Score:0

Why does DMARC fail for forwarded emails from this particular domain when it passes for all other domains?

I run a virtual mail server that forwards emails to my domain to a Gmail address, and I use PostSRSd to rewrite the addresses. For example, if someone sends an email to [email protected], my mail server will rewrite the address (to something like [email protected]) and forward it to my email at [email protected].

This rewriting is essential, because otherwise the forwarded emails will fail SPF checks. I'm not sure if it will fail DKIM if the address is not rewritten, but I assume it will.

PostSRSd works out well for us most of the time. Emails to our virtual domain pass SPF, DKIM and DMARC, which makes deliverability excellent. Here's the typical mail header for the checks:

Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=hs1 header.b=fFjMRTbn;
   dkim=pass [email protected] header.s=hs2-8105018 header.b=AHU209VN;
   spf=pass (google.com: domain of srs0=8nnb=bp=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=mydomain.com@mydomain.com designates 123.234.123.124 as permitted sender) smtp.mailfrom="SRS0=8nNb=BP=bf08x.hubspotemail.net=1axb6baq5yhbqc79kzmzee6yv7e5d09kmo07f2-john=imago-images.de@mydomain.com";
   dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=imago-images.de

However, emails from a particular domain ichat.sp.edu.sg (this is the actual domain) never get delivered when they are sent to my domain, because the forwarding process causes them to fail Gmail's DMARC checks. Here is the mail header for one such mail:

Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=selector2-ichatspedu-onmicrosoft-com header.b="LeXRlSh/";
   arc=pass (i=1 spf=pass spfdomain=ichat.sp.edu.sg dkim=pass dkdomain=ichat.sp.edu.sg dmarc=pass fromdomain=ichat.sp.edu.sg);
   spf=pass (google.com: domain of [email protected] designates 123.234.123.124 as permitted sender) smtp.mailfrom="[email protected]";
   dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=sp.edu.sg

I'm not sure what causes DMARC to fail in this particular case. ChatGPT (as well as Postfix) says it has something to do with the DMARC records of sp.edu.sg, but I'm not very sure what it is. Can anyone help? And can I do anything on my end to alleviate this if sp.edu.sg does not do anything?

For reference, here is the TXT record for _dmarc.sp.edu.sg:

v=DMARC1; p=reject; rua=mailto:[email protected], mailto:[email protected]; ruf=mailto:[email protected]; fo=1
anx
The Google header does not mention a DKIM signature aligned with the `.sg` domain, did you expect one?
John Doe
@anx Do you mean that there is no DKIM signature for `sp.edu.sg` in the Google header?
Keith Langmead
The problem with forwarding email to Google is if you receive any spam, as when it reaches Google's servers it'll show as coming from YOUR server and YOUR email domain, not the original sender, which then risks you getting blacklisted as a spam source. I've seen it happen multiple times with customers who had similar setups (against our advice). Better to enable email collection from your server, and allow Google to collect it from you with the original headers intact so they know what came from where.
Paul
Do you have a different option for forwarding, such as if Dovecot is installed use a `sieve` rule?
Score:1

DMARC not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the “From” address. Only then will DMARC PASS.

DKIM: ichatspedu.onmicrosoft.com

SPF: ichat.sp.edu.sg

header.from=sp.edu.sg

so this won't work. I assume in the mail that worked you redacted an imago-images.de email address in the SPF ([email protected])?

Try adding a subdomain TXT DMARC record for ichat.sp.edu.sg rather than relying on the default (empty) sp tag on the parent domain.

John Doe
For the `imago-images.de` email address, do you mean the `header.from`? The `header.from` is the original value. I only redacted the IP address of my mail server and the original domain. For the email, what you mean is that either the `header.from` must be `ichat.sp.edu.sg` or the `header.from` must be from `ichat.sp.edu.sg`, correct? And to get the correct `header.from`, the `_dmarc.ichat.sp.edu.sg` address must contain a DMARC entry?
John Doe
I've managed to fix this thanks to your input. The PostSRSd application actually documents the fix under PostSRSd under the last question, and it has the exact same solution as yours.
Score:1
LZY
Why DMARC failed

In the failed header, neither the SPF nor the DKIM domain aligns with ichat.sp.edu.sg, and this caused DMARC to fail.

It seems they don't sign DKIM using their own domain, and rely on the SPF domain to pass DMARC alignment, which was rewritten by your forwarder. (Or perhaps their mail servers are not properly configured at all and DMARC fails with or without your forwarder.)

Explanations of DMARC alignment can be found on Wikipedia. Basically, it states that the domain in a message's From header must match one of the domains in SPF or DKIM.

Further, any mail that relies on the SPF domain and not the DKIM domain to pass DMARC won't pass DMARC after your forwarder.

I don't think there's anything you can do if you are not from ichat.sp.edu.sg.

Better ways

... to achieve what you are trying to do would be:

  • To designate your server as a Gmail inbound mail gateway, which requires a Google Workspace subscription. Google won't test DMARC for this.

  • Or you can try programmatically inserting forwarded mails using the Gmail API. You won't be using SMTP, and there is no need to pass any tests.
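The alignment rule both answers describe, worked through on the two headers from the question, as an added example that is not code from the thread or from PostSRSd. It assumes a small stand-in public suffix set and the DKIM d= domains the answers infer (imago-images.de and hubspotemail.net for the passing mail, ichatspedu.onmicrosoft.com for the failing one); the SPF domain after SRS rewriting is the forwarder's own (mydomain.com in the question).

```python
# Added example (not from the thread): evaluate DMARC identifier alignment as
# RFC 7489 section 3.1 describes it, using the domains visible in the two
# Authentication-Results headers quoted in the question.

# Constructed stand-in for the Public Suffix List; only the suffixes needed for
# this page's domains. A real evaluator must load the full list.
PUBLIC_SUFFIXES = {"com", "de", "net", "sg", "edu.sg"}


def organizational_domain(domain: str) -> str:
    """Return the registrable (organizational) domain: one label above the
    longest matching public suffix, e.g. ichat.sp.edu.sg -> sp.edu.sg."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest candidate suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains; strict needs equality."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_result(from_domain, spf_domain, spf_pass, dkim_results, strict=False):
    """dkim_results: list of (d= domain, passed). DMARC passes when at least one
    passing SPF or DKIM identifier aligns with the RFC5322.From domain."""
    spf_ok = spf_pass and aligned(spf_domain, from_domain, strict)
    dkim_ok = any(p and aligned(d, from_domain, strict) for d, p in dkim_results)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def forwarded_examples():
    """The two forwarded mails from the question, plus what the ARC seal says
    the failing mail looked like before the forwarder rewrote the SPF domain.
    DKIM d= values are assumed from the selectors; the SPF domain after SRS is
    the forwarder's own domain."""
    passing = dmarc_result("imago-images.de", "mydomain.com", True,
                           [("imago-images.de", True), ("hubspotemail.net", True)])
    failing = dmarc_result("sp.edu.sg", "mydomain.com", True,
                           [("ichatspedu.onmicrosoft.com", True)])
    # Original hop per the arc= line: spfdomain=ichat.sp.edu.sg, which aligns
    # (relaxed) with sp.edu.sg, so DMARC passed before the SRS rewrite.
    before_forwarding = dmarc_result("sp.edu.sg", "ichat.sp.edu.sg", True,
                                     [("ichatspedu.onmicrosoft.com", True)])
    return passing, failing, before_forwarding
```

The failing mail passes only on the SPF identifier, which forwarding necessarily replaces; a DKIM signature with d=ichat.sp.edu.sg or d=sp.edu.sg would survive the forwarder and keep DMARC passing.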
