Preserve sender authentication headers (SPF, DKIM, DMARC)

[FallenWarrior2k]

First of all, thank you for this product. I really like it so far.

However, one thing I noticed when I inspected the forwarded mails was that they do not contain the original headers for SPF, DKIM, and DMARC.
I have to admit that I haven't perused the source code, so I don't know if mails that fail one of these are being forwarded in the first place, but assuming they are, it would be very helpful to be able to see those results.

[nguyenkims]

@FallenWarrior2k hey SimpleLogin forwards email by creating a new email, then send it to your mailbox from the reverse-alias. Because of that, SimpleLogin computes and overrides the original DKIM headers. SPF, DKIM and DMARC are taken into account when an email is sent to an alias to detect whether the email is legitimate but these headers are indeed dropped in the forwarded email.

[FallenWarrior2k]

I'm sorry, my initial post was unclear. I wasn't necessarily asking for original signatures and everything to be preserved because I am aware that SimpleLogin modifies the message as it passes through.

SPF, DKIM and DMARC are taken into account when an email is sent to an alias to detect whether the email is legitimate

That is good to know, but I think it would be nice to have some indication for mails where the sending domain doesn't actively approve of the message, while also not requesting that it be rejected. Cases like the relevant DNS records simply not existing, for example.
I know that SimpleLogin already adds several custom X-Simplelogin-* headers, so I was wondering if it was possible to keep the original Authentication-Results headers as X-Simplelogin-Authentication-Results or something like that?

[nguyenkims]

This is definitely possible though it'd increase the email size. Can I know what do you want to do with this header :)?

[FallenWarrior2k]

I've in the past had legitimate emails from (usually smaller) sites that failed at least one authentication mechanism (often DMARC alignment due to seemingly misconfigured relays) or simply didn't have them configured (right). For those, it would be nice to be able to inspect the authentication results, as DMARC is often configured to not outright reject messages (similarly for SPF soft-fail). You said that these authentication mechanisms are "taken into account" by SimpleLogin, which I'm assuming means rejecting mails that are supposed to be rejected, but I don't know how SimpleLogin currently treats mails that would usually "just" be flagged but not rejected. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

…

On Tuesday, March 23, 2021 6:30 PM, Son Nguyen Kim ***@***.***> wrote: This is definitely possible though it'd increase the email size. Can I know what do you want to do with this header :)? — You are receiving this because you were mentioned. Reply to this email directly, [view it on GitHub](#408 (reply in thread)), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AE3A7FKHEBO77C5YJLHBFT3TFDF3BANCNFSM4ZRWHBPQ).

[nguyenkims]

I see, thanks for the explication! Do you happen to want to work on this feature :)?

You said that these authentication mechanisms are "taken into account" by SimpleLogin, which I'm assuming means rejecting mails that are supposed to be rejected, but I don't know how SimpleLogin currently treats mails that would usually "just" be flagged but not rejected.

Yes failing SPF, DKIM, DMARC contributes a factor that might refuse (bounce) the email but this isn't the only factor.

[developStorm]

SRS ( #160 ) might be able to solve this in a decent way but it's not very easy to implement 😂