM43d65jVv/4qAX7mwtXYxkiBEG4MHE9bhDdYfFuoBhUtf+MEESDQQQEMoEift1TbASYECvRI4DBSMl9KVRjHrpIznzc7ZrZbcPhvo1mIiBGezK/wXqTb5ZWpTMrcgS6l3Jlj75+8X7eB0yWNS1naLgUrZamrZtpi73qPry/Rckdqt/YOXfCrx/ZeYMB8LErjE9JzqT56jsqjjXuLnVy3C5fceRxc+YqHTD+0hc7o84sQ==
ARC-Message-Signature: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578238458; c=relaxed/simple; bh=pwCRxelulesFS4CeB7c7JkXr7yW4Mx6hmFEr6sYnDiQ=; h=Received-SPF:MIME-Version:Message-ID:Date:From:To:Subject:
Content-Type:Content-Transfer-Encoding; b=Mll/jlcyKqf8SvRnBvX9WhaTR7Z5KtOiDPJHoLnIhRZsn21kJM9U2hunwGHFWHEz7cPCF4vFcnnff9z4Kys6D7LI540K0vG6idutiHMna6201Pu2E+aoaICeVZ/17AUOr7bFYklA3hjeDGmahog9YDq0ZmfWK4bl9Jnw3Q2XB6d+iTHTbrYEBkbzYUzwMJgGOhkwy68dJQ9vYMH2Ibss0wvcaZiRaxpiw9ie3/6kk1jO3tFf2p/8TaowXDTKfw1tzqVn4x7ght7zCm9A2JlCje5f/UAk3BZNkFJlOY3DfeX6+ByOfN+N40xG5j5y81pl4wZddKYwh5yC6ZHp//RSmQ==
ARC-Authentication-Results: i=1; mx0.domain.com; arc=none
Received: from IsMyEmailWorking.com (ismyemailworking.com [108.60.212.145]) by mx0.domain.com (Postfix) with ESMTP id D17BA60733 for <test@domain.com>; Sun,
5 Jan 2020 15:34:17 +0000 (UTC)
Yes, the ARC chain looks good. I'm surprised that there are no DKIM signatures on the message but that's not critical.
--Kurt
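Added example, not part of the thread and not OpenARC code: a structural check of the ARC sets discussed above. It confirms one ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results per instance, i= counting up from 1, cv=none on the first seal and cv=pass on later ones, and it lists the selector._domainkey.domain names where each signer's key has to be published. It does not verify signatures; the sample message is constructed from header values quoted in the thread, with bh=/b= replaced by placeholders.

```python
import re
from email import message_from_string

ARC_SET = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")
MAX_INSTANCE = 50  # upper bound on i= in RFC 8617

# Constructed sample modelled on the forwarded message in the thread.
# bh=/b= are placeholders, so nothing here can be verified cryptographically.
FORWARDED = """\
ARC-Seal: i=2; a=rsa-sha256; t=1578238460; cv=pass;
        d=google.com; s=arc-20160816;
        b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=subject:to:from; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; mx.google.com;
        arc=pass (i=1)
ARC-Seal: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578238458; cv=none; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=domain.com; s=201808; c=relaxed/simple; bh=PLACEHOLDER; h=From:To:Subject; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx0.domain.com; arc=none
From: test@ismyemailworking.com
Subject: constructed sample

body
"""

# Same message with the i=1 ARC-Message-Signature dropped (constructed failure case).
BROKEN_MISSING_AMS = "\n".join(
    line for line in FORWARDED.splitlines()
    if not line.startswith("ARC-Message-Signature: i=1")
)


def parse_tags(value):
    """Parse a DKIM-style 'tag=value; tag=value' list; folding whitespace is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def collect_sets(raw_message):
    """Group ARC headers by instance number. Returns (sets, problems)."""
    msg = message_from_string(raw_message)
    sets, problems = {}, []
    for name in ARC_SET:
        for value in msg.get_all(name) or []:
            tags = parse_tags(value)
            if name == "ARC-Authentication-Results":
                # i= must be the first element; the rest is not a plain tag list.
                m = re.match(r"\s*i\s*=\s*(\d+)\s*;", value)
                inst = m.group(1) if m else None
            else:
                inst = tags.get("i")
            if inst is None or not inst.isdigit() or not 1 <= int(inst) <= MAX_INSTANCE:
                problems.append(f"{name}: missing or invalid i=")
                continue
            sets.setdefault(int(inst), {}).setdefault(name, []).append(tags)
    return sets, problems


def check_chain(raw_message):
    """Structural ARC chain check; signatures are NOT verified."""
    sets, problems = collect_sets(raw_message)
    if not sets and not problems:
        return {"structure": "none", "length": 0, "problems": [], "key_records": []}
    top = max(sets) if sets else 0
    key_records = []
    for i in range(1, top + 1):
        arc_set = sets.get(i, {})
        for name in ARC_SET:
            found = len(arc_set.get(name, []))
            if found != 1:
                problems.append(f"i={i}: expected one {name}, found {found}")
        for seal in arc_set.get("ARC-Seal", []):
            expected = "none" if i == 1 else "pass"
            if seal.get("cv", "").lower() != expected:
                problems.append(f"i={i}: ARC-Seal cv={seal.get('cv')}, expected cv={expected}")
        for name in ("ARC-Seal", "ARC-Message-Signature"):
            for tags in arc_set.get(name, []):
                if tags.get("s") and tags.get("d"):
                    record = f"{tags['s']}._domainkey.{tags['d']}"
                    if record not in key_records:
                        key_records.append(record)
                else:
                    problems.append(f"i={i}: {name} lacks s= or d=")
    return {"structure": "fail" if problems else "ok", "length": top,
            "problems": problems, "key_records": key_records}


if __name__ == "__main__":
    for label, sample in (("forwarded", FORWARDED), ("missing AMS", BROKEN_MISSING_AMS)):
        print(label, check_chain(sample))
```

A result of "ok" only means the headers are well formed; whether each seal validates still depends on the key published at the listed DNS names.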
I think the issue with the missing DKIM is that ismyemailworking.com does not use DKIM for whatever reason. Here is a header from a github-mail forwarded to my GMail:
Delivered-To: me@gmail.com
Received: by 2002:a67:ce12:0:0:0:0:0 with SMTP id s18csp20652289vsl;
Sun, 5 Jan 2020 08:44:54 -0800 (PST)
X-Google-Smtp-Source: APXvYqyxvf4jB0mBR6igvjdHLd1ZfZK+LTIalWYiDEujK/a/uEggQYXSt1y7zqMdMrTM+/qD8bYo
X-Received: by 2002:a5d:5704:: with SMTP id a4mr97989661wrv.198.1578242694748;
Sun, 05 Jan 2020 08:44:54 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1578242694; cv=pass;
d=google.com; s=arc-20160816;
b=w80imn2lasBKiX1jJbV4VIAoOPPLIJtezgcQKkIb6YPyKiWlGfGEJJJ1+yX4rx4kUS
hpK/PKI8EHZzGQnSIB073Ho4PXeZf0w1VxJ2IIMdJdN9Xps/XKP3gkEVNmlllC0Ph/9D
NQ14Rt05nO3eCETGiBfnO8kSCherteBEk8rODnFIBLy82nZR72nANQkixUIcBuhMeyeS
UUl+vZnWsT+M5ppAa3B4noi2Amr92WXVp+NPvk8RRqP2r9vFvY9ReqRwN0SPpVwbeITo
btDcgrtxd8XYDfZqfb/nUV9oEzj+dmHq8cYExx85ggN2D20GEHXW7ZAxOWQyJj2d7Ya6
FTYA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=list-unsubscribe:list-post:list-archive:list-id:precedence
:content-transfer-encoding:mime-version:subject:references
:in-reply-to:message-id:cc:to:reply-to:from:date:dkim-signature
:arc-filter;
bh=2b7U3dMs52xPA8n8LErBrTLrsTnfHHdnGRtlbTpSPXo=;
b=WJAa97GdiLGB7PHBvGTmySnEHFmAgjm4AaPHvMegHjQxEtvWAQ14AVJRqpIqHAk6E9
32rusXgWk9ogJ/hoqCw83FucIUIMUmWHxZsfz9ynbwDY44+BcKnB65Y1gXNlYUA5gU07
TqB5WTfyVkuP1cTNLkYvBdnX2j/azcZqWlrvua4oZdnuJHISlAvtvnKBO0wA8ONzuZsK
wH+7kK2Uo+6diZSmMDC4/rRld90Veh3u9WrRMZ9AqmBohS5DuEUYPEPeDAWXQFpUQG0x
CeYNtqB5vILTI0U0mN+zH4e/HLQvX18pff4MmIaIkT8CcyQzHxk9FQBLLmuOi78sTpId
/p3A==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass (test mode) header.i=@github.com header.s=pf2014 header.b=MGBfrKg6;
arc=pass (i=1 dkim=pass dkdomain=github.com);
spf=pass (google.com: domain of srs0=fmel=22=github.com=noreply@domain.com designates 111.111.111.111 as permitted sender) smtp.mailfrom="SRS0=FMEl=22=github.com=noreply@domain.com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=github.com
Return-Path: <SRS0=FMEl=22=github.com=noreply@domain.com>
Received: from mx0.domain.com (mx0.domain.com. [111.111.111.111])
by mx.google.com with ESMTPS id q18si16300906wmg.171.2020.01.05.08.44.54
for <me@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Sun, 05 Jan 2020 08:44:54 -0800 (PST)
Received-SPF: pass (google.com: domain of srs0=fmel=22=github.com=noreply@domain.com designates 111.111.111.111 as permitted sender) client-ip=111.111.111.111;
Authentication-Results: mx.google.com;
dkim=pass (test mode) header.i=@github.com header.s=pf2014 header.b=MGBfrKg6;
arc=pass (i=1 dkim=pass dkdomain=github.com);
spf=pass (google.com: domain of srs0=fmel=22=github.com=noreply@domain.com designates 111.111.111.111 as permitted sender) smtp.mailfrom="SRS0=FMEl=22=github.com=noreply@domain.com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=github.com
X-Virus-Scanned: Yes
X-Spam-Flag: NO
X-Spam-Score: 0.152
X-Spam-Level:
X-Spam-Status: No, score=0.152 tagged_above=-999 required=6.2 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, SURBL_BLOCKED=1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=192.30.252.203; helo=out-20.smtp.github.com; envelope-from=noreply@github.com; receiver=<UNKNOWN>
Authentication-Results: mx0.domain.com; dmarc=pass (p=none dis=none) header.from=github.com
ARC-Filter: OpenARC Filter v0.1.0 mx0.domain.com 5F88560736
Authentication-Results: mx0.domain.com; arc=none
ARC-Seal: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578242692; cv=none; b=Gxz/UoQ/cVYyPpEXRkDqIqJYa174Qts8kUmKjizrNZ6rl/ng9F263wHQwu2DIlqOyrP5mgPhTcpXxDVEOhQ52SRFfh79Iw527gWxP+KdBSHxjC3CfBUrpBvkR4S7DT2zORGxaucbpYYhoS2W83G9q8N2rxoOQix/jbtTNL1nBV/Kc3zmzFBGku/QOgFFI7IvAnygbmBmER/HIN57RRw8WdXsGFVbBiD9JIGMqE92TP7wPqBFRuBiKFp9h3ZywQkAOG8CPYn641koFtIJw2k1yNoxyEBaC86m+WGlmKLspwLF+njekkRSQT1RqCpaHd4W85NiGA2vu/h65pYmn84oaA==
ARC-Message-Signature: i=1; a=rsa-sha256; d=domain.com; s=201808; t=1578242692; c=relaxed/simple; bh=OeHAFYgpfq7hdCzWfH7qcEpoznna+XievF6VcPWm9nk=; h=Received-SPF:Received:DKIM-Signature:Date:From:Reply-To:To:Cc:
Message-ID:In-Reply-To:References:Subject:Mime-Version:
Content-Type:Content-Transfer-Encoding:Precedence:X-GitHub-Sender:
X-GitHub-Recipient:X-GitHub-Reason:List-ID:List-Archive:List-Post:
List-Unsubscribe:X-Auto-Response-Suppress:
X-GitHub-Recipient-Address; b=DNYPK11+PTPjy9gAEDA6Ohv/ZuIShlLyKuiwyXLk/xT/ud4rbluYWXYj5xCVUh4A2YyakVg9lFsLvi4uwlTEaQmnl+juufvHKHQIfj3NQzH0JLOsiQiy2LDNBfHuTpYIiobyG0OrfilOstwnXwMgp5jy9M//ZfW6aYQ7mweIROzUay+tYmaV0BzV9OaPzrRP5rq66/exRudpXVmpLboiwKQ+6hJOiYNPkHeTD3sqy25yqAfEbEUT3aaikVTK+84I9nvgTix7o98dtTeat7D0rmV0fm2vzIuDhjd0H9cBSpLu4Gc/WJKhSq5uPWOKOUXj6w0njlij1h09IBkCLURZXw==
ARC-Authentication-Results: i=1; mx0.domain.com; dkim=pass (1024-bit key; unprotected) header.d=github.com header.i=@github.com header.b=MGBfrKg6; dkim-atps=neutral; arc=none
Authentication-Results: mx0.domain.com; dkim=pass (1024-bit key; unprotected) header.d=github.com header.i=@github.com header.b="MGBfrKg6"; dkim-atps=neutral
Received: from out-20.smtp.github.com (out-20.smtp.github.com [192.30.252.203]) by mx0.domain.com (Postfix) with ESMTPS id 5F88560736 for <mail@domain.com>; Sun,
5 Jan 2020 16:44:52 +0000 (UTC)
Received: from github-lowworker-2ef7ba1.ac4-iad.github.net (github-lowworker-2ef7ba1.ac4-iad.github.net [10.52.16.66]) by smtp.github.com (Postfix) with ESMTP id 240778C006D for <mail@domain.com>; Sun,
5 Jan 2020 08:44:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1578242685; bh=2b7U3dMs52xPA8n8LErBrTLrsTnfHHdnGRtlbTpSPXo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID:
List-Archive:List-Post:List-Unsubscribe:From; b=MGBfrKg6xqJYkiUEeWu4xGmQoT9B8FF3VBqieeezmORCcz/Z0fdpmqOSD5J/p/DgZ
2WTcJOi8/2IYtHElmKfyGwrjNCUPdLX+5R0AnNbquLvPeE1f/HNCzdPKoaGYuS5g1V
9POlREWMk/2amPNL02bFOQEGG+qd79QJJdo5B8rw=
Date: Sun, 05 Jan 2020 08:44:45 -0800
From: kurta <notifications@github.com>
Reply-To: "trusteddomainproject/OpenARC" <reply+AAKZDJUHLDWDUELBARYPPR54D5CP3EVBNHHCBALOTU@reply.github.com>
To: "trusteddomainproject/OpenARC" <OpenARC@noreply.github.com>
Cc: lukas <mail@domain.com>, Author <author@noreply.github.com>
Message-ID: <trusteddomainproject/OpenARC/issues/124/570927963@github.com>
In-Reply-To: <trusteddomainproject/OpenARC/issues/124@github.com>
References: <trusteddomainproject/OpenARC/issues/124@github.com>
Subject: Re: [trusteddomainproject/OpenARC] Postfix implementation (#124)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5e12127d14d92_23e43ff2adacd96c527667"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kurta
X-GitHub-Recipient: mindrunner
X-GitHub-Reason: author
List-ID: trusteddomainproject/OpenARC <OpenARC.trusteddomainproject.github.com>
List-Archive: https://github.com/trusteddomainproject/OpenARC
List-Post: <mailto:reply+AAKZDJUHLDWDUELBARYPPR54D5CP3EVBNHHCBALOTU@reply.github.com>
List-Unsubscribe: <mailto:unsub+AAKZDJUHLDWDUELBARYPPR54D5CP3EVBNHHCBALOTU@reply.github.com>, <https://github.com/notifications/unsubscribe/AAKZDJWRBNIM2LGPQWHY77TQ4IE73ANCNFSM4KCY24YA>
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: mail@domain.com
But your forwarder can add its own DKIM signature. I see that it is doing SRS to address the SPF forwarding breakage.
@mindrunner I am trying to do the same thing, forward email to google. As it seems you have it working, can you give us some more details on how you did it? Thanks!
But your forwarder can add its own DKIM signature. I see that it is doing SRS to address the SPF forwarding breakage.
I assumed it is doing that and the setting for this is in postfix's main.cf
# Milters used by DKIM
milter_protocol = 6
milter_default_action = accept
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
arc_milter = inet:localhost:8894
smtpd_milters = $dkim_milter,$arc_milter,$dmarc_milter
non_smtpd_milters = $dkim_milter
Do you see any issue with this setup? Is my mailserver not adding its signature? Sorry, I am still not super confident in reading mail headers.
I see that it is doing SRS to address the SPF forwarding breakage.
Yes, SRS is activated! :)
I am trying to do the same thing, forward email to google. As it seems you have it working, can you give us some more details on how you did it? Thanks!
@gkohri Sure, happy to assist. However, maybe you could ask more precisely what you need. See my PR to docker-mailserver for an entry point: https://github.com/tomav/docker-mailserver/pull/1363/files
When I forward an email to google, this is what I see at the top of the chain:
Received-SPF: softfail (google.com: domain of transitioning me@hotmail.com does not designate 36.250.17.15 as permitted sender) client-ip=36.250.17.15;
Authentication-Results: mx.google.com; dkim=pass header.i=@hotmail.com header.s=selector1 header.b=YPRIkYTB; arc=fail (missing mandatory fields); spf=softfail (google.com: domain of transitioning gkohring@hotmail.com does not designate 36.250.17.15 as permitted sender) smtp.mailfrom=me@hotmail.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
So, yes, the software is producing an ARC chain, but google seems not to like it.
Please tell us more about your whole setup. Also please post full Email headers from Google! :)
Solved it. Perhaps it was my bad. I thought that with ARC we no longer needed SRS, but we do.
On 2020-01-13 02:48, Greg Kohring wrote:
Solved it. Perhaps it was my bad. I thought that with ARC we no longer needed SRS, but we do.
ARC requires trust between the two parties. An ARC signature can be faked.
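A structural check for the ARC header sets posted in this thread, added here as an example (it is not code from OpenARC or from any participant). It groups ARC-Seal, ARC-Message-Signature and ARC-Authentication-Results by instance number and reports missing tags or incomplete sets per RFC 8617; it does not verify signatures. The sample message and the names `check_arc_sets` and `parse_tags` are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

# Tags each ARC header must carry (RFC 8617 section 4.1); assumption: "t" is optional.
REQUIRED = {
    "arc-seal": {"i", "a", "b", "d", "s", "cv"},
    "arc-message-signature": {"i", "a", "b", "bh", "d", "h", "s"},
    "arc-authentication-results": {"i"},
}

# Constructed sample (placeholder domains and signature values), not from the thread.
SAMPLE_OK = """\
ARC-Seal: i=1; a=rsa-sha256; d=example.org; s=sel; t=1578242692; cv=none;
 b=AAAA
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.org; s=sel; bh=BBBB; h=From:To; b=CCCC
ARC-Authentication-Results: i=1; mx.example.org; dkim=pass; arc=none
From: sender@example.net
"""
SAMPLE_BROKEN = SAMPLE_OK.replace(" bh=BBBB;", "")  # AMS loses its body hash

def parse_tags(value):
    """Unfold the header value and split 'name=value;' pairs (first one wins)."""
    tags = {}
    for part in re.sub(r"\s+", " ", value).split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), val.strip())
    return tags

def check_arc_sets(raw_message):
    """Return structural problems in the ARC sets; an empty list means none found."""
    sets, problems = defaultdict(lambda: defaultdict(list)), []
    for name, value in message_from_string(raw_message).items():
        kind = name.lower()
        if kind not in REQUIRED:
            continue  # not an ARC header
        tags = parse_tags(value)
        for tag in sorted(REQUIRED[kind] - set(tags)):
            problems.append(f"{name}: missing tag {tag}")
        if tags.get("i", "").isdigit():
            sets[int(tags["i"])][kind].append(tags)
    # Instances must run 1..N without gaps, each with exactly one header of each kind.
    for i in range(1, max(sets, default=0) + 1):
        problems += [f"i={i}: expected one {kind}, found {len(sets[i][kind])}"
                     for kind in REQUIRED if len(sets[i][kind]) != 1]
        want = "none" if i == 1 else "pass"  # cv=fail is legal but ends the chain
        problems += [f"i={i}: cv={s.get('cv')}, expected {want}"
                     for s in sets[i]["arc-seal"] if s.get("cv") != want]
    return problems
```

Pass the raw message text, headers included, to `check_arc_sets`; a clean result only means the sets are well-formed, so the receiver's `arc=` verdict in Authentication-Results remains the authority on whether the chain validated.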