+ Post New Thread
Results 1 to 1 of 1
Cloud Services Thread, Google Apps compliance filters don't always work if the sender uses DKIM in Technical; Do you use Google Apps for your pupil email? Do you use Objectionable Content or Content Compliance filters to copy ...
  1. #1

    Join Date
    Dec 2007
    Potomac, MD, USA
    Thank Post
    Thanked 28 Times in 14 Posts
    Rep Power

    Exclamation Google Apps compliance filters don't always work if the sender uses DKIM

    Do you use Google Apps for your pupil email?
    Do you use Objectionable Content or Content Compliance filters to copy you into messages with bad language, or to messages from certain senders such as Facebook?
    Did you know that in certain circumstances those messages won't actually be copied to you?

    No, neither did I. It seems that Google did, but hadn't really told anyone, and it took 5 weeks of back and forth with support before someone figured out that was what was happening in our case. Here's how it can fail:

    1. You have a compliance filter set up that when triggered, adds an extra recipient to the email (i.e. copies it to you or someone else tasked with monitoring).
    2. The filter also has the Prepend custom subject option enabled, (e.g. adding "Email misuse" to the subject).
    3. A message is sent from a sender that uses DKIM (DomainKeys Identified Mail) on their outgoing mail server.
    4. The sender's DMARC TXT record in DNS is set to instruct mail servers to reject any message for which DKIM fails.

    In these circumstances, there is a very high chance that the message will not be delivered to the additional recipient. This is because DKIM indicates that the message is a forgery if the subject field is modified, so it is rejected as spam.

    For those unfamiliar, DKIM adds a digitial signature to the email based on the message body and some of the headers. The list of headers that is signed almost always includes the subject (as well as from, to, and any others the sender specifies). The sender can then add a TXT record in DNS that tells receiving mail servers what to do if the signature verification fails. In many cases, such as with Facebook, this is set to reject. When Google Apps modifies the subject, the digital signature is no longer valid, and Gmail will then automatically reject the message when it tries to deliver it to the additional recipient.

    So, guess who found out 5 weeks ago that he wasn't getting notifications that a load of under-13 pupils had registered for Facebook with their school email addresses?


    The workaround is simple once you know what is going on: don't use the Prepend custom subject option. Google are working on a fix, but it's not ready yet. The following is from the support engineer that dealt with our case, from whom I have permission to share this:

    We have plans in the works to change the nature of message delivery so that messages that are modified by Objectionable Content or Content Compliance filters will not be subject to DKIM failures as a result of the message being modified as was the case here. ... I was informed that our engineers have already scoped out all of the necessary changes and that the new behavior will likely be deployed within about a month.
    In the meantime, check your filters and remove the custom subject option if you're using it.

  2. 3 Thanks to JSchlackman:

    GrumbleDook (22nd October 2012), IrritableTech (22nd October 2012), ZeroHour (22nd October 2012)

+ Post New Thread

Similar Threads

  1. Google Apps for Education - email filtering options?
    By localzuk in forum General Chat
    Replies: 1
    Last Post: 9th March 2011, 11:32 AM
  2. Postini Filtering in Google Apps (list help!)
    By jgcracknell in forum Internet Related/Filtering/Firewall
    Replies: 0
    Last Post: 1st December 2010, 12:25 AM
  3. Replies: 12
    Last Post: 10th October 2008, 07:32 AM
  4. google apps
    By alonebfg in forum Virtual Learning Platforms
    Replies: 8
    Last Post: 3rd April 2008, 10:16 PM
  5. Google images completely filtered in Lancs?
    By ChrisH in forum General Chat
    Replies: 12
    Last Post: 22nd November 2005, 10:01 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts