Solved Autoresponder and DMARC

jigster

When an autoresponder/out-of-office reply is sent (with DirectAdmin Vacation or with a sieve rule in Roundcube), DMARC fails. Even with the solution posted here, DMARC still fails because the header-from domain is that of the actual user but DKIM/SPF both use the server hostname, so DMARC fails due to alignment. Anyone know of a way to fix this so DMARC alignment passes? Thanks
 
Yes, and both pass. It's the alignment that's causing the problem because the header-from domain is different to the SPF/DKIM domain. Unless DMARC is set to 'none' all the big providers bounce the messages due to the failure.
 
Yes that is a problem as you can have multiple SPF and DKIM records for a domain but only 1 DMARC record.

However, I was thinking, if you include the server's hostname in SPF and then add the DKIM record for the hostname in your domain DNS, then in fact DMARC shouldn't have any reason to complain anymore, right?

Because in that case both SPF and DKIM are valid. It's worth a try.
 
Thanks a lot, but I'm not sure that would work because the header-from has to match the domain used for SPF (from the envelope-sender) or DKIM, both of which are the server hostname. I think the only options are:

Change the autoresponder's header-from to use the server hostname so it matches the SPF/DKIM domain. I tried this approach and it works, but means the autoreply comes from [email protected] which is undesirable as the sender won't know who the auto-reply is from.

Change the envelope-from to use the user's domain so the SPF domain will 'align' with the header-from domain, therefore passing the DMARC alignment checks. To work for all scenarios (DA Vacation and Roundcube sieve rules), maybe there's a way to write a custom rule in Exim to somehow trigger the same SRS rewrite that happens with email forwarding, which changes the envelope-from address so that SPF passes.
 
How does everyone else handle autoresponders and DMARC? Not use DMARC quarantine/reject and set the DMARC policy to 'none' instead? Not use DMARC at all? Or just not worry about a lot of autoresponders bouncing? Thanks - just trying to gauge the best approach. We've come from cPanel where autoresponders worked without bounces, so we're getting some complaints.
 
Do you use autoresponders too? So yes this can work, but then DMARC is not working anyway.
Yes that seems to be a major issue with DMARC - with it set to 'p=none' autoresponders work without bounces, but then DMARC is essentially doing nothing other than notifications. With DMARC set to quarantine or reject, autoresponders bounce or go to spam. Catch 22!
 
Clients use the vacation thing, first they would not deliver to Google, but after setting this they did (and keep doing).
 
Yes, it's because of the p=none; thing, which makes your DMARC useless :)
This worked for me for vacation messages set up by Roundcube with a strict DMARC
That solution didn't work for me because it sets the envelope-sender to [email protected] (the sieve script owner) which still doesn't match the user's domain which is what is in the header-from of the autoresponder and what needs to match for DMARC to pass alignment checks. Strange that it worked for you @Active8, I wonder why?
 
Yes I've got those, and both SPF and DKIM pass when an autoresponder is sent, so that's all working correctly.

What doesn't pass is the DMARC alignment check which needs either the SPF or DKIM to be using the user domain (not the server hostname) so one of them matches the 'From:' header. Without either SPF or DKIM domains matching the domain in the 'From:' header, DMARC fails.

@Active8, if your autoresponders pass DMARC, I wonder what is being set in the header-from of your autoresponder, what is being set as the envelope-from, and what domain is being used for SPF and DKIM? Are they all the same domain, or are some the server and some the user domain?
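
Added example, not part of the thread and not DirectAdmin or Exim code: a small checker that applies the alignment rule discussed above to a message's headers, so a received autoreply can be diagnosed. The headers are constructed (example.com stands for the user's domain, server.example.net for the server hostname), and the organizational domain is approximated as the last two labels, whereas real receivers use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed autoresponder headers: SPF and DKIM both pass, but for the
# server hostname rather than the domain in the From: header.
BEFORE = """\
Return-Path: <mail@server.example.net>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=server.example.net; dkim=pass header.d=server.example.net
From: User <user@example.com>
Subject: Out of office

"""
# Same message once the DKIM signing domain is the user's domain.
AFTER = BEFORE.replace("header.d=server.example.net", "header.d=example.com")


def org_domain(domain):
    # Assumption: last two labels. Wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict):
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_eval(raw, strict=False):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", ar)
    dkims = re.findall(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", ar)
    # A mechanism only counts for DMARC if it passes AND its domain aligns with From:.
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, strict)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, strict) for res, d in dkims)
    return {"from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, dmarc_eval(raw))
```
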
 
This did not work for us as it is only for Sieve.

You should check this:

Works for us for vacation/autoresponders as well as sieve auto-replies. You just change your DKIM exim file and then exim aligns DKIM normally and DMARC also works.
 
Thanks @Stije, I will try it next week and see if it works for us.
 
The solution posted above by @Stije worked for us and now autoresponders are correctly passing DMARC. Thanks a million @Stije - it was driving me nuts for days!
 
Yes, here's what I did:

Code:
mkdir -p /usr/local/directadmin/custombuild/custom/exim;
cp /usr/local/directadmin/custombuild/configure/exim/exim.dkim.conf /usr/local/directadmin/custombuild/custom/exim/;

Then edit /usr/local/directadmin/custombuild/custom/exim/exim.dkim.conf to replace the dkim_domain section with the custom code.

Rebuild Exim config:
Code:
cd /usr/local/directadmin/custombuild; ./build update; ./build exim_conf

And finally check /etc/exim.dkim.conf to ensure the changes are there.
 
Unfortunately it's not working for me. Today I got a load of messages about mail being spam because the key is not found. I will report in the thread which was linked to.
 