ARC ? | MDaemon Technologies, Ltd.

ARC ?


  • I have ARC enabled.  Default Selector is set as is Default Signing Domain.  Do I need to add my domain as a Trusted ARC Sealer?  With all this set will there be header changes made to help with receiving mail servers recognize and trust my Listserv mail?  I am not seeing any ARC info in headers for returning group mail and 'am curious if there should be.

    Edited: 7/7/2024

    I set up a test group and sent a post to a gmail account.  The source file does show ARC information. Below shows DKIM and DMARC passing, however, SPF=None.  My SPF entry passes with mxtoolbox and other spf checkers.  I have looked up the message "mail.domain.com does not designate permitted sender hosts," but the answers are confusing.  There is only one mail host and both the host and the ip4 are listed in the SPF record in DNS.  Any thoughts as to why this occurs?

    ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@domain.com header.s=MDaemon header.b=zd5IF1aY;
    spf=none (google.com: mail.domain.com does not designate permitted sender hosts) smtp.helo=mail.domain.com;
    dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.com

    Thanks,

    Jay  



  • Do I need to add my domain as a Trusted ARC Sealer? 

    No. You need to list all the external domains that you want to trust ARC Results from.  If a message contains ARC results from a domain that is not in your list of Trusted ARC Sealers, then the ARC results will be ignored.

    With all this set will there be header changes made to help with receiving mail servers recognize and trust my Listserv mail? 

    Potentially, but the receiving servers must trust the ARC results added by your server.

    I am not seeing any ARC info in headers for returning group mail and 'am curious if there should be.

    That depends. Forwarded messages, mailing list messages, and gateway messages with authentication results are eligible for ARC signing.  

    If you create a mailing list in MDaemon, add a couple of members with external addresses, for example user@gmail.com.  Then send a message from user@gmail.com to the list.  Freeze your remote queue.  Open the list message in the Remote Queue with a text editor.  You should see ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal headers added to the top of the message.

    You can also check the ARC log to see ARC signing and verification results.

    Do you have an SPF record setup in DNS for mail.domain.com?  I believe its showing none because your SPF record is for domain.com.  Try adding an SPF record for mail.domain.com.


  • @ArronSPF record in DNS:  v=spf1 a:mail.domain.com ip4:x.x.x.x -all.

    So, when I send from the test Gmail account and look at the entry in the Remote Q, here are the results:

    ARC-Authentication-Results: i=1; mail.domain.com;
     spf=pass smtp.mailfrom=_spf.google.com;
     dkim=pass (good signature) header.d=gmail.com header.b=muZDwfdUhK;
     dmarc=pass header.from=gmail.com (p=none sampling=44 pct=100)

    After unfreezing the Q, the source of that e-mail in the Gmail account shows:

    Authentication-Results: mx.google.com;
    dkim=pass header.i=@domain.com header.s=MDaemon header.b="v2I/JOJ9";
    arc=fail (signature failed);
    spf=none (google.com: mail.domain.com does not designate permitted sender hosts) smtp.helo=mail.domain.com;
    dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com


    Sending to the test group from my MDaemon account and looking at the source in the Gmail account shows:

    ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@domain.com header.s=MDaemon header.b="Cgt/eaZh";
    spf=none (google.com: mail.domain.com does not designate permitted sender hosts) smtp.helo=mail.domain.com;
    dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.com

    When the gmail account received back the post it sent to test@domain.com Gmail asked to tag as SPAM or Accept. Now I am completely confused.

    However, the post from my MDaemon account went straight through to the gmail account without the Gmail Flag.

    Thanks,

    Jay


  • Is your SPF record setup in DNS for mail.domain.com and domain.com?  In addition to an SPF record being checked for domain.com, SPF can be checked for the EHLO value being passed during the SMTP session.  


  • I added the following and still getting the same ARC and DMARC failure in the returned gmail post.  My host name is mail.domain.com as is my EHLO.  I tried changing the end to _spf.mail.domain.com ~all and that did not make a difference.

    v=spf1 ip4:x.x.x.x include:domain.com include:mail.domain.com include:_spf.google.com include:%{i}._ip.%{h}._ehlo.%{d}._spf.domain.com ~all

     


  • In MDaemon what do you have set for the method to canonicalize headers?  (Security / Security Manager / Sender Authentication / DKIM Settings)

    If you change the header method to Relaxed and send another test, does the ARC signature verify?


  • @ArronChanging headers to Relaxed shows the following gmail source info:

    ARC-Authentication-Results: i=2; mx.google.com;
    dkim=pass header.i=@domain.com header.s=MDaemon header.b=fjdlKVrX;
    arc=pass (i=1 spf=pass spfdomain=_spf.google.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
    spf=none (google.com: mail.domain.com does not designate permitted sender hosts) smtp.helo=mail.domain.com;
    dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

    The only change is ARC now passes. Why would DMARC be in alignment when I send from my MDaemon e-mail, but fail when sent from a Gmail account?

     

    Edited:  This is from a test post from my MDaemon account to a newly added hotmail member.

    Received-SPF: Pass (protection.outlook.com: domain of mail.domain.com designates x.x.x.x as permitted sender)

    Note above the SPF line, google.com: mail.domain.com does not designate permitted sender hosts.  This e-mail was sent from the gmail account and returned to the gmail account via mail.domain.com.

    If I send from my MDaemon account to gmail I get the same results as from hotmail where everything passes with no SPAM warning.

    It's as if when sending to the group from hotmail or gmail something is being changed which neither system likes and makes SPF=None and DMARC fail?  The only difference I have found is the difference in, "designate permitted sender hosts."  Hopefully, this offers a clue as to what is occurring.

    Thanks again for helping with this, Arron

     

     


  • Why would DMARC be in alignment when I send from my MDaemon e-mail, but fail when sent from a Gmail account?

    DMARC should not be aligned.  

    When Gmail receives a copy of the message back from your MDaemon, the FROM header still has gmail.com in it.  In order to be DMARC aligned the message would need a valid DKIM signature from gmail.com or the message would have had to pass SPF for gmail.com.  Since the MAIL FROM value is not gmail.com it could not have passed SPF (if the MAIL FROM value was gmail.com it would fail SPF).  In addition, when processing list mail, MDaemon (and every other list server) makes changes to the message that break the existing DKIM signatures.  This means that DMARC can no longer be aligned.

    This is what ARC is supposed to help with.  Since ARC is passing, Gmail can choose to trust the ARC signature from your MDaemon, since it was aligned when the ARC signature was added, and ignore the fact that DMARC is no longer aligned.  They can also choose to ignore the ARC signature, which is what appears to be occurring.  

    spf=none (google.com: mail.domain.com does not designate permitted sender hosts) smtp.helo=mail.domain.com;

    Its not clear to me if you have added an SPF record for mail.domain.com.  Have you added the record to your DNS?  Adding an include to your existing record for domain.com is not what is needed.  Adding a record for mail.domain.com similar to the following should address the SPF issue:

     


  • @Arron Yes, I have two DNS records for SPF, one for domain.com - v=spf1 include:_spf.google.com ~all and one for mail.domain.com - v=spf1 ip4:x.x.x.x -all

    I also sent a test post to a group from a gmail account and asked both gmail and hotmail users if they received a SPAM warning or if the post went directly to the SPAM folder.  All of them received without warning and all went directly to their inbox.  I had one of them send me the source for my post and it's the same as I get when I send from Gmail or Hotmail, DKIM=Pass, ARC=Pass, SPF=None and DMARC=Fail.  However, I get a SPAM warning in Gmail and in Hotmail the post goes directly into the SPAM folder.  I did go into Gmail's Postmaster tools and it shows a red box for SPF and DKIM but does not specify what the problem is.  Not sure why they are flagging DKIM because it always passes and since you had me change the headers to relaxed ARC always passes. I think since I appear to be the only one seeing this behavior I will just leave things as is, unless there is anything else you can think of that could make a difference.

    Much appreciation for sticking with me on this one, Arron.

    Jay


  • If the record was recently added for mail.domain.com, gmail may be using cached data. 


  • @Arron Yes, I added the SPF record for mail.domain.com after you recommended it.


Please login to reply this topic!