On Thu, May 15, 2025 at 05:09:41PM +0200, Marco Moock via mailop wrote:

> On 15.05.2025 at 01:36:56, Matthew Tse via mailop wrote:
>
> > I'm looking for advice regarding DKIM signing. So it turns out
> > ImprovMX re-signs all forwarded emails with our own DKIM signature,
> > which from my research might not be standard (documentation suggests
> > that mail forwarders add ARC headers, but NOT re-sign using DKIM).
>
> As long as the message is not being altered, the original DKIM
> signature is still valid even when forwarded.
> If you sign it, you have to rewrite the From: header to your own domain.

This is false. Additional DKIM signatures can be added, and need not be
"aligned" with the "From:" header (any origin signature also does not
need to be "aligned" barring a DMARC policy to that effect).

> Mail forwarding is a PITA. If you want to have working SPF, DKIM and
> DMARC, you have to rewrite From: / MAIL FROM:

If the message body and headers are not altered, there is no need to
rewrite "From:". The envelope does need to change if SPF is also in
play.

On Thu, May 15, 2025 at 12:09:41PM +0100, Laura Atkins via mailop wrote:

> > On 15 May 2025, at 06:36, Matthew Tse via mailop <[email protected]> wrote:
> >
> > Hey Mailops!
> >
> > I'm new to the email forwarding community, having taken over ImprovMX
> > <https://improvmx.com/> a few months ago. This is my first message to the
> > mailing group (I've been very curiously lurking for months)!
> >
> > I'm looking for advice regarding DKIM signing. So it turns out ImprovMX
> > re-signs all forwarded emails with our own DKIM signature, which from my
> > research might not be standard (documentation suggests that mail forwarders
> > add ARC headers, but NOT re-sign using DKIM).
>
> Resigning is a statement that you are taking responsibility for the
> mail.

Which is fine, when forwarding, if the intent is for the reputation of the
forwarding domain to be imputed to the forwarded message.

> I’m not sure that’s what you mean to do. It also means you break
> DMARC alignment using DKIM and that will cause your final recipients
> to lose mail when the senders designate p=reject (or possibly
> quarantine).

Again, this is false. A message can have multiple DKIM signatures, and
only the "origin" signature needs to be "aligned" if the content is not
altered.

A sensible way to forward messages is to "encapsulate" them as
message/rfc822 attachments in a new message from (and signed by) the
forwarding domain.

    From: <forwarded-envelope-recipient>
    To: [email protected]
    Subject: your forwarded message: <original subject>
    Date: ...
    ...
    MIME-Version: 1.0
    Message-Id: <new-message-id>
    References: <original-message-id> <copy-of-original-references>
    Content-Type: message/rfc822

    <original headers>

    <original body>

The incoming recipient address whose mail is being forwarded can be the
envelope sender of the new message.

-- 
    Viktor.
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
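
The encapsulation sketched in the message above, as an added example that is not part of the original post: it builds the new outer headers and appends the original message byte-for-byte, so the inner DKIM signature still covers unmodified content. The function name `encapsulate`, the addresses and the sample message are constructed for illustration; the forwarder's own DKIM signing of the new message is left to the signing MTA and not shown.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

# Constructed inbound message; the bh=/b= values are placeholders, not real signatures.
ORIGINAL = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel1;\r\n"
    b" h=from:to:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: Alice <alice@sender.example>\r\n"
    b"To: bob@forwarder.example\r\n"
    b"Subject: Quarterly report\r\n"
    b"Date: Thu, 15 May 2025 10:00:00 +0000\r\n"
    b"Message-Id: <orig-1@sender.example>\r\n"
    b"References: <thread-0@sender.example>\r\n"
    b"\r\n"
    b"Body line one.\r\n"
)

def encapsulate(original: bytes, alias: str, target: str):
    """Wrap `original` untouched in a new message; return (envelope_sender, bytes)."""
    inner = message_from_bytes(original, policy=policy.SMTP)
    outer = EmailMessage(policy=policy.SMTP)  # rejects CR/LF in header values
    outer["From"] = alias                     # the forwarded envelope recipient
    outer["To"] = target
    outer["Subject"] = f"your forwarded message: {inner['Subject'] or ''}"
    outer["Date"] = formatdate(localtime=False)
    outer["Message-Id"] = make_msgid(domain=alias.rpartition("@")[2])
    # Template order: original Message-Id first, then a copy of its References.
    refs = [str(v) for v in (inner["Message-Id"], inner["References"]) if v]
    if refs:
        outer["References"] = " ".join(refs)
    outer["MIME-Version"] = "1.0"
    # Serialize only the new headers (there is no body yet), then add the MIME type.
    head = outer.as_bytes().rstrip(b"\r\n") + b"\r\n"
    cte = b"8bit" if any(b > 127 for b in original) else b"7bit"
    head += b"Content-Type: message/rfc822\r\nContent-Transfer-Encoding: " + cte + b"\r\n"
    # Original bytes go in verbatim: its signed headers and body hash are unchanged.
    # The alias doubles as the envelope sender of the new message.
    return alias, head + b"\r\n" + original

if __name__ == "__main__":
    sender, wire = encapsulate(ORIGINAL, "bob@forwarder.example", "bob@mailbox.example")
    print("MAIL FROM:", sender)
    print(wire.decode("ascii"))
```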
