Is anyone here forwarding your bind-users messages to gmail or a google-hosted domain?
Dan Mahoney
dmahoney at isc.org
Tue Apr 19 21:50:35 UTC 2022
Hey all,
I'm one of the people who admins ISC's mail servers, and also receives all
our DKIM/SPF/DMARC failure reports. (We use dmarcian.com)
We've seen a number of messages reported to us as having an isc.org "from"
address, and as having our dkim signatures, but the signatures failing to
verify, perhaps because a forwarder may have added a subject tag or
rewritten some other header. Of course, SPF also fails because those
servers aren't in our SPF record.
This makes us look bad because it shows isc.org messages arriving at gmail
in a non-compliant way, and it makes your mail servers look bad, because
they're "spoofing" isc.org mail.
Worse, if ISC moves our dmarc record to a p=reject policy, you just won't
get that email anymore, so it's definitely not future-proof.
Our dmarc reports only show us aggregates of the from/to/spf/dkim/dmarc
status. We can't easily inspect individual messages.
If this sounds like you, please do drop me a line privately at
dmahoney at isc.org. I'd love to work with you to ensure I understand what's
going on and also see if we can make things work better for everyone.
Cheers,
-Dan
More information about the bind-users
mailing list