What can I do about discussion messages being undelivered because of DKIM / DMARC failures?

In order to reduce spam and fraudulent emails, many organisations have implemented new standards such as DKIM and DMARC. However, these standards cause problems with traditional group mailing lists, such as Jiglu's discussion messages. Here's an explanation of the problem and what you need to do to minimise the issue.

The problem

Traditional group mailing lists work by sending out email on behalf of the users who sent it in. Both the email coming in and the email going out to all the members might have a From: header like:

From: John Smith <(Address removed)>

Unfortunately though, spammers, phishers and other senders of fraudulent email have increasingly abused the feature that allows any mail server to send out an email on behalf of someone else. To try and stop this, four standards have emerged over the past few years:

  • SPF helps ensure that the server sending a message is one of those permitted to send mail for the domain in the address on the message's envelope.
  • DKIM provides a cryptographic signature on emails, which mail servers and spam filtering services can use to check that the message has not been tampered with since the domain it was sent from signed it.
  • DMARC builds on SPF and DKIM to tell receivers of mail what they should do if a message does not pass the SPF and DKIM checks, so users can be confident that the From: address they see really did send the message.
  • ARC provides a way for servers relaying mail to confirm that when the message arrived it passed the necessary SPF and DKIM checks.

DKIM and DMARC, though, cause problems with group mailing lists:

  • Because the mailing list is forwarding on messages, the checks that a message came from the domain it said it was from will fail.
  • Because the mailing list will make changes to messages, such as adding a subject identifier and footer, the checks that a message has not been tampered with will fail.

The ARC standard can help with this, but relies on recipient mail servers accepting that the relaying mail server is reliable. It is also no use for a system like Jiglu where users can contribute messages via the web site rather than just sending them in by email.

DMARC also lets a domain choose whether a recipient mail server should reject a message that fails, usually resulting in a non-delivery notification, or quarantine it, normally by putting the message in a spam / junk mail folder. If a domain is configured to reject, non-delivery notifications will arrive in Jiglu for every recipient whose email system supports DMARC. This will increase those users' bounce scores and eventually result in their email being deactivated.

The solution choices

The solutions to this problem will depend on the kind of users that you have:

  1. If all the users come from one domain or a small number of domains that are under your control then you can whitelist the domain used for Jiglu or configure SPF and DKIM so messages from Jiglu pass.
  2. If the users come from multiple domains that are not under your control then you will need to enable From: header replacement.

Users from domains under your control

When all the users in Jiglu are from domains under your control then the problem is much cleaner to deal with.

If the mail system or systems used by those domains support whitelisting of sender domains then this is often the quickest solution to ensure mail gets through. A better and more secure solution, however, is to configure SPF and DKIM DNS records to incorporate Jiglu.

The SPF DNS records for the domains used by users should include the IP address of the mail server used by Jiglu as a valid sender. The DKIM DNS record used by Jiglu should be added not just for the Jiglu domain but also for the domains used by users, and Jiglu should be configured to sign for users from those domains. For more on configuring Jiglu to use DKIM see this guide.

Users from domains not under your control

When users come from multiple domains not under your control then instead it will be necessary to replace the From: address of those domains with one on the Jiglu server. For our example address earlier, instead of a discussion message being sent out as

From: John Smith <(Address removed)>

It will be sent as

From: John Smith <john*(Address removed)>

This ensures that the domain and signature match what is expected when the DKIM signature and DMARC policy are checked. Note that this only applies to live discussion messages. The replacement will not happen for discussion message digests, newsletters or other email from Jiglu.

If someone replies to the changed address then their email will be forwarded on as-is by Jiglu.
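
The following added example (not Jiglu's code) models both the failure described under "The problem" and the effect of From: replacement: it computes the DKIM body hash before and after a list footer is appended, then applies a simplified DMARC check. The domains, message body and footer are constructed, strict (exact match) alignment is assumed, and the list is assumed to sign outgoing mail with its own domain.

```python
import base64
import hashlib
import re

# Constructed sample data: domains, body and footer are illustrative only.
AUTHOR_DOMAIN = "user.example"
LIST_DOMAIN = "lists.example"
ORIGINAL = b"Hello all,\r\nMinutes attached.\r\n"
FOOTER = b"-- \r\nSent via the project group.\r\n"


def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs, then drop whitespace at the end of lines.
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """The value a signer stores in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def dmarc_passes(from_domain: str, spf_domain: str, dkim_domains: set) -> bool:
    """DMARC passes if SPF or DKIM passed for a domain aligned with From:.
    Assumption: strict (exact match) alignment, to keep the example short."""
    return from_domain == spf_domain or from_domain in dkim_domains


def relay(from_domain: str) -> bool:
    """Model the list relaying ORIGINAL with a footer under the given From:."""
    signed_bh = body_hash(ORIGINAL)            # bh= computed by the author's domain
    relayed_bh = body_hash(ORIGINAL + FOOTER)  # what the recipient computes
    dkim_domains = {LIST_DOMAIN}               # assumption: the list signs its mail
    if signed_bh == relayed_bh:                # author's signature survives only
        dkim_domains.add(AUTHOR_DOMAIN)        # if the body is unchanged
    # SPF passes for the list's envelope domain, since its server sends the mail.
    return dmarc_passes(from_domain, LIST_DOMAIN, dkim_domains)


if __name__ == "__main__":
    print("From: author's domain ->", relay(AUTHOR_DOMAIN))
    print("From: list's domain   ->", relay(LIST_DOMAIN))
```

Whitespace-only changes survive relaxed canonicalization, but any added footer text changes the hash, so the author's signature cannot validate after the list has modified the message.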

Changing addresses

You can enable From: address replacement for all groups by going to System settings -> Group defaults -> Email processing and changing the 'Replace external From: address' setting. This has four options:

  • Never: Email addresses are never replaced.
  • When DMARC policy of Quarantine or Reject: Email addresses are replaced if the sender's domain has a DMARC policy of Quarantine or Reject.
  • When DMARC policy of Reject: Email addresses are replaced if the sender's domain has a DMARC policy of Reject. This is the default for new installations.
  • Always: Email addresses are always replaced.

The setting can also be changed for individual groups, for the case where you have some groups that are internal only and some that are a mixture, by going to Group settings -> Email processing.
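
As an added illustration (not Jiglu's implementation), the four options can be read as a decision over the DMARC record published by the sender's domain. The enum member names, function names and sample records below are constructed for this example, and the handling of the sp= tag for subdomains follows RFC 7489 rather than anything stated on this page.

```python
import enum


class Replace(enum.Enum):
    """The four options of the setting (member names are this example's own)."""
    NEVER = 1
    QUARANTINE_OR_REJECT = 2
    REJECT = 3
    ALWAYS = 4


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; {} if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def effective_policy(txt, subdomain: bool = False) -> str:
    """Policy the sender's domain publishes; a missing or bad record is 'none'.
    For a subdomain, sp= takes the place of p= when present (RFC 7489)."""
    tags = parse_dmarc(txt or "")
    policy = tags.get("p", "none")
    if subdomain:
        policy = tags.get("sp", policy)
    policy = policy.lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


def should_replace_from(setting: Replace, txt, subdomain: bool = False) -> bool:
    """Apply the chosen option to the sender domain's DMARC record."""
    if setting is Replace.NEVER:
        return False
    if setting is Replace.ALWAYS:
        return True
    policy = effective_policy(txt, subdomain)
    if setting is Replace.REJECT:
        return policy == "reject"
    return policy in ("quarantine", "reject")


# Constructed sample records, as published in a _dmarc.<domain> TXT entry.
STRICT = "v=DMARC1; p=reject; rua=mailto:reports@user.example"
MIXED = "v=DMARC1; p=quarantine; sp=none"
```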

Written by Stephen Hebditch. Published on .
5.0.0
Why messages from Jiglu sometimes get blocked by domains and how you can configure the system to minimise this happening.