Kerio Connect DSN breaks DMARC
At Help protect your mail domain with DMARC I explained how to implement DMARC with Kerio Connect. I had set up my server that way and was monitoring the results, hoping that I could change the DMARC policy from "quarantine" to "reject".
However, I noticed that something was slipping through without SPF or DKIM. The mail was coming from my IP address, but it was saying it came from "mail.aplawrence.com", which is incorrect. My first thought was that I had some old cron job or script misconfigured, but it wasn't that.
Hunting more deeply, I found that the problem was DSN's (Delivery Status Notifications). If someone sends email to a non-existent address at aplawrence.com, a DSN would be generated, but it comes from "email@example.com". It picks that up from the Internet Hostname and there is no other place to override that. As "mail.aplawrence.com" doesn't exist as a mail domain (it's my MX, but my domain is "aplawrence.com"), SPF fails and also no DKIM is added.
I'd call that improper behavior. RFC 1894 seems to address this:
I would think that the DSN should be from the postmaster at the domain that the incorrect mail was sent to. The Internet Host name is not a domain; it's a host and shouldn't be used as a mail domain.
I raised a ticket with Kerio. Their suggestion was to set the Internet Hostname and MX to "aplawrence.com", but that would break my web site as that sits at a different IP. I could use another domain entirely, but that is annoying and wasteful.
For the moment, I have to leave my DMARC policy set to "quarantine".
Got something to add? Send me email.
(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version
Increase ad revenue 50-250% with Ezoic
Inexpensive and informative Apple related e-books:
El Capitan: A Take Control Crash Course
Take Control of OS X Server
Take Control of the Mac Command Line with Terminal, Second Edition
Take Control of Your Apple Wi-Fi Network
Take Control of Numbers