Menu
Reply
  • 13.64K
  • 719
  • 4.72K
Superuser
Superuser
500 Views
Message 1 of 8
Flag for a moderator

DMARC rejection - A practical example

Hi

I'm seeing a few posts where people are complaining that mails are being bounced with the following reasons.

DMARC validation failed with result 4.00:reject
DMARC validation failed with result 3.00:quarantine

FWIW I'm asking questions about the second result, as AFAIK the quarantine result should result in the mail being held for checking rather than being rejected outright,  The best outcome for a quarantine result SHOULD in my opinion be that the mail is delivered to the spam folder.

DMARC validation relies on the results of SPF and DKIM checks.  Should either of these fail then the sending domain is checked for a DMARC record and the policy in that record is followed.

I sent a mail from my yahoo.co.uk address to my personal address which is managed by Google with a rule to forward the mail on to my blueyonder address.

Now the mail dutifully arrived in my personal inbox but I then get an email from Google

Delivery to the following recipient failed permanently:

     myaddress@blueyonder.co.uk

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the recipient domain blueyonder.co.uk by mx.mnd.ukmail.iss.as9143.net. [212.54.58.11].

The error that the other server returned was:
552 5.2.0 L2jH1u00J15oLYH012jHbZ DMARC validation failed with result 4.00:reject

Checking the attached mail showed the following

Received-SPF: pass (google.com: domain of yahooaddress@yahoo.co.uk designates 98.138.229.48 as permitted sender) client-ip=98.138.229.48;

And also

 dkim=pass header.i=@yahoo.co.uk;

Finally I saw.

 dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.co.uk

Ok so nothing there to show why Virgin rejected it - is passes SPF and DKIM right?

Wrong - these are the results from the mail when it was sent FROM Yahoo TO Google.

When I looked at the body of the mail in the bounce message I see the following.

Forward this now

 

--
Test footer

Yet the original mail body was simply

Forward this now

 

And here we actually have the cause of the problem.  The mail server has a setting to add an automatic footer to outgoing mails.  The kind that usually have legal information  (Note this is different to the email signatures individual users can set up in settings).

Now here's the problem.  Google actually adds this mail even when relaying the mail on to a new destination.

This violates the mail RFC's which state that a mail server MUST NOT change the mail in any way EXCEPT by adding it's own headers to the beginning of the mail.  DKIM relies on mail forwarders NOT violating this rule.

By adding the footer to a forwarded mail Google actually causes the DKIM check by Virgin Media's inbound server to fail.

After this the DMARC policy which is set by Yahoo is queried and acted upon - hence the mail ends up being rejected.

Note: that to the unwary this means that Virgin Media are incorrectly rejecting a legitimate mail.  However the opposite is in fact true.  The mail was legitimately rejected.

So far reasons I've found for DMARC fails tend to fall into two categories.

  1. Forwarding issues affecting either DKIM or SPF - note DKIM SHOULD survive forwading provided the body and selected headers are not modified.  SPF on the other hand doesn't survive forwarding.
  2. Sender not using recommended email settings for their email address.
    Notable examples of this have been with TalkTalk domains.  The sender continues to use their old TalkTalk address but sends through their current ISP's email servers.  While this used to be acceptable SPF and DMARC means that senders SHOULD always use the correct mail servers for their address.

Final Note: SPF, DKIM and DMARC are valuable tools in the fight to protect emails from being spoofed by spammers.  I welcome these tools, but the email community as a whole needs to move with the times.

Ravenstar68

 

________________________________________


Only use Helpful answer if your problems been solved.

  • 7.36K
  • 830
  • 3.1K
Superuser
Superuser
488 Views
Message 2 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

This must be immediately added to your e-mail FAQ at:

http://community.virginmedia.com/t5/Email/Ravenstar-s-Email-FAQ-s/td-p/3169662

I will ask the Mods to do so if you haven't already! @ModTeam

Nothing short of brilliant work.

-----------------------

Superuser 2017/18
Use Kudos to say thanks
Mark answer as "helpful" only when the problem is solved
Please don't send me private messages unless I ask you to.
I do not work for VM. The advice I give is based on my best understanding of VM policy and practice. You rely on it at your own risk.
0 Kudos
Reply
  • 4
  • 0
  • 0
Streamerjohn
Joining in
470 Views
Message 3 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

Hi Ravenstar68,

I was just about to start a new thread on this same topic when I saw that you had beaten me to it.  As per your advice in the earlier thread, I have collected some information from senders who have had their mails to me bounced back citing a DMARC failure and have attached an example below in the hope that it tells you something about the reasons for the problems.  I believe that all senders using the same domain (170,000 plus at the last count) get their emails to me bounced with a similar DMARC message, sometimes with quarantine, sometimes with reject, and although they haven't all tried to get in touch, it could be causing them some inconvenience too.  Some background:

- the problem started about 3 weeks ago after 13 years of reasonably trouble free emailing using my same address at ntlworld.com. 

- I think the last message got through on the 18th of November.  I don't know if this coincides with any changes at VM but it might help to narrow down what suddenly started the emails being rejected.

- I have only had reports from the users at this particular domain that there is a problem reaching me, no-one else has contacted me (by means other than my ntlworld.com email) to flag that there is a problem.  I guess that there could be other domains that can't get through, but I have no way of knowing.

- I have no problems sending emails to addresses in this domain, only receiving them.  Direct replies to my emails and delivery and read receipts for my original outgoing messages on ntlworld.com  are also blocked, but these facilities on my alternative email address/domain all function correctly.

- emails from the blocked domain get through without a problem on the alternative email address.

- my VM settings are to have all spam filters off, so the massages are not being re-directed anywhere else and I do not get notifications or emails into my spam folders.

- I use Microsoft Outlook as my mail client (not outlook.com) and have since many years, not only for the ntlworld.com account but also for business accounts in the past.  My PC is running Win 10.

- VM have checked my account settings twice in the past two weeks and have even taken over my PC using LogMeIn to check that problems are not at my end.  They are happy that they are not.

A bounce message typical of the ones that senders receive is attached below as requested, suitably sanitised.  I do have others if more examples are required.  The bounce message to the sender reads:

mx1.mnd.ukmail.iss.as9143.net rejected your message to the following email addresses:
Streamerjohn(my.address@ntlworld.com)
There's a problem with the recipient's mailbox. Please try resending the message. If the problem continues, please contact your email admin.
mx1.mnd.ukmail.iss.as9143.net gave this error:
LCRY1u00B2Uskg801CRZKg DMARC validation failed with result 3.00:quarantine

Diagnostic information for administrators:
Generating server: HE1PR0101MB1578.eurprd01.prod.exchangelabs.com
Total retry attempts: 1
my.address@ntlworld.com
mx1.mnd.ukmail.iss.as9143.net
Remote Server returned '554 5.2.0 LCRY1u00B2Uskg801CRZKg DMARC validation failed with result 3.00:quarantine'
Original message headers:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=Unilever.onmicrosoft.com; s=selector1-unilever-com;
h=FromSmiley Very HappyateSmiley Frustratedubject:Message-ID:Content-Type:MIME-Version;
bh=W1DBhLGIid4eOTuvrh0w7i8Si/zqtrpQ5hWTB+Bg3Bk=;
b=FwLw6c1zZZx4xhOCCgbQaZ2Qqen3noHfASsxKdaey+bommzVHvhG9Al9u7dih5/bPfd3VEEfyqC7wyCO77eaOzf1GtswE4Ng4eCm2vjxb9LbutIUl565AXvPBCzNyQjtNnFdLshvTx7ZKX01nYvo6rr0l7XAuIfE1mVOaTdjc6Y=
Received: from HE1PR0101MB1578.eurprd01.prod.exchangelabs.com (10.166.118.136)
by HE1PR0101MB1578.eurprd01.prod.exchangelabs.com (10.166.118.136) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.771.8; Thu, 15 Dec
2016 12:14:59 +0000
Received: from HE1PR0101MB1578.eurprd01.prod.exchangelabs.com
([10.166.118.136]) by HE1PR0101MB1578.eurprd01.prod.exchangelabs.com
([10.166.118.136]) with mapi id 15.01.0771.014; Thu, 15 Dec 2016 12:14:58
+0000
From: AJ<Acontact@unilever.com>
ToSmiley Frustratedtreamerjohn at another email address
CC: Streamerjohn <my.address@ntlworld.com>
Subject: RE: A favour to ask.
Thread-Topic: A favour to ask.
Thread-Index: AdJWQOxaUZCG1meySv+awTJelX+6kgAi8/UQ
Date: Thu, 15 Dec 2016 12:14:58 +0000
Message-ID: <HE1PR0101MB1578AF175CD211636ECD395E9A9D0@HE1PR0101MB1578.eurprd01.prod.exchangelabs.com>
References: <!&!AAAAAAAAAAAuAAAAAAAAAAE305ODPRxMt+qtJdKYf/ABAMO2jhD3dRHOtM0AqgC7tuYAAAAAAA4AABAAAAAX2oiBJCVxSIJczAzEG6Z+AQAAAAA=@streames.co.uk>
In-Reply-To: <!&!AAAAAAAAAAAuAAAAAAAAAAE305ODPRxMt+qtJdKYf/ABAMO2jhD3dRHOtM0AqgC7tuYAAAAAAA4AABAAAAAX2oiBJCVxSIJczAzEG6Z+AQAAAAA=@streames.co.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
smtp.mailfrom=Acontact@unilever.com;
x-originating-ip: [122.54.30.41]
x-ms-office365-filtering-correlation-id: ed740a29-8494-4db2-e0ad-08d424e3fd2d
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEIDSmiley Sad22001);SRVR:HE1PR0101MB1578;
x-microsoft-exchange-diagnostics: 1;HE1PR0101MB1578;7:IxKHdoIFZpZzG9koq8lRQKQ/EILmMDaC2CqUhW3gqr12USclRziVmu/psobNUEkKJ+3zxi/KrKBsTLYxi+0XLhJ9tosPkL9/1FOszBf2YUdbjvsZ688ab3wzUa0q4+0aLmRbyoSZFDNHhUPP7s8DR3LIj9nW+6ATh9cLmQ9QTKIG673Xz8exQOEPPYL2trEkGSuXhJ9phmHojx+cLMQ8AXaujOhruKJQazlZnHNawX6cyameJXFHcOCUHR7l25HpcZ9x3MoeWlqvuGMT6KRyfb1mBsdidmnak1TY8XZbL76MS8eTEESf+rMPNESi+0wXUxf5BbwjxEOcRQWBjAEg59KVwZBt7Fs9vLrujk6rOfJ5TgRLhzwso9pgQX8i8BiZcUOSl+7FHm35aEz9lBYuGeFRWOEvox7+WQ9GG+TR5rC1zfJITwJ4LCpUE8gklT5FWAubqWDq1ZpYfseZvbZoww==
x-microsoft-antispam-prvs: <HE1PR0101MB157851859AB9BB40C1857E249A9D0@HE1PR0101MB1578.eurprd01.prod.exchangelabs.com>
x-exchange-antispam-report-test: UriScanSmiley Sad161201523670673)(193647997267488)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEIDSmiley Sad102415395)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(6041248)(20161123562025)(20161123560025)(20161123564025)(20161123555025)(6072148);SRVR:HE1PR0101MB1578;BCL:0;PCL:0;RULEID:;SRVR:HE1PR0101MB1578;
x-forefront-prvs: 0157DEB61B
x-forefront-antispam-report: SFV:NSPM;SFSSmiley Sad10019020)(7916002)(39850400002)(39450400003)(39840400002)(39410400002)(39860400002)(199003)(55674003)(189002)(377454003)(6116002)(790700001)(2900100001)(229853002)(2950100002)(345774005)(6916009)(3480700004)(9686002)(8936002)(122556002)(8666005)(2906002)(4326007)(86362001)(92566002)(3846002)(3660700001)(8676002)(102836003)(189998001)(81166006)(74316002)(7736002)(76176999)(105586002)(5660300001)(106356001)(7906003)(101416001)(54356999)(3280700002)(50986999)(25786008)(733005)(68736007)(6436002)(66066001)(77096006)(38730400001)(99936001)(7696004)(6506006)(97736004)(81156014)(33656002)(110136003)(606005)(7099028)(7059030);DIRSmiley SurprisedUT;SFP:1102;SCL:1;SRVR:HE1PR0101MB1578;H:HE1PR0101MB1578.eurprd01.prod.exchangelabs.com;FPR:;SPF:None;PTR:InfoNoRecords;A:1;MX:1;LANG:en;
received-spf: None (protection.outlook.com: unilever.com does not designate
permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/related;
boundary="_004_HE1PR0101MB1578AF175CD211636ECD395E9A9D0HE1PR0101MB1578_";
type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: unilever.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Dec 2016 12:14:58.7068
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f66fae02-5d36-495b-bfe0-78a6ff9f8e6e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0101MB1578

I am sure the information means a lot more to you than it does to me but I am learning all the time and hope to learn even more from this issue.  Any suggestions or solutions will be a great help not only to me but also to the Clients' IT and to the employees at that domain who are not just having trouble reaching me but also anyone else on the ntlworld.com domain.

Many thanks for picking this up,

Streamerjohn

0 Kudos
Reply
  • 4
  • 0
  • 0
Streamerjohn
Joining in
466 Views
Message 4 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

Hi again,

I have just re-read my post and noticed all the emoticons it now sports.  This has nothing to do with me and must be an ASCII character glitch.  If it affects your understanding of the post please post again to let me know and I will try and try and re-post the message without the irrelevant components.

Many thanks,

SJ

0 Kudos
Reply
  • 13.64K
  • 719
  • 4.72K
Superuser
Superuser
456 Views
Message 5 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

Re the character glitch - I tend to use the Insert code Icon (looks like a page with </> on it in the toolbar.

BTW I'm using a Ubuntu Linux with dnsmasq - so ignore the fact that the DNS server address is 127.0.1.1 I'm actually using Virgin Media's DNS servers.

First thing I note is the sending domain - unilever.com

So lets have a look at it's DMARC record

> _dmarc.unilever.com
Server:         127.0.1.1
Address:        127.0.1.1#53

Non-authoritative answer:
_dmarc.unilever.com     text = "v=DMARC1; p=quarantine; rua=mailto:dmarc@unilever.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; sp=none"

Note the p=quarantine - which means that mails failing DMARC should be quarrantined.  Which falls into line with the reason for the rejection.

Remote Server returned '554 5.2.0 LCRY1u00B2Uskg801CRZKg DMARC validation failed with result 3.00:quarantine'

As noted in the original post - I'm asking Virgin why they are rejecting mail with a DMARC policy of quarantine.  But the fact is at the very least with that outcome the mail SHOULDN'T end up in your Inbox, I'd prefer it to be marked as spam rather than rejected though.

So why is the mail being failed?  Well I had a look at the server reporting the error and that appears to be a Microsoft server.  Looking at the SPF record for unilever.com

unilever.com    text = "v=spf1 include:sharepointonline.com include:unilever-uk.trclient.com include:nw010.com " "ip4:141.146.165.27 ip4:141.146.165.28 ip4:96.43.147.0/25 ip4:136.146.128.0/25 ip4:204.14.232.0/25 ip4:85.222.130.224/26 ip4:182.50.78.0/25 " "ip4:194.60.111.172 ip4:194.60.111.164 ip4:194.60.111.165 ip4:194.60.111.166 ip4:194.60.111.167 ip4:194.60.111.169 ip4:194.60.111.170 ip4:194.60.111.171 " "ip4:174.143.100.191 ip4:67.192.139.34 ip4:67.192.157.83 ip4:134.213.38.184 ip4:134.213.38.185 ip4:134.213.43.128 ip4:156.51.31.71 ip4:162.61.224.50 ip4:213.177.33.153 ip4:54.240.8.0/23 ip4:89.234.41.53 " "ip4:160.34.64.0/27 ip4:208.185.229.40/29 ip4:208.185.235.40/29 ip4:208.185.229.197 ip4:208.185.229.198 ip4:208.185.229.199 ip4:208.185.235.197 ip4:208.185.235.198 ip4:208.185.235.199 " "ip4:96.43.144.64 ip4:96.43.144.65 ip4:96.43.148.64 ip4:96.43.148.65 ip4:96.43.151.0/25 ip4:136.146.208.16/27 ip4:136.146.210.16/27 ip4:136.147.46.224/26 ip4:136.147.62.224/26 ip4:204.14.234.0/25 ip4:52.68.233.169 ip4:54.178.172.43 " "ip4:62.128.223.55 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:213.129.90.104 ip4:84.45.15.6 ip4:188.95.0.38 ip4:188.95.7.6 ip4:5.61.115.80/28 ip4:5.61.115.96/28 ip4:5.61.115.112/28 " "ip4:185.79.140.0/22 ip4:202.129.242.0/23 ip4:194.11.253.147/28 ip4:194.4.230.80/28 ip4:194.4.230.79 ip4:194.11.253.134 ip4:194.11.253.135 ip4:205.223.230.229 ip4:62.6.153.165 ip4:5.61.115.0/24 ip4:208.92.178.200 ip4:208.92.176.200 " "ip4:208.92.177.152 ip4:107.20.210.250 ip4:54.229.2.165 ip4:54.153.131.110 ip4:52.1.14.157 ip4:52.30.130.201 ip4:54.66.252.242 ip4:107.23.16.222 ip4:52.17.45.98 ip4:54.173.83.138 ip4:52.16.190.81 ip4:212.247.0.242 " "ip4:212.247.0.243 ip4:134.213.242.70 ip4:194.204.27.131 ip4:194.204.0.4 ip4:82.199.250.65 ip4:176.74.168.123 ip4:113.192.243.106 ip4:113.192.243.107 -all"

Now that's a rather large SPF record but unless I'm missing my guess it doesn't include Microsoft's exchange servers which are used by office365 domains.  So I'm willing to theorise that the mail was failed on the basis of invalid SPF

Personally I'm not even sure that SPF record needs to include all those IP blocks but then again I don't know how Unilever's outbound mail works so I'll give it the benefit of the doubt.

My question here would be - is the sender using email servers recommended by Unilever to send their mail?

Ravenstar68

@Streamerjohn Have you tried asking them to send to a Gmail address and then if the mail is received viewing the headers on the received mail?

________________________________________


Only use Helpful answer if your problems been solved.

0 Kudos
Reply
  • 13.64K
  • 719
  • 4.72K
Superuser
Superuser
450 Views
Message 6 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

BTW I do find this odd in the header

received-spf: None (protection.outlook.com: unilever.com does not designate
permitted sender hosts)

As seen above unilever.com does indeed designate permitted sender hosts.

Ravenstar68

________________________________________


Only use Helpful answer if your problems been solved.

0 Kudos
Reply
  • 13.64K
  • 719
  • 4.72K
Superuser
Superuser
413 Views
Message 7 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

@Streamerjohn

I've had a brainwave.  While it doesn't directly tell me about the outbound mail servers unilever.com uses, I decided to have a look at their inbound servers by viewing their mx records.

 

> set type=mx
> unilever.com
Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

Non-authoritative answer:
unilever.com    MX preference = 10, mail exchanger = unilever-com.mail.protection.outlook.com
>

This tells me that they use do use Microsoft as their mail host.  But the one thing I don't see in their SPF record is this

 

 

include:spf.protection.outlook.com

Now I have taken out one of the ip4: terms from the above entry and searched it against the current spf entry for unilever.com, in case they'd indulged in record flattening but when i search for example

 

ip4:207.46.101.128/128 - which is in spf.protection.outlook.com - I find that it is not in the unilever.com spf record.

@Nicola_C or @Jen_A - can you ask the email team to check the reason for the dmarc rejection?  I'm now 100% certain it's going to have been rejected based on an SPF fail.  Which means unilever would need to look at their SPF record.

Ravenstar68

Edit information on SPF records used by Office 365 can be found here - https://technet.microsoft.com/en-GB/library/dn789058(v=exchg.150).aspx

I do note it says that you no longer need a different SPF record when using sharepoint online.

________________________________________


Only use Helpful answer if your problems been solved.

0 Kudos
Reply
  • 13.64K
  • 719
  • 4.72K
Superuser
Superuser
314 Views
Message 8 of 8
Flag for a moderator

Re: DMARC rejection - A practical example

I wanted to post some information on the original issue I've highlighted.

I've been in touch with Google to discuss this, and their answer was to set up alternate routing so the mail was not only delivered to my G-Suite inbox but also to my blueyonder address.

Here's one such mail.

 

Return-Path: <yahooaddress@yahoo.co.uk>
Delivered-To: myaddress@blueyonder.co.uk
Received: from md24.tb.ukmail.iss.local ([212.54.57.71])
	by mc8.tb.ukmail.iss.local (Dovecot) with LMTP id GMoeDxd5WljNCQAAVqD7fw
	for <myaddress@blueyonder.co.uk>; Wed, 21 Dec 2016 13:45:31 +0100
Received: from mx4.tb.ukmail.iss.as9143.net ([212.54.57.71])
	by md24.tb.ukmail.iss.local (Dovecot) with LMTP id gU5XP9KmsFbNVwAAgdd7XA
	; Wed, 21 Dec 2016 13:45:31 +0100
Received: from mail-it0-f69.google.com ([209.85.214.69])
	by mx4.tb.ukmail.iss.as9143.net with bizsmtp
	id NclU1u00J1WQR9d01clWm4; Wed, 21 Dec 2016 13:45:31 +0100
X-SourceIP: 209.85.214.69
X-CNFS-Analysis: v=2.2 cv=UcwhcOaN c=1 sm=1 tr=0
 a=qJCClHO3jD6NaAGTFbeooQ==:117 a=WxmG9SnyG9QA:10 a=n5n_aSjo0skA:10
 a=jZvlvdsFt1_0Fbj0q70A:9 a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=3BuVdkwLUzEA:10
Received: by mail-it0-f69.google.com with SMTP id o141so135825061itc.1
        for <myaddress@blueyonder.co.uk>; Wed, 21 Dec 2016 04:45:29 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:dkim-signature:date:from:reply-to:to:message-id
         :subject:mime-version:references:content-length;
        bh=qVr0LIsKkmxwDyut040DyxpmsCr73beeaFWWJoOhNjg=;
        b=BdTO/fqEDw5RaQxYhZBNjJVj9hb1gPnhGAxQpI15iIM7W6UWNCVK8QaKbjWHZLIPxj
         32pdQW+eGw/rmnNjuB8wbyZkVJs15Qdl9gAGW/IfT5SrIS6ZUpPMK+Dqj0rD7y+/7vxn
         fJ9xEAsLKXcF2siSqtRTOshMeYDwx6qEPH/Qcj0h44ac0XoC3lrrKO4ZPCMdic+LByvV
         ii3gG/gYB+OgBqk0sH7sKnMwndkaFxjAqz2pAnbPRZYPdfhE7iGrgjZCUpYGUEehnsyc
         GbFo0Jv6JCxE23Xsx919y5wUbIIeripcUEZt4UJyONZCgU50Egs5ic8D48RGJ947rNds
         1R1w==
X-Gm-Message-State: AIkVDXJhoYUTcXHpBY7GP3VfloaaJNMnyYR97G1USy5NiZnlwHGx/s1EonfzZnub+YvUQvQwqSVkhBGM9iE2wR1rELs2no3PbUpw6lrTDY6/sfh5/9SAH++yY7vTrrysDHpflFkkcxtHw2PXZ/2t5jj4OCL94zte0ipYVIwpKOmiXzLga2rwe8bOFo7nsU5h
X-Received: by 10.107.26.15 with SMTP id a15mr4879432ioa.103.1482324328110;
        Wed, 21 Dec 2016 04:45:28 -0800 (PST)
X-Received: by 10.107.26.15 with SMTP id a15mr4879407ioa.103.1482324327716;
        Wed, 21 Dec 2016 04:45:27 -0800 (PST)
Return-Path: yahooaddress@yahoo.co.uk>
Received: from nm37-vm4.bullet.mail.ne1.yahoo.com (nm37-vm4.bullet.mail.ne1.yahoo.com. [98.138.229.132])
        by mx.google.com with ESMTPS id q83si16403463itd.125.2016.12.21.04.45.27
        for <me@timothydutton.co.uk>
        (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Wed, 21 Dec 2016 04:45:27 -0800 (PST)
Received-SPF: pass (google.com: domain of yahooaddress@yahoo.co.uk designates 98.138.229.132 as permitted sender) client-ip=98.138.229.132;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yahoo.co.uk;
       spf=pass (google.com: domain of yahooaddress@yahoo.co.uk designates 98.138.229.132 as permitted sender) smtp.mailfrom=yahooaddress@yahoo.co.uk;
       dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.uk; s=s2048; t=1482324327; bh=qVr0LIsKkmxwDyut040DyxpmsCr73beeaFWWJoOhNjg=; h=Date:From:Reply-To:To:Subject:References:From:Subject; b=mX5Lcq+hJ9FrH00wJUqm5CB0/gVVvZQfUSnXYfQMIfztJnuoj3oxcim9urHYCJZUiZ+gRR+Nxq9YIVUztjeT2Ah6Nok6fxo7SkAFPvXPyvKaJ0b11+8H5aWkU3bVN4q+16z1j5YYWnkAalNUhMN8U26kiqMPRIZ61lpGHheHM/Zl5qCevxlwMWIzS7rwqoKO7PPJiGavJOfhhRlIRBMXhqdYvtkFxws8Etm5lm9l9qH7VKQvurT9bdk+aaL43N4RLEFW00NiYrUvkoeW22tbZ/yTovWkHz+FBN91N1eMKdWhrTOH5rM7kXUYUuX79HZGHvgYyaEkT91QW9ys1a1bVA==
Received: from [127.0.0.1] by nm37.bullet.mail.ne1.yahoo.com with NNFMP; 21 Dec 2016 12:45:27 -0000
Received: from [98.138.100.116] by nm37.bullet.mail.ne1.yahoo.com with NNFMP; 21 Dec 2016 12:42:35 -0000
Received: from [212.82.98.126] by tm107.bullet.mail.ne1.yahoo.com with NNFMP; 21 Dec 2016 12:41:50 -0000
Received: from [212.82.98.71] by tm19.bullet.mail.ir2.yahoo.com with NNFMP; 21 Dec 2016 12:41:49 -0000
Received: from [127.0.0.1] by omp1008.mail.ir2.yahoo.com with NNFMP; 21 Dec 2016 12:41:49 -0000
X-Yahoo-Newman-Property: ymail-4
X-Yahoo-Newman-Id: 891473.95438.bm@omp1008.mail.ir2.yahoo.com
X-YMail-OSG: 6wG61IYVM1me2fESzDfX.i9IfCH2DJCpOavDgDDHWv_p473KFt4EmFS1eDZS2c0
 QhcoEerASyHL_J82aopNY9Voy0K5bU5OHDqS9SovrESgRSgnfDrhWwAOvp2_o_q.7nJIGta8qcwj
 LdoBNqf2TND53SP.Gprufpha0tgwEoErdt9pE7GucZJG1Hrg9Q2wcOibw8n.gMhiT2uh_HbbmRAU
 UMDGaxG7g_SxgwQ91WcxQNyzmn2gZrcRoFu3Z.P7BQ7OYQ1NyYgDs4KckrzRcKfyBIXES4hDJ5w_
 mM1wDizekMTJSwQoorpevq.ab_0N5ufmIVD4JYzrecAJV6GAX826kGYn9nWC5n.T_zx9_23CczL7
 mQGcD5fZD8XPKo5Amp447F1GhSUNbkEkUj5XK5ePmqrovDwwa93oyqpoyg8oHH7hRWUPP6GUt5vK
 jdWUVqCiGFUUCiLd8ZZ4K2BTlFCDQKIXHMZkGm8o2su13KxpcUne1NYK1Or1_DiEb2CMTzGz2KFM
 JE9XpKqc41pXpibc-
Received: from jws700066.mail.ir2.yahoo.com by sendmailws102.mail.ir2.yahoo.com; Wed, 21 Dec 2016 12:41:49 +0000; 1482324109.420
Date: Wed, 21 Dec 2016 12:41:49 +0000 (UTC)
From: Me <yahooaddress@yahoo.co.uk>
Reply-To: Me <yahooaddress@yahoo.co.uk>
To: Me <me@timothydutton.co.uk>
Message-ID: <559991842.460224.1482324109236@mail.yahoo.com>
Subject: forward to blueyonder
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_460223_542602391.1482324109236"
References: <559991842.460224.1482324109236.ref@mail.yahoo.com>
Content-Length: 609

------=_Part_460223_542602391.1482324109236
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Testing forwarding with footer turned on
------=_Part_460223_542602391.1482324109236
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, Sans-Serif;font-size:16px"><div id="yui_3_16_0_ym19_1_1482322499750_6362">Testing forwarding with footer turned on</div></div></body></html>
------=_Part_460223_542602391.1482324109236--

I note the following:

 

1.  The routing means the Append Footer option is not added to this particular mail.
2.  Although Google is in effect still forwarding the mail onwards it doesn't rewrite the sender address

Return-Path: <yahooaddress@yahoo.co.uk>

This means that when Virgin Media does it's validation checks this mail actually fails SPF

Received: from mail-it0-f69.google.com ([209.85.214.69])
	by mx4.tb.ukmail.iss.as9143.net with bizsmtp

Note Virgin receive it from Google and not Yahoo.
However it passes DMARC because DKIM validation overrules the SPF result, and that is still done against the From: address using the DKIM header added by Yahoo when the mail was first sent.

Now Google are quick to blame Yahoo for this issue - to quote the agent I spoke to - "Yahoo's reject policy is a bit harsh."  However the whole point of DMARC is that Domain owners are free to choose their own policy - If Google wasn't appending the footer to forwarded mail then Yahoo's reject policy would not be an issue.

The agent also said that append footer appends the footer to all mails going out from my domain.  But here's a question.  If a company sends an email then it's only right that if they choose to have a footer that it appears when a mail is sent DIRECTLY FROM their company.  BUT - if one of their workers has opted to forward inbound mail to a home address, is it appropriate that my company's footer appears on an email that we did not originally send?

Ravenstar68

________________________________________


Only use Helpful answer if your problems been solved.