
We have a classified ads website. Buyers can contact sellers. The message is directly generated on the site (php7) and sent to the user by email.

If we follow the recommendations from openspf, we have these 2 solutions:

Solution 1

Return-path: service@my-classified-ads-website.com
Sender: service@my-classified-ads-website.com
From: buyer@hotmail.com
Subject: I am interested
To: seller@gmail.com

Solution 2

Return-Path: service@my-classified-ads-website.com
From: service@my-classified-ads-website.com
Reply-To: buyer@hotmail.com
Subject: I am interested
To: seller@gmail.com

These work OK-ish with SPF, but:

Solution 1 is simply rejected by domains having a strict DMARC policy (p=reject), for example yahoo.com:

v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_y_rua@yahoo.com;

Solution 2 works less and less. When replying, many mobile phones (Chinese brands) and email clients do not consider Reply-To but only From. Also, for example, Gmail displays an enormous warning message which scares users:

Be careful with this message
This email claims to come from my-classified-ads-website.com, but replies will go
to an email address at another domain. Avoid replying to this email
unless you reach out to the sender by other means to ensure that
this email address is legitimate.

Is there a solution?

(We would like to avoid a solution like craigslist or obliging users to use an internal message solution à la Facebook).

Toto
    Literally everyone who sends mail on behalf of others does "Solution 2". If you are getting a DMARC rejection, you should look at the specific reasons why. It is probably not what you think. – Michael Hampton Sep 13 '18 at 00:57
  • @MichaelHampton Unfortunately, solution 2 is working less and less. Gmail has an enormous warning banner which scares the user and many "cheap" email clients do not consider "Reply-To". – Toto Sep 13 '18 at 01:09
  • What is the return path (real) from domain that these emails are coming from? Look at the headers searching for return-path. – Neil Anuskiewicz Sep 13 '18 at 10:18
  • @NeilAnuskiewicz We have this `Return-Path: service@my-classified-ads-website.com` – Toto Sep 13 '18 at 12:45
  • Wow, that's a tough one. Any luck on finding alternatives? Which way are you leaning on your next step? – Neil Anuskiewicz Sep 13 '18 at 19:23
  • I'm curious, would it be possible to set up a system where users could contact each other directly without your domain involved as the Return-path address? That is why can't foo@yahoo.com email bar@gmail.com directly? You're a classified site so the need to keep the communication within the site isn't necessary is it? – Neil Anuskiewicz Sep 13 '18 at 19:28
  • We are a little stuck. :( Communicating with email has been fine for years, but now it is over and *users never check the spam folder on their mobile*... Hope we do not have to go in that direction: https://stackoverflow.com/questions/6078885/email-forwarding-like-craigslist-rails – Toto Sep 13 '18 at 23:54
  • Most use solution two or a third option where the actual email address of the seller is not exposed to the buyer (nor vice-versa) but where all communication is routed through your platform by creating unique addresses. Messages to `unique-classified-id_-_seller@classifieds.example.com` get processed, headers get stripped and the message body converted to a message from `unique-classified-id_-_buyer-id@classifieds.example.com` to `seller@gmail.com` and in the response from the seller to `unique-classified-id_-_buyer-id@classifieds.example.com` the reverse is done. – HBruijn Oct 17 '18 at 20:37

2 Answers

You want to cheat and hack email authentication systems by trying to send emails on behalf of others. Maybe this hack can work temporarily, but in the future it will be banned by mailbox providers, as phishing attacks require more and more strict policies mailbox providers need to apply.

To avoid such hacks here is a solution I would suggest. Create a unique email address for every pair of contacts and make it "mediator" for conversation between parties.

How it works

All email conversation must be done through your created email. You can set custom display names (e.g. John <123@my-classified-ads-website.com>) to not confuse email receivers with your strange unique ids. So when A needs to write to B, it actually writes to your email, then you forward the email to B, and vice versa for B to A.

This implementation has some complexity, but that will pay off in the future.

Engineer
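The per-conversation alias scheme that HBruijn's comment and this answer describe, as an added example in Python (not code from the question, the comments or either answer). Assumed: digit-only listing ids, the alias layout, the placeholder secret, and the constructed lookup table and sample message; in production the MTA would also set the envelope sender (Return-Path) to the alias and DKIM-sign with d=my-classified-ads-website.com.

```python
import hashlib, hmac
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr, formataddr

RELAY_DOMAIN = "my-classified-ads-website.com"  # domain used in the question
SECRET = b"placeholder-secret-replace-me"       # constructed placeholder
# Constructed lookup: listing id -> the real addresses of both parties.
CONVERSATIONS = {"123": {"buyer": "buyer@hotmail.com", "seller": "seller@gmail.com"}}

def alias_for(listing_id: str, role: str) -> str:
    """Address a party is reached at; the HMAC tag makes aliases unguessable."""
    tag = hmac.new(SECRET, f"{listing_id}:{role}".encode(), hashlib.sha256)
    return f"{listing_id}-{role}-{tag.hexdigest()[:16]}@{RELAY_DOMAIN}"

def parse_alias(addr: str):
    """Return (listing_id, role) if addr is a genuine alias on our domain, else None."""
    local, _, domain = addr.lower().rpartition("@")
    parts = local.split("-")
    if domain != RELAY_DOMAIN or len(parts) != 3:
        return None
    listing_id, role, _tag = parts
    expected = alias_for(listing_id, role).split("@")[0]
    return (listing_id, role) if hmac.compare_digest(expected, local) else None

def relay(raw: str, conversations=CONVERSATIONS):
    """Turn a plain-text message sent to an alias into the message we forward.
    Returns None when the alias is invalid or the sender is not the counterpart."""
    inbound = message_from_string(raw)
    parsed = parse_alias(parseaddr(inbound["To"])[1])
    if parsed is None or inbound.is_multipart():
        return None
    listing_id, target_role = parsed
    sender_role = "seller" if target_role == "buyer" else "buyer"
    sender_name, sender_addr = parseaddr(inbound["From"])
    pair = conversations.get(listing_id)
    if pair is None or sender_addr.lower() != pair[sender_role]:
        return None  # unknown listing, or sender is not the recorded counterpart
    out = EmailMessage()
    # Real sender's display name, but an address on our domain: RFC5322.From
    # now aligns with our SPF/DKIM domain and no cross-domain Reply-To is needed.
    out["From"] = formataddr((sender_name or sender_role.title(), alias_for(listing_id, sender_role)))
    out["To"] = pair[target_role]
    out["Subject"] = inbound["Subject"]
    out.set_content(inbound.get_payload())
    return out

# Constructed sample: the buyer writes to the seller's alias for listing 123.
SAMPLE = ("From: Jane Buyer <buyer@hotmail.com>\nTo: " + alias_for("123", "seller")
          + "\nSubject: I am interested\n\nIs the bike still available?\n")
```

The seller's reply goes to the buyer's alias and is rewritten the same way, so neither party ever sees the other's real address.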

As stated, option 1 is certainly not advised. DMARC will cause these mails to be rejected.

Option 2 can work correctly. We would advise you to add a DKIM signature to these mails to increase trustworthiness and build a domain reputation on your d= domain. This could cause Google to prevent the 'big alert' if they would trust your domain 'enough'.

However.... Your wish is to send mail on behalf of your customers. Therefore a third option could also be to make sure your clients allow you to do so. This could mean they would allow you through their SPF record, but (preferably) you'd also want to take a look at signing these mails with a custom (per client) DKIM signature.

That would lead to these headers:

From: buyer@hotmail.com
Subject: I am interested
To: seller@gmail.com

Does this help you and provide you with a solution?

Regards,

Michiel

DMARC Analyzer
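An added example (not from the question or either answer) that checks DMARC identifier alignment for the three header layouts discussed on this page, showing why solution 1 fails and the other two pass. It assumes the default relaxed alignment and replaces the Public Suffix List with a last-two-labels rule, which is only adequate for the domains used here; the hotmail.com DKIM signature in the third case is hypothetical.

```python
from email.utils import parseaddr

def org_domain(domain: str) -> str:
    """Toy organizational domain (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(domain: str, from_domain: str, strict: bool = False) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return domain == from_domain if strict else org_domain(domain) == org_domain(from_domain)

def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def dmarc_evaluate(headers: dict, spf_result: str, dkim_domains: list, strict: bool = False) -> dict:
    """DMARC passes when SPF passed for a Return-Path domain aligned with the
    RFC5322.From domain, or a verified DKIM signature's d= domain aligns with it.
    Sender: and Reply-To: play no part, which is why solution 1 fails."""
    from_domain = domain_of(headers["From"])
    spf_ok = spf_result == "pass" and aligned(domain_of(headers["Return-Path"]), from_domain, strict)
    dkim_ok = any(aligned(d, from_domain, strict) for d in dkim_domains)
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

SITE = "service@my-classified-ads-website.com"
# The three layouts from the page. SPF is assumed to pass for the site's own
# Return-Path domain; DKIM results are given as the d= domains that verified.
CASES = {
    "solution 1": ({"Return-Path": SITE, "From": "buyer@hotmail.com", "Sender": SITE},
                   "pass", ["my-classified-ads-website.com"]),
    "solution 2": ({"Return-Path": SITE, "From": SITE, "Reply-To": "buyer@hotmail.com"},
                   "pass", ["my-classified-ads-website.com"]),
    # Answer 2's third option: the customer's domain authorised the site and a
    # per-client DKIM signature with d=hotmail.com verified (hypothetical).
    "option 3": ({"Return-Path": SITE, "From": "buyer@hotmail.com"},
                 "pass", ["hotmail.com"]),
}

def evaluate_cases(strict: bool = False) -> dict:
    return {name: dmarc_evaluate(h, spf, dkim, strict)["dmarc_pass"]
            for name, (h, spf, dkim) in CASES.items()}

if __name__ == "__main__":
    for name, result in evaluate_cases().items():
        print(f"{name}: DMARC {'pass' if result else 'fail'}")
```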