Is anyone here forwarding your bind-users messages to gmail or a google-hosted domain?

Dan Mahoney dmahoney at isc.org
Tue Apr 19 21:50:35 UTC 2022


Hey all,

I'm one of the people who admins ISC's mail servers, and also receives all 
our DKIM/SPF/DMARC failure reports.  (We use dmarcian.com)

We've seen a number of messages reported to us as having an isc.org "from" 
address, and as having our dkim signatures, but the signatures failing to 
verify, perhaps because a forwarder may have added a subject tag or 
rewritten some other header.  Of course, SPF also fails because those 
servers aren't in our SPF record.

This makes us look bad because it shows isc.org messages arriving at gmail 
in a non-compliant way, and it makes your mail servers look bad, because 
they're "spoofing" isc.org mail.

Worse, if ISC moves our dmarc record to a p=reject policy, you just won't 
get that email anymore, so it's definitely not future-proof.

Our dmarc reports only show us aggregates of the from/to/spf/dkim/dmarc 
status.  We can't easily inspect individual messages.

If this sounds like you, please do drop me a line privately at 
dmahoney at isc.org.  I'd love to work with you to ensure I understand what's 
going on and also see if we can make things work better for everyone.

Cheers,

-Dan
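
An added example, not part of the original post: one way to pick the pattern described above out of a DMARC aggregate report, namely sources whose mail had an isc.org "from" address and an isc.org DKIM signature that failed to verify, with SPF failing as well. It assumes the RFC 7489 aggregate XML layout; the sample report, its documentation-range IP addresses and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate layout (documentation-range IPs).
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>14</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>isc.org</header_from></identifiers>
    <auth_results><dkim><domain>isc.org</domain><result>fail</result></dkim>
      <spf><domain>isc.org</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>isc.org</header_from></identifiers>
    <auth_results><dkim><domain>isc.org</domain><result>pass</result></dkim>
      <spf><domain>isc.org</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>isc.org</header_from></identifiers>
    <auth_results><spf><domain>isc.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""

def broken_signature_sources(report_xml, domain):
    """Return {source_ip: message_count} for rows where header_from == domain,
    DMARC evaluated both DKIM and SPF as fail, and a DKIM signature with
    d=domain was present but did not verify (the forwarder pattern)."""
    # Reports come from third parties; use a hardened parser (e.g. defusedxml) in production.
    totals = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        if (rec.findtext("identifiers/header_from") or "").strip().lower() != domain:
            continue
        ev = rec.find("row/policy_evaluated")
        if ev is None or ev.findtext("dkim") != "fail" or ev.findtext("spf") != "fail":
            continue
        signed_by_domain = any(
            (d.findtext("domain") or "").strip().lower() == domain
            and d.findtext("result") == "fail"
            for d in rec.iterfind("auth_results/dkim"))
        if signed_by_domain:  # unsigned failures (no d=domain entry) are a different case
            ip = rec.findtext("row/source_ip")
            totals[ip] = totals.get(ip, 0) + int(rec.findtext("row/count"))
    return totals

if __name__ == "__main__":
    print(broken_signature_sources(SAMPLE_REPORT, "isc.org"))
```

The third sample record fails both checks but carries no isc.org signature at all, so it is left out: that row looks like unsigned mail rather than a modified copy of a signed message.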

