Delivery Status Notifications rejected by DMARC policy

Feb 21, 2024
I've got SPF, DKIM and DMARC properly set:
  • SPF record: v=spf1 mx -all
  • DKIM on Proxmox gateway: DKIM Signing: Yes, Signing Domain Source: Header, Sign all Outgoing Mail: Yes
  • DMARC: v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; fo=1; rf=afrf; ri=86400;
When I send mail to gmail.com, all is OK. Mail is signed by PMG, SPF is OK, DMARC is OK (strict=spf, strict=dkim).
If I send mail from Gmail to a non-existent recipient on my mail server, it's normal to expect a bounced mail, but that mail is rejected by DMARC policy because it's not signed with DKIM.

My question is: how can I force the PMG server to sign delivery status notifications?

> If I send mail from Gmail to a non-existent recipient on my mail server, it's normal to expect a bounced mail, but that mail is rejected by DMARC policy because it's not signed with DKIM.
Bounces generated by Postfix itself do not pass through the filter processing and are thus not signed by PMG.

IIRC this should not be a problem if your PMG has a dedicated hostname (which then needs to _not_ have a DMARC policy).

Else, if you enable receiver verification, at least there should not be a bounce for a non-existing e-mail address (this would get rejected directly during the SMTP session).

I hope this helps!
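
The DMARC decision discussed in this thread, as an added example that is not part of the original posts: a simplified RFC 7489 evaluator applied to a signed outbound message and to an unsigned bounce under the posted policy. The domains (`example.com`, `pmg.example.com`, `mailgw.example.net`), the bounce's From domain and the SPF results are constructed assumptions, and `org_domain` uses a two-label shortcut instead of the Public Suffix List.

```python
# Simplified DMARC evaluation (RFC 7489). All domains and results are constructed.
DMARC_RECORDS = {  # stand-in for DNS TXT lookups at _dmarc.<domain>
    "example.com": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; fo=1; rf=afrf; ri=86400;",
}

def parse_tags(record):
    """Split a DMARC record into a tag -> value dict."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: last two labels; real code must use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def find_policy(from_domain):
    """Look up the From domain, then fall back to its organizational domain."""
    if from_domain in DMARC_RECORDS:
        return parse_tags(DMARC_RECORDS[from_domain]), False
    org = org_domain(from_domain)
    if org in DMARC_RECORDS:
        return parse_tags(DMARC_RECORDS[org]), org != from_domain
    return None, False

def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_domain, spf_result, dkim_domain=None):
    """spf_domain: MAIL FROM domain, or the HELO name when MAIL FROM is <>.
    dkim_domain: d= of a valid signature, or None for an unsigned message."""
    tags, is_sub = find_policy(from_domain)
    if tags is None:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains use sp= when present, otherwise they inherit p=.
    return tags.get("sp", tags["p"]) if is_sub else tags["p"]

if __name__ == "__main__":
    print(evaluate("example.com", "example.com", "pass", "example.com"))  # signed mail
    print(evaluate("example.com", "pmg.example.com", "pass"))             # unsigned bounce
    print(evaluate("mailgw.example.net", "mailgw.example.net", "none"))   # no record found
    print(evaluate("pmg.example.com", "pmg.example.com", "none"))         # inherited policy
```

A bounce has an empty envelope sender, so SPF is checked against the HELO name, which aspf=s only accepts when it equals the From domain exactly. The last case shows that a hostname under the same organizational domain with no DMARC record of its own still receives that domain's policy.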