Hey everyone, Thanks for the quick responses! This is super helpful.
It seems there is some debate over whether forwarders should sign DKIM or not for forwarded email. Kind of a question on if we want to take "ownership" of this email. But regardless, there definitely exists a problem with INKY mail filter software, where they rewrite the contents in a way that breaks DKIM, and causes gmail to mark these messages as spam. So we're not really at fault for that. I'll work with our customer to try to work with INKY. Best, Matthew Tse CEO @ ImprovMX <http://improvmx.com> On Thu, May 15, 2025 at 7:09 AM Laura Atkins <[email protected]> wrote: > > > On 15 May 2025, at 06:36, Matthew Tse via mailop <[email protected]> > wrote: > > Hey Mailops! > > I'm new to the email forwarding community, having taken over ImprovMX > <https://improvmx.com/> a few months ago. This is my first message to the > mailing group (I've been very curiously lurking for months)! > > I'm looking for advice regarding DKIM signing. So it turns out ImprovMX > re-signs all forwarded emails with our own DKIM signature, which from my > research might not be standard (documentation suggests that mail forwarders > add ARC headers, but NOT re-sign using DKIM). > > > Resigning is a statement that you are taking responsibility for the mail. > I’m not sure that’s what you mean to do. It also means you break DMARC > alignment using DKIM and that will cause your final recipients to lose mail > when the senders designate p=reject (or possibly quarantine). > > This is not a problem for most of our users, but some have been > complaining that when ImprovMX forwards emails to a destination guarded by > email phishing protection software like Inky > <https://www.inky.com/products>, they rewrite the body, and that breaks > DKIM and the emails often end up in spam. > > > This is actually a separate issue. If the destination is rewriting the > messages before they check DKIM, it doesn’t matter if you resign or not - > the mail will still fail DKIM. Is it possible that the problem is actually > that resigning the mail is breaking DMARC and therefore the messages are > going to spam? > > Is my thinking correct--that we should stop DKIM signing forwarded emails, > and rely on ARC? Also let me know if this is not the right place or type of > question to ask here! > > > Part of the original DKIM intention was to be able to authenticate mail in > a way that would survive forwarding. I’m not sure what made the ImprovMX > folks decide resigning was the right decision, but I don’t think it was > necessarily the right one. While ARC isn’t in widespread deployment, it’s > probably worth leaving the original DKIM signature intact and resigning > with ARC. If nothing else, it will distinguish between what your users are > telling you (Inky is rewriting and causing mail to go to spam) and what > might be the case (Inky is respecting DMARC p=reject and rejecting messages > that fail due to you resigning DKIM with your own domain. > > laura > > -- > The Delivery Expert > > Laura Atkins > Word to the Wise > [email protected] > > Delivery hints and commentary: http://wordtothewise.com/blog > > > > > > >
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
