In "Help protect your mail domain with DMARC" I explained how to implement DMARC with Kerio Connect. I had set up my server that way and was monitoring the results, hoping that I could change the DMARC policy from "quarantine" to "reject".
However, I noticed that something was slipping through without SPF or DKIM. The mail was coming from my IP address, but it was saying it came from "mail.aplawrence.com", which is incorrect. My first thought was that I had some old cron job or script misconfigured, but it wasn't that.
Hunting more deeply, I found that the problem was DSNs (Delivery Status Notifications). If someone sends email to a non-existent address at aplawrence.com, a DSN would be generated, but it comes from "[email protected]". It picks that up from the Internet Hostname and there is no other place to override that. As "mail.aplawrence.com" doesn't exist as a mail domain (it's my MX, but my domain is "aplawrence.com"), SPF fails and also no DKIM is added.
I'd call that improper behavior. RFC 1894 seems to address this:
The From field of the message header of the DSN SHOULD contain the
address of a human who is responsible for maintaining the mail system
at the Reporting MTA site (e.g. Postmaster), so that a reply to the
DSN will reach that person. Exception: if a DSN is translated from a
foreign delivery report, and the gateway performing the translation
cannot determine the appropriate address, the From field of the DSN
MAY be the address of a human who is responsible for maintaining the

The envelope sender address of the DSN SHOULD be chosen to ensure
that no delivery status reports will be issued in response to the DSN
itself, and MUST be chosen so that DSNs will not generate mail loops.
Whenever an SMTP transaction is used to send a DSN, the MAIL FROM
command MUST use a NULL return address, i.e. "MAIL FROM:<>".
I would think that the DSN should be from the postmaster at the domain that the incorrect mail was sent to. The Internet Hostname is not a domain; it's a host and shouldn't be used as a mail domain.
I raised a ticket with Kerio. Their suggestion was to set the Internet Hostname and MX to "aplawrence.com", but that would break my web site as that sits at a different IP. I could use another domain entirely, but that is annoying and wasteful.
For the moment, I have to leave my DMARC policy set to "quarantine".
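The kind of monitoring described above can be done against DMARC aggregate (rua) reports. The following is an added example, not part of the original post: it lists mail from your own server's IP that failed both DKIM and SPF, grouped by From domain, so stray sources such as DSNs show up before the policy is tightened. The report contents, the IP addresses and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report in the RFC 7489 layout; IPs are documentation
# addresses standing in for the real server (192.0.2.10) and an outside sender.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>aplawrence.com</domain><p>quarantine</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>42</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>aplawrence.com</header_from></identifiers>
 </record>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>3</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mail.aplawrence.com</header_from></identifiers>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>5</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>aplawrence.com</header_from></identifiers>
 </record>
</feedback>"""


def own_server_failures(report_xml, own_ips):
    """Count messages from our own IPs that failed both DKIM and SPF under DMARC.

    Returns {(source_ip, header_from): message_count}. Reports come from
    outside parties, so parse real ones with a hardened parser (e.g. defusedxml).
    """
    failures = Counter()
    for record in ET.fromstring(report_xml).iter("record"):
        ip = record.findtext("row/source_ip", "").strip()
        evaluated = record.find("row/policy_evaluated")
        if ip not in own_ips or evaluated is None:
            continue
        # DMARC fails only when neither mechanism produced an aligned pass.
        if evaluated.findtext("dkim") != "pass" and evaluated.findtext("spf") != "pass":
            header_from = record.findtext("identifiers/header_from", "").strip().lower()
            failures[(ip, header_from)] += int(record.findtext("row/count", "0"))
    return dict(failures)


if __name__ == "__main__":
    for (ip, header_from), n in own_server_failures(SAMPLE_REPORT, {"192.0.2.10"}).items():
        print(f"{n} message(s) from {ip} failed DMARC with From domain {header_from}")
```

Failures from other IPs are left out on purpose: those are the messages a "reject" policy is meant to stop, while failures from your own IP are the ones that have to be fixed first.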
© 2015-01-20 Anthony Lawrence