> On 17 May 2025, at 02:37, Matthew Tse <[email protected]> wrote: > > Hey everyone, > > Thanks for the quick responses! This is super helpful. > > It seems there is some debate over whether forwarders should sign DKIM or not > for forwarded email. Kind of a question on if we want to take "ownership" of > this email.
Exactly. Another thing to consider is what you’re forwarding. If the mail you’re signing is spam (and reported a spam by the final recipient) that’s going to be a hit to your domain reputation and will affect deliverability for all your customers. If your filters are good you shouldn’t be forwarding spam. But no filters are 100% accurate. Depending on volumes of legit vs. spam you might be acquiring yourself a poor reputation by forwarding spam. > But regardless, there definitely exists a problem with INKY mail filter > software, where they rewrite the contents in a way that breaks DKIM, and > causes gmail to mark these messages as spam. So we're not really at fault for > that. I'll work with our customer to try to work with INKY. So you’re forwarding to INKY who is breaking the signature and then forwarding to Gmail? laura > > Best, > Matthew Tse > CEO @ ImprovMX <http://improvmx.com/> > > On Thu, May 15, 2025 at 7:09 AM Laura Atkins <[email protected] > <mailto:[email protected]>> wrote: >> >> >>> On 15 May 2025, at 06:36, Matthew Tse via mailop <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>> Hey Mailops! >>> >>> I'm new to the email forwarding community, having taken over ImprovMX >>> <https://improvmx.com/> a few months ago. This is my first message to the >>> mailing group (I've been very curiously lurking for months)! >>> >>> I'm looking for advice regarding DKIM signing. So it turns out ImprovMX >>> re-signs all forwarded emails with our own DKIM signature, which from my >>> research might not be standard (documentation suggests that mail forwarders >>> add ARC headers, but NOT re-sign using DKIM). >> >> Resigning is a statement that you are taking responsibility for the mail. >> I’m not sure that’s what you mean to do. It also means you break DMARC >> alignment using DKIM and that will cause your final recipients to lose mail >> when the senders designate p=reject (or possibly quarantine). >> >>> This is not a problem for most of our users, but some have been complaining >>> that when ImprovMX forwards emails to a destination guarded by email >>> phishing protection software like Inky <https://www.inky.com/products>, >>> they rewrite the body, and that breaks DKIM and the emails often end up in >>> spam. >> >> This is actually a separate issue. If the destination is rewriting the >> messages before they check DKIM, it doesn’t matter if you resign or not - >> the mail will still fail DKIM. Is it possible that the problem is actually >> that resigning the mail is breaking DMARC and therefore the messages are >> going to spam? >> >>> Is my thinking correct--that we should stop DKIM signing forwarded emails, >>> and rely on ARC? Also let me know if this is not the right place or type of >>> question to ask here! >> >> Part of the original DKIM intention was to be able to authenticate mail in a >> way that would survive forwarding. I’m not sure what made the ImprovMX folks >> decide resigning was the right decision, but I don’t think it was >> necessarily the right one. While ARC isn’t in widespread deployment, it’s >> probably worth leaving the original DKIM signature intact and resigning with >> ARC. If nothing else, it will distinguish between what your users are >> telling you (Inky is rewriting and causing mail to go to spam) and what >> might be the case (Inky is respecting DMARC p=reject and rejecting messages >> that fail due to you resigning DKIM with your own domain. >> >> laura >> >> -- >> The Delivery Expert >> >> Laura Atkins >> Word to the Wise >> [email protected] <mailto:[email protected]> >> >> Delivery hints and commentary: http://wordtothewise.com/blog >> >> >> >> >> >> -- The Delivery Expert Laura Atkins Word to the Wise [email protected] Delivery hints and commentary: http://wordtothewise.com/blog
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
