Kerio Connect DSN breaks DMARC


At Help protect your mail domain with DMARC I explained how to implement DMARC with Kerio Connect. I had set up my server that way and was monitoring the results, hoping that I could change the DMARC policy from "quarantine" to "reject".

However, I noticed that something was slipping through without SPF or DKIM. The mail was coming from my IP address, but it was saying it came from "", which is incorrect. My first thought was that I had some old cron job or script misconfigured, but it wasn't that.

Hunting more deeply, I found that the problem was DSNs (Delivery Status Notifications). If someone sends email to a non-existent address at, a DSN is generated, but it comes from "". It picks that up from the Internet Hostname and there is no other place to override that. As "" doesn't exist as a mail domain (it's my MX, but my domain is ""), SPF fails and also no DKIM is added.

I'd call that improper behavior. RFC 1894 (since obsoleted by RFC 3464, which keeps the same wording) seems to address this:

The From field of the message header of the DSN SHOULD contain the address of a human who is responsible for maintaining the mail system at the Reporting MTA site (e.g. Postmaster), so that a reply to the DSN will reach that person. Exception: if a DSN is translated from a foreign delivery report, and the gateway performing the translation cannot determine the appropriate address, the From field of the DSN MAY be the address of a human who is responsible for maintaining the gateway.

The envelope sender address of the DSN SHOULD be chosen to ensure that no delivery status reports will be issued in response to the DSN itself, and MUST be chosen so that DSNs will not generate mail loops. Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a NULL return address, i.e. "MAIL FROM:<>".

I would think that the DSN should be from the postmaster at the domain that the incorrect mail was sent to. The Internet Hostname is not a domain; it's a host and shouldn't be used as a mail domain.
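To make the failure mechanism concrete, here is a small Python model of DMARC identifier alignment (RFC 7489 section 3.1). It is an added illustration, not code from this post or from Kerio Connect. The names mx.example.com (Internet Hostname and MX) and example.com (mail domain) are hypothetical stand-ins for the names left blank above, and the sample messages are constructed. Besides the DSN as described, it runs the two remedies a practitioner would consider: publishing an SPF record for the hostname itself, and the postmaster@domain From: argued for above.

```python
# Added example, not code from the original post or from Kerio Connect:
# a minimal DMARC identifier-alignment check in the spirit of RFC 7489
# section 3.1, applied to a DSN that is sent with MAIL FROM:<>.
from dataclasses import dataclass, field


def organizational_domain(domain: str) -> str:
    """Last two labels of a domain.

    RFC 7489 derives this from the public suffix list; taking the last two
    labels is a simplification that is correct for the example domains below
    but not for names under suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, strict: bool) -> bool:
    """Identifier alignment: exact match in strict mode, same organizational
    domain in relaxed mode (RFC 7489 section 3.1)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if strict:
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class Message:
    from_domain: str        # domain of the RFC5322.From header, which DMARC policy applies to
    mail_from: str          # RFC5321.MailFrom address; "" means the null reverse-path <>
    helo: str               # hostname given in HELO/EHLO
    spf_result: str         # result of the SPF check: "pass", "fail", "none", ...
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified


def spf_identity(msg: Message) -> str:
    """Domain that the SPF result belongs to.

    With a null reverse-path, RFC 7208 section 2.4 defines the MAIL FROM
    identity as postmaster@<HELO hostname>, so the hostname is the only
    domain SPF can vouch for on a DSN.
    """
    if msg.mail_from:
        return msg.mail_from.rsplit("@", 1)[-1]
    return msg.helo


def dmarc_evaluate(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when SPF or DKIM both passes and aligns with From.

    aspf/adkim are the policy's alignment tags ("r" relaxed, "s" strict).
    """
    spf_domain = spf_identity(msg)
    spf_aligned = msg.spf_result == "pass" and aligned(msg.from_domain, spf_domain, aspf == "s")
    dkim_aligned = any(aligned(msg.from_domain, d, adkim == "s") for d in msg.dkim_pass_domains)
    return {
        "spf_domain": spf_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed sample messages. mx.example.com (Internet Hostname / MX) and
# example.com (mail domain) are hypothetical stand-ins for the names the
# post leaves blank.
SCENARIOS = {
    # The DSN as the post describes it: From: postmaster@<hostname>, null
    # reverse-path, no SPF record for the hostname, no DKIM signature.
    "kerio_dsn": Message("mx.example.com", "", "mx.example.com", "none"),
    # Same DSN after publishing an SPF record for the hostname itself
    # (e.g. "v=spf1 a -all" at mx.example.com): SPF now passes for the HELO
    # identity, and that identity is exactly the From domain.
    "dsn_with_host_spf": Message("mx.example.com", "", "mx.example.com", "pass"),
    # The From the post asks for (postmaster@<mail domain>) with the same
    # HELO: aligns only in relaxed mode unless the DSN is also DKIM-signed.
    "dsn_from_mail_domain": Message("example.com", "", "mx.example.com", "pass"),
    # Ordinary outbound mail for comparison.
    "normal_mail": Message("example.com", "alice@example.com", "mx.example.com",
                           "pass", ["example.com"]),
}


def run_scenarios(aspf: str = "r", adkim: str = "r") -> dict:
    """Map each scenario name to its DMARC pass/fail under the given alignment modes."""
    return {name: dmarc_evaluate(msg, aspf, adkim)["dmarc_pass"]
            for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for mode in ("r", "s"):
        print(f"aspf={mode}:", run_scenarios(aspf=mode))
```

In this model the hostname-From DSN passes as soon as the hostname publishes its own SPF record, because with MAIL FROM:<> the SPF identity is the HELO name and that is the same name as the From domain; nothing in Kerio has to change for that. The postmaster@domain variant, by contrast, only aligns under relaxed SPF alignment unless the DSN is DKIM-signed. The practical check is to look at the DMARC aggregate reports for the SPF/HELO domain recorded against those DSNs before deciding between "quarantine" and "reject".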

I raised a ticket with Kerio. Their suggestion was to set the Internet Hostname and MX to "", but that would break my web site as that sits at a different IP. I could use another domain entirely, but that is annoying and wasteful.

For the moment, I have to leave my DMARC policy set to "quarantine".


© Anthony Lawrence

Tue Jan 20 16:50:55 2015: 12601   905c)


Well, legacy stuff again.
A DSN is supposed to come from the server administrator. What address should be there if an email was intended for two users in two different domains? That's why a generic server name is used as the sending domain. Emails should be delivered there (if any, because DSNs have an empty sender in SMTP to avoid loops) using legacy email delivery via the A record (link).
It is not perfect, but it works.

Tue Jan 20 16:57:35 2015: 12602   TonyLawrence


Thanks for that link. It doesn't work for DMARC!

But - now that I know these are just DSNs, I'm going to switch back to reject. A few bad typists may not know they mistyped if they don't get the reply. Minor risk.
