-
Notifications
You must be signed in to change notification settings - Fork 142
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DMARC Alignment Issue #382
Comments
By the way, thank you guys so much for creating and maintaining this tool. I cannot believe DKIM isn't natively built in to On-prem Exchange. dkim-Exchange has been a life-saver for me. After looking into my issue further and downloading the repo: Since DMARC alignment is based on the message header FROM address, I propose that dkim-exchange should prioritize the message header FROM domain when signing messages instead of the Envelope/Return-Path domain. In most cases these domains will be the same; however, in cases like mine, when Return-Path and Message Header From domains are intentionally different, relying on Return-Path will break DMARC alignment - and I don't see any downsides to using the message header FROM address as the first option. Something like this:
... |
As the development seems not to be existent at the moment I would nope hope to much for a solution in the near future. If you look back in the existing issues, there are at least 2 other issues that describe similar problems with empty sender mails like OOF or NDR. We are on a Exchange hybrid infrastructure and if users in ExO are sending with their alias addresses (SendFromAliasEnabled) the mails will be signed with the wrong domain (sender domain instead from domain), as you described. |
I guess the cause for this behaviour is that Exchange (2013 and onwards, including online) always resolve the P1 header to the user Primary SMTP Address, and this is by design. DKIM is only applied to P1 (envelope) headers, such as MAIL FROM, and not to P2 (message) headers, like FROM. If you see, even in Exchange Online, there has been work to ensure P1 match either the sender or recipient domain, and there is no more tenant attribution based on P2. I'd say it's best to correct the P1/P2 mismatch, ensuring they are on the same domain, rather than signing the P2 FROM. |
I'm trying to solve a DMARC alignment issue.
A custom application generates and sends sends mail (to the Pickup directory) from [email protected] behalof of [email protected] and collects bounces in the [email protected] mailbox for central processing.
This has worked well for decades, adding SPF and then DKIM-exchange in recent years; however, I noticed deliverability issues recently due to DMARC alignment fails. After googling for a solution, the only way that I can imagine solving the issue, while maintaining different Header From/Envelope From address domains, is to maybe sign the e-mails going out with a DKIM signature provided to me by clientdomain.com.
Is this possible with dkim-exchange? If I set up clientdomain.com in dkim-exchange with a key provided by the client, will it sign e-mails based on the Header From address, or the Envelope From address? I'm assuming it will sign based on the Envelope From address which wouldn't really solve my problem would it?
Is there a way to DKIM-sign based on the Header From address instead of the Envelope From address?
Any thoughts/input are appreciated.
Kind Regards,
Charlie
The text was updated successfully, but these errors were encountered: