dkim-ops
[Top] [All Lists]

[dkim-ops] Google rejecting forwarded facebook mails based on DKIM

2011-09-06 12:31:50
Hello,

Many people, including myself, have been receiving the following reject
message from Google when a message from @facebookmail.com is sent to a
user here at @uwo.ca who is forwarding their mail to @alumni.uwo.ca,
which is a Google-hosted domain:

550 5.7.1 Unauthenticated email is not accepted from this domain.
u45si20503609yhu.120

We have opened a corporate support ticket with Google and got the
following answer:

Thank you for your message. I understand that some emails forwarded 
from facebook are being rejected. You might want to set up DKIM 
authentication for your domain to resolve this issue. More details 
about this are available at the link below:

http://www.google.com/support/a/bin/answer.py?answer=174124 Please 
let me know if you have any additional questions about this case.


Since the message that is being forwarded is already DKIM signed by
facebookmail.com, and we are simply forwarding it without applying our
own DKIM signature, nor modifying the body or any of the signed headers,
I asked for clarification as to why we would need to enable DKIM signing
in order to forward mail that is already signed.

Their reply was:

Thanks for providing additional details. We accept only DKIM
authenticated emails from facebook. Somehow it looks like when your
mail server forwards the message to us some portion of the header is
getting modified. The recipient address changes and there might be
few other sections of the original header that get modified. I did
little more investigation and noticed that we are able to receive
emails from facebook as long as it is properly authenticated.

You might want to enable DKIM for your domain in CPanel and see if
that helps in resolving the issue. Otherwise the other option might
be to directly send the emails to Google rather than forwarding.

Please let me know if you have any additional questions about this
case.


Again, I'm confused, but I'm not too familiar with DKIM. Of course we're 
modifying the recipient address since we're forwarding the message. But 
we only modify the envelope mail from and rcpt to addresses, not the 
 From or To headers.

Since we're not modifying any of the signed headers, nor the body of the 
message, why would Google be rejecting the message for not being 
authenticated?

Before I replied to Google again, I wanted to get a better understanding 
of what's going on. Am I correct in my understanding of how this should 
be working? Please let me know if you need more details.

Thanks,
Andrew


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops

<Prev in Thread] Current Thread [Next in Thread>