Tag Archives: Email

Why did this DMARC check pass at Google?

I sent a message to a mailing list (Google Groups) in plain-text format. The content was just one sentence, ending with “thank you”.

Google Groups forwards the message to everybody on the list. When forwarding, Google performs SRS (Sender Rewriting Scheme), so SPF makes no contribution to DMARC validation at the recipients. In this case I used another Gmail account as the test recipient.

Google also modified the message body by adding a signature at the end; see the screenshot below. The green part is my original content and the red part is the signature added by Google. So DKIM will break at the recipients.

What is strange is that this message was labeled by Google as “DMARC PASS”; see the screenshot below.

My SPF, DKIM and DMARC settings:

linuxdeveloper.xyz. 299 IN TXT "v=spf1 include:spf.migadu.com ?all"

_dmarc.linuxdeveloper.xyz. 299 IN TXT "v=DMARC1; p=none;"

key1._domainkey.linuxdeveloper.xyz. 299 IN CNAME key1.linuxdeveloper.xyz._domainkey.migadu.com.

key2._domainkey.linuxdeveloper.xyz. 299 IN CNAME key2.linuxdeveloper.xyz._domainkey.migadu.com.

key3._domainkey.linuxdeveloper.xyz. 299 IN CNAME key3.linuxdeveloper.xyz._domainkey.migadu.com.

I can’t understand why this DMARC check passed at Google, since neither DKIM nor SPF can contribute to the DMARC validation here.

I asked this question on the Postfix mailing list. Thanks to our friend @Raf, who gave a wonderful explanation. I quote his writing below.

Warning: This is just a theory, but it's the only reasonable one I could think of.

Google is aware of the fragility of SPF/DKIM/DMARC when it comes to mailing lists, which is why they use ARC:

Authenticated Received Chain (ARC) Protocol
https://tools.ietf.org/html/rfc8617 (Experimental)

ARC is a way for remailers to add an authenticated chain of custody to an email, where they check SPF/DKIM/DMARC when they receive the original email, and then attest that each check passed or failed at that time, and then they provide a DKIM-like signature to prove that it was really them that made the attestation.

If you look in the headers of a googlemail email, you'll see these headers:

ARC-Seal
ARC-Message-Signature
ARC-Authentication-Results

There can be a set of these three headers for every ARC-enabled remailer along the path. The googlegroups email that I receive tends to have two sets, both added as the mail passes between various google servers.

The ARC-Authentication-Results header contains the SPF/DKIM/DMARC check results for the original mail, and this gets copied up through the chain. The other two headers in each set enable the receiver to check the authenticity of its contents.

Gmail is probably checking the ARC chain and seeing that DMARC was valid when googlegroups received the original email, and that's what gmail is reporting to you as a DMARC pass.

I'm not sure how much ARC is used. From my tiny personal sample set, it's almost all Google and Microsoft. So maybe that's a lot. And who checks it? It's hard to tell. If gmail checks ARC but doesn't mention it by name, perhaps other mail providers are doing that too.

There is a milter for it called OpenARC, written by the same group that wrote OpenDKIM and OpenDMARC, but it seems to have been abandoned two years ago when it was still in beta stage. And it doesn't get a mention in the postfix setup tutorials that I've come across. I can find people asking how to set it up, but not so much in the way of satisfactory answers.

Without something like OpenARC, OpenDMARC is going to produce lots of false positives because it doesn't know to defer to ARC checking in the presence of ARC headers.

So ARC is probably needed for running mailing lists. I will check it soon.
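Raf's theory above, as an added example (not Google's logic and not code from the post): a small Python routine that reads the ARC set a relay added and lets a recorded dmarc=pass stand in for a failed direct check, but only when the chain verified and the sealer is trusted. The header values, the google.com sealer and the arc_chain_valid flag are constructed assumptions; verifying the seals and signatures themselves is assumed to happen elsewhere.

```python
import re
from email import message_from_string

# Constructed headers (not a real capture) modelled on a list relay: the direct
# check fails (DKIM broken by the footer, SPF passes only for the list's own
# domain), while the ARC set the list added records dmarc=pass on original
# receipt. Signature values are placeholders.
RAW = """\
ARC-Seal: i=1; a=rsa-sha256; t=1600000000; cv=none; d=google.com; s=arc-20160816; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxdeveloper.xyz header.s=key1; spf=pass smtp.mailfrom=linuxdeveloper.xyz; dmarc=pass header.from=linuxdeveloper.xyz
Authentication-Results: mx.google.com; dkim=fail header.i=@linuxdeveloper.xyz; spf=pass smtp.mailfrom=googlegroups.com; dmarc=fail header.from=linuxdeveloper.xyz
From: someone@linuxdeveloper.xyz

thank you
"""

def parse_authres(value):
    """Keep only the method results, e.g. {'i': '1', 'dkim': 'pass', 'dmarc': 'fail'}."""
    found = {}
    for clause in value.split(";"):
        m = re.match(r"(i|dkim|spf|dmarc)=(\w+)", clause.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def arc_sets(msg):
    """Group the three ARC headers by instance number i=, oldest (i=1) first."""
    sets = {}
    for name in ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results"):
        for value in msg.get_all(name, []):
            i = int(re.search(r"\bi=(\d+)", value).group(1))
            sets.setdefault(i, {})[name] = value
    return [sets[i] for i in sorted(sets)]

def effective_dmarc(raw, trusted_sealers, arc_chain_valid):
    """Return (verdict, basis). The direct DMARC result stands unless the chain
    verified (arc_chain_valid: assumed result of seal/signature verification
    done elsewhere), the i=1 set was sealed by a trusted domain, and that set
    recorded dmarc=pass when the original message was received."""
    msg = message_from_string(raw)
    direct = parse_authres(msg.get("Authentication-Results", "")).get("dmarc", "none")
    sets = arc_sets(msg)
    if direct == "pass" or not sets or not arc_chain_valid:
        return direct, "direct"
    first = sets[0]
    sealer = re.search(r"\bd=([\w.-]+)", first["ARC-Seal"]).group(1)
    recorded = parse_authres(first["ARC-Authentication-Results"]).get("dmarc")
    if sealer in trusted_sealers and recorded == "pass":
        return "pass", f"arc i=1 sealed by {sealer}"
    return direct, "direct"

if __name__ == "__main__":
    print(effective_dmarc(RAW, {"google.com"}, arc_chain_valid=True))
```

Without a trusted, verified chain the routine falls back to the direct result, which is the behaviour the answer above attributes to a receiver that does not defer to ARC.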

Will a forwarded message break DMARC?

I asked a question on the Postfix mailing list: if a message from mail.ru (which has p=reject in its DMARC policy) is forwarded by Pobox to Gmail, will Gmail reject the message?

The list member @raf gave the wonderful answer below. I appreciate it very much.

Maybe. It depends on lots of stuff. A DMARC check passes if either SPF or DKIM pass, but (for DMARC purposes), SPF only applies (and therefore can only pass) when the From: domain matches the envelope sender domain, and (for DMARC purposes) DKIM only applies (and therefore can only pass) when the From: domain matches the DKIM signing domain (d=).

If pobox.com uses its own envelope sender when forwarding the email, then mail.ru's SPF doesn't apply (because it wouldn't be the envelope sender domain anymore). Instead, pobox.com's SPF applies (because it's now the envelope sender domain). But pobox.com's SPF doesn't apply to mail.ru's DMARC check. So SPF wouldn't contribute to a DMARC check for mail.ru.

If pobox.com uses the original mail.ru envelope sender then mail.ru's SPF will apply and it will fail (because pobox.com won't be authorized by mail.ru's SPF). So it won't contribute to a DMARC check for mail.ru either.

So, you can't count on SPF to get it through a DMARC check for mail.ru.

The only other possibility is if the email was DKIM-signed by mail.ru as well. If it wasn't, then DMARC fails. If it was, and the email wasn't changed en route in any way that invalidated the DKIM signature, then DMARC passes. If the mail was modified too much, then DMARC fails, but if pobox.com is just forwarding, then it shouldn't have modified it in a way that matters to DKIM.

And the DKIM signature has to have been signed with mail.ru's DKIM key. Any other signing domain doesn't apply for DMARC purposes.

So, if it's DKIM-signed by mail.ru, and pobox.com just forwards it, and does nothing else other than adding headers along the way, then it'll probably pass a DMARC check for mail.ru. Otherwise, it won't.

Having said all that, what gmail does with it upon arrival is entirely up to gmail.
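The alignment rule from the answer above, as an added example (not code from the mailing list): a Python function that applies DMARC identifier alignment to SPF and DKIM results and runs the three mail.ru → pobox.com → Gmail cases the answer walks through. The scenarios are constructed, the authentication results are taken as inputs, and the organizational-domain helper is a simplification that a real implementation replaces with the Public Suffix List.

```python
# Added example: DMARC alignment applied to the forwarding cases above.
# SPF/DKIM results are inputs, as a receiver's authentication step would
# produce them; no DNS lookups or signature verification happen here.

def org_domain(domain):
    """Assumed: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(from_domain, spf_result, mail_from_domain, dkim_sigs,
                  aspf="r", adkim="r"):
    """dkim_sigs: list of (d= signing domain, result). Only an SPF pass on an
    aligned envelope sender or a DKIM pass from an aligned d= domain counts."""
    if spf_result == "pass" and aligned(from_domain, mail_from_domain, aspf):
        return "pass", f"spf aligned via {mail_from_domain}"
    for d, result in dkim_sigs:
        if result == "pass" and aligned(from_domain, d, adkim):
            return "pass", f"dkim aligned via d={d}"
    return "fail", "no aligned spf or dkim pass"

# Constructed cases from the answer; mail.ru's p=reject is what a receiver
# would then apply to a "fail".
SCENARIOS = {
    # pobox rewrites the envelope sender: its own SPF passes but is unaligned;
    # mail.ru's DKIM signature survived because the forward changed nothing.
    "rewrite_envelope_intact_dkim": dict(
        from_domain="mail.ru", spf_result="pass", mail_from_domain="pobox.com",
        dkim_sigs=[("mail.ru", "pass"), ("pobox.com", "pass")]),
    # pobox keeps mail.ru as envelope sender: SPF fails (pobox not authorized
    # by mail.ru's record) and mail.ru never DKIM-signed the message.
    "keep_envelope_no_mailru_dkim": dict(
        from_domain="mail.ru", spf_result="fail", mail_from_domain="mail.ru",
        dkim_sigs=[("pobox.com", "pass")]),
    # something in transit modified the body and broke mail.ru's signature.
    "rewrite_envelope_broken_dkim": dict(
        from_domain="mail.ru", spf_result="pass", mail_from_domain="pobox.com",
        dkim_sigs=[("mail.ru", "fail")]),
}

def run_scenarios():
    return {name: dmarc_verdict(**kw)[0] for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, kw in SCENARIOS.items():
        print(f"{name}: {dmarc_verdict(**kw)}")
```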

How to use gmail as free email hosting

Gmail has great email features. Most people I know like their service.

But Gmail for domain hosting is not cheap: the cheapest plan is $6/month on their pricing page. Here I show a way that is cheap and solid for hosting your domain email on Gmail.

First you need a pobox.com Basic account, which is $20/year, much cheaper than Google Workspace.

What features does Pobox provide? It includes:

  • Email forwarding: forwards all your incoming email to a destination such as Gmail.
  • Outgoing SMTP relay: you can send email through Pobox’s solid SMTP servers.
  • Email anti-spam: good anti-spam capability that filters most spam for you.

After you have a Pobox account, you can set up your domain there. Just add the domain in their management panel and point your domain’s MX records to their servers.

For example, my blog domain uses Pobox’s forwarding service. MX setup:

blog.cloudcache.net. 299 IN MX 5 mx-1.pobox.com.
blog.cloudcache.net. 299 IN MX 5 mx-2.pobox.com.
blog.cloudcache.net. 299 IN MX 5 mx-3.pobox.com.

SPF setup:

blog.cloudcache.net. 299 IN TXT "v=spf1 include:pobox.com ?all"

Then create an email address in Pobox’s management panel and set its destination to your Gmail address. For example:

[email protected] --> [email protected]

Now Pobox will forward your domain email to Gmail. You can test it by sending a message to the domain address; it should appear in your Gmail inbox.

The last step: in Gmail’s “Accounts” settings, create an outgoing email address using Pobox as the SMTP server. The sample settings are shown below:

The setting details:

  • SMTP server: always smtp.pobox.com
  • Port: 465 (SSL)
  • Username: the domain email address you created on Pobox
  • Password: an “App-specific Password” for your Pobox account; you must create one before using their SMTP service.

Once the settings are done, you can use “smtp.pobox.com” as the outgoing server for sending email. All your outgoing messages will be relayed via Pobox’s SMTP servers. Pobox has been in the email delivery industry for almost 30 years, so they are solid enough for delivering your messages.

Also, when sending through Pobox’s SMTP servers, your domain email address is the real sender. If you used Gmail’s SMTP as the outgoing server, the real sender would be Gmail itself, not your domain email.

That is to say, Pobox does not leak your real email address (Gmail). This is important for privacy protection.

Up to now, everything works well. You can begin to use your domain email, hosted by pobox.com and operated through Gmail.
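A check on the SPF record above, as an added example (not from the post and not Pobox's code): a minimal SPF evaluator run over a constructed DNS table, which shows what the `?all` in these records actually asserts about a host that no mechanism matched, compared with `~all` and `-all`. The pobox.com record and the 192.0.2.0/24 network are placeholders, and only the ip4/ip6, include and all terms are implemented.

```python
import ipaddress

# Added example: evaluate SPF against a constructed DNS view (no live lookups).
# The blog.cloudcache.net record is the one from the post; the pobox.com
# record and 192.0.2.0/24 (TEST-NET-1) are placeholders.
DNS_TXT = {
    "blog.cloudcache.net": "v=spf1 include:pobox.com ?all",
    "pobox.com": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, dns=DNS_TXT, depth=0):
    """Evaluate ip4/ip6, include and all terms (the subset these records use)
    and return the SPF result for a message sent from `ip`."""
    if depth > 10:
        return "permerror"          # guard against include loops
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # an include matches only when the included record yields "pass"
            if check_host(ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no "all" term

def unauthorized_sender_results(ip, domain, dns=DNS_TXT):
    """Result for a host no mechanism matches, under each 'all' qualifier:
    '?all' (as in the post) is neutral, i.e. the record makes no statement,
    while '~all' / '-all' let the receiver flag or reject the message."""
    base = dns[domain].rsplit(" ", 1)[0]
    return {q + "all": check_host(ip, domain, {**dns, domain: f"{base} {q}all"})
            for q in ("?", "~", "-")}

if __name__ == "__main__":
    print(check_host("192.0.2.10", "blog.cloudcache.net"))   # pass via include
    print(unauthorized_sender_results("198.51.100.5", "blog.cloudcache.net"))
```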

Batch checking the existence of gmail accounts

When you try to register a Gmail account, you will most probably find that all the usernames you want have already been taken.

So a good tool for batch checking which mailboxes are available becomes attractive.

Here I show the method I use myself. It’s a simple Perl script:

#!/usr/bin/perl
# Report whether the given Gmail username has an existing mailbox.
use strict;
use warnings;
use Gmail::Mailbox::Validate;

# The username is the only argument; exit with a usage message otherwise.
my $username = shift || die "$0 username\n";

my $v = Gmail::Mailbox::Validate->new();
print "$username mailbox exists\n" if $v->validate($username);

Given a username, this script tells you whether that mailbox exists at Google.

For example:

$ ./gmbox wesley9807
wesley9807 mailbox exists

$ ./gmbox wesley98076

The first one tells you that the username “wesley9807” exists. The second returns nothing, so that username may not be registered, and you may have the chance to register “wesley98076”.

Please note: the second command returning nothing does mean this username has no mailbox at Google, but it still does not mean you can take this username.

For example, Google seems to keep some good usernames which have no mailboxes but which you can’t register. And a Google user may choose to delete his/her mailbox but keep other Google services running (Google Drive etc.), so you cannot register that mailbox either.

Anyway, with this method you can check a lot of usernames quickly; there is no need to try them one by one on Google’s registration page.

How to install the required Perl module? Just use the cpanm tool. For example:

$ sudo cpanm Gmail::Mailbox::Validate
Gmail::Mailbox::Validate is up to date. (0.01)

Finally, you should not abuse it, otherwise Google may block your IP or network.

Vodafone Germany email migrated to their own platform

I have had a vodafone.de email address for a long time. In the past, Vodafone Germany hosted their email on Open-Xchange, which gave me a poor experience.

Open-Xchange is an open source email hosting solution. It has rich features including email, cloud storage, contacts, calendar, push notifications, docs etc. It has gained a lot of customers over its years of operation; for example, Namecheap, IONOS and Virgilio.it use their services.

But I don’t like this platform. It is developed in PHP. It’s slow and not solid: sometimes I can’t open the page, and new email refreshing is delayed.

I think many customers of Vodafone.de had the same feelings as me. I am glad to see that Vodafone.de has recently migrated their email service to their own platform, the same one as their global platform, such as Vodafone UK.

Their own platform is written in ASP. It’s clean and fast, and more solid than the OX one. It has the main features of a modern online service, including email, cloud, calendar, contacts, notes etc.

Compared to the old OX platform, I like this new one much more. I wish vodafone.de gets better and better in the coming days.