In "Help protect your mail domain with DMARC" I explained how to implement DMARC with Kerio Connect. I had set up my server that way and was monitoring the results, hoping that I could change the DMARC policy from "quarantine" to "reject".
However, I noticed that something was slipping through without SPF or DKIM. The mail was coming from my IP address, but it was saying it came from "mail.aplawrence.com", which is incorrect. My first thought was that I had some old cron job or script misconfigured, but it wasn't that.
Hunting more deeply, I found that the problem was DSNs (Delivery Status Notifications). If someone sends email to a non-existent address at aplawrence.com, a DSN would be generated, but it comes from "[email protected]". It picks that up from the Internet Hostname and there is no other place to override that. As "mail.aplawrence.com" doesn't exist as a mail domain (it's my MX, but my domain is "aplawrence.com"), SPF fails and also no DKIM is added.
I'd call that improper behavior. RFC 1894 seems to address this:
I would think that the DSN should be from the postmaster at the domain that the incorrect mail was sent to. The Internet Host name is not a domain; it's a host and shouldn't be used as a mail domain.
I raised a ticket with Kerio. Their suggestion was to set the Internet Hostname and MX to "aplawrence.com", but that would break my web site as that sits at a different IP. I could use another domain entirely, but that is annoying and wasteful.
For the moment, I have to leave my DMARC policy set to "quarantine".
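The failure described above can be reproduced offline with a simplified DMARC alignment check over a receiver's Authentication-Results header. This is an added example, not code from the original post or from Kerio; the receiver name `mx.example.net`, the local parts, the header values and the signed-DSN case are constructed, and the organizational-domain rule is a naive stand-in for the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: naive "last two labels" rule; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_verdict(raw, strict=False):
    """DMARC verdict from the receiver's Authentication-Results header (RFC 8601)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    results = " ".join(msg.get_all("Authentication-Results", []))
    passing = []
    # SPF identity is MAIL FROM, or HELO when the return path is null, as in a DSN.
    spf_re = r"spf=pass[^;]*?smtp\.(?:mailfrom|helo)=(?:[^\s;@]*@)?([\w.-]+)"
    for m in re.finditer(spf_re, results):
        if aligned(m.group(1), from_domain, strict):
            passing.append("spf")
    for m in re.finditer(r"dkim=pass[^;]*?header\.d=([\w.-]+)", results):
        if aligned(m.group(1), from_domain, strict):
            passing.append("dkim")
    return {"from": from_domain, "aligned": passing,
            "dmarc": "pass" if passing else "fail"}

# Constructed samples: receiver name, local parts and results are invented.
NORMAL = (
    "Authentication-Results: mx.example.net; spf=pass "
    "smtp.mailfrom=user@aplawrence.com; dkim=pass header.d=aplawrence.com\n"
    "From: User <user@aplawrence.com>\n\nhello\n"
)
DSN = (
    "Return-Path: <>\n"
    "Authentication-Results: mx.example.net; spf=fail "
    "smtp.helo=mail.aplawrence.com; dkim=none\n"
    "From: Mail Delivery <dsn-sender@mail.aplawrence.com>\n\nundeliverable\n"
)
# Hypothetical: the same DSN if it carried a signature for the parent domain.
DSN_SIGNED = DSN.replace("dkim=none", "dkim=pass header.d=aplawrence.com")

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("dsn", DSN), ("dsn signed", DSN_SIGNED)):
        print(name, dmarc_verdict(raw), dmarc_verdict(raw, strict=True)["dmarc"])
```

The DSN fails because no mechanism passes at all, not because the host name is a subdomain: under relaxed alignment `mail.aplawrence.com` and `aplawrence.com` share one organizational domain, so the hypothetical signed DSN passes, while strict alignment rejects it.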
© 2015-01-20 Anthony Lawrence