I have SPF, DKIM and DKIM configured on my small system and everything generally works fine.  I am using Exchange on-premise and my outbound email is sent via a smart host.

Recently, I have needed to forward mail for one user to the user's gmail address.  The only way I have been able to do that is to have Exchange forward the email to me, and then have an Outlook rule forward the email (since gmail won't allow the emails forwarded from Exchange).

This setup appears to generate DMARC failures from google.com.  I get responses from them that show as DKIM failures from the smart host's IP address.  I have my DKIM set up according to the instructions for Xeams, so I'm not sure how to proceed with this.  The response I get back from google contains:

Any ideas on how I should proceed?

Thanks

Anthony,

Before answering this question, I want to explain why this is happening. Assume the following flow of events:

• Someone with a Yahoo address sends an email to auser@yourdomain.com
• This user has configured their Outlook to forward emails to auser@gmail.com
• Your Exchange forwards the message without changing the sender's address. In other words, the email goes out from originalSender@yahoo.com and the recipient is aUser@gmail.com
• When Gmail gets it, they see an email from Yahoo from your IP, which is not authorized. This results in an SPF failure
• Moreover, Exchange has also changed the message slightly, making DKIM fail. Perhaps the subject was modified with a "FW:" prefix.

There are two solutions to this problem:

Solution 1: Configure your Outlook to add a Sender header with the local address. The FROM header contains the sender's email address when emails are sent out. In addition to this FROM header, you must add a "Sender" header. The final headers should look like:

From: originalSender@yahoo.com
Sender: auser@yourdomain.com
Subject: Original Subject without modification

When Xeams sees the sender header, it uses that value in the MAIL FROM field during SMTP communication; therefore, SPF will pass. Ensure the original body and subject is not modified to keep DKIM intact.

Solution 2: Use Xeams instead of Exchange to do the actual forwarding. Go to Server Configuration/Manage Distribution List. Create a new list with auser@yourdomain.com as the List Address and put "self,auser@gmail.com" in the Forward To field. Notice the word "self", which will ensure that the original message is sent to yourdomain as well as the gmail.com address.

Xeams will automatically change the MAIL FROM value in the SMTP Communication to an appropriate value so that SPF won't fail. Moreover, the original message will not be modified, leaving DKIM intact. Therefore, when Google gets it, both SPF and DKIM will align.

Note that this solution will cost you an extra user license in Xeams because you're eventually filtering email for a Gmail account.

Thanks for the detailed response. 

In my case, Exchange is simply forwarding messages to auser@mydomain.com to me@mydomain.com.  I had previously tried having it forward from auser@mydomain.com to auser@gmail.com, and that simply failed.   Now when me@mydomain.com receives those messages in Outlook, a rule runs to forward to auser@gmail.com.

I will try option #2 and see if that works.  Not sure how to achieve option #1

Thanks again.

So, I tried Option 2 and the messages don't send.  When I retry them from the Outbound Queue, I get:

Error: Final recipient: auser@gmail.com - Invalid Addresses - 554 5.7.1 <auser@gmail.com>: Recipient address rejected: Rejected - not allowed to send mail from this domain