Cloud Services Thread, Google Apps compliance filters don't always work if the sender uses DKIM in Technical; Do you use Google Apps for your pupil email?
Do you use Objectionable Content or Content Compliance filters to copy ...
22nd October 2012, 08:46 AM #1
Google Apps compliance filters don't always work if the sender uses DKIM
Do you use Google Apps for your pupil email?
Do you use Objectionable Content or Content Compliance filters to copy you into messages with bad language, or to messages from certain senders such as Facebook?
Did you know that in certain circumstances those messages won't actually be copied to you?
No, neither did I. It seems that Google did, but hadn't really told anyone, and it took 5 weeks of back and forth with support before someone figured out that was what was happening in our case. Here's how it can fail:
- You have a compliance filter set up that when triggered, adds an extra recipient to the email (i.e. copies it to you or someone else tasked with monitoring).
- The filter also has the Prepend custom subject option enabled, (e.g. adding "Email misuse" to the subject).
- A message is sent from a sender that uses DKIM (DomainKeys Identified Mail) on their outgoing mail server.
- The sender's DMARC TXT record in DNS is set to instruct mail servers to reject any message for which DKIM fails.
In these circumstances, there is a very high chance that the message will not be delivered to the additional recipient. This is because DKIM indicates that the message is a forgery if the subject field is modified, so it is rejected as spam.
For those unfamiliar, DKIM adds a digitial signature to the email based on the message body and some of the headers. The list of headers that is signed almost always includes the subject (as well as from, to, and any others the sender specifies). The sender can then add a TXT record in DNS that tells receiving mail servers what to do if the signature verification fails. In many cases, such as with Facebook, this is set to reject. When Google Apps modifies the subject, the digital signature is no longer valid, and Gmail will then automatically reject the message when it tries to deliver it to the additional recipient.
So, guess who found out 5 weeks ago that he wasn't getting notifications that a load of under-13 pupils had registered for Facebook with their school email addresses?
The workaround is simple once you know what is going on: don't use the Prepend custom subject option. Google are working on a fix, but it's not ready yet. The following is from the support engineer that dealt with our case, from whom I have permission to share this:
In the meantime, check your filters and remove the custom subject option if you're using it.
We have plans in the works to change the nature of message delivery so that messages that are modified by Objectionable Content or Content Compliance filters will not be subject to DKIM failures as a result of the message being modified as was the case here. ... I was informed that our engineers have already scoped out all of the necessary changes and that the new behavior will likely be deployed within about a month.
3 Thanks to JSchlackman:
GrumbleDook (22nd October 2012), IrritableTech (22nd October 2012), ZeroHour (22nd October 2012)
IDG Tech News
By localzuk in forum General Chat
Last Post: 9th March 2011, 10:32 AM
By jgcracknell in forum Internet Related/Filtering/Firewall
Last Post: 30th November 2010, 11:25 PM
By reggiep in forum General Chat
Last Post: 10th October 2008, 06:32 AM
By alonebfg in forum Virtual Learning Platforms
Last Post: 3rd April 2008, 09:16 PM
By ChrisH in forum General Chat
Last Post: 22nd November 2005, 09:01 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Tags for this Thread