On 07.08.2015 at 02:03, Charles Swiger wrote:
> On Aug 6, 2015, at 4:25 PM, Heiko Richter <em...@heikorichter.name
> <mailto:em...@heikorichter.name>> wrote:
>> Whenever I post something to the list (I'm not using SMTP, I'm
>> using a usenet server to post to comp.protocols.dns.bind), my
>> postmaster address receives DMARC notifications from list members
>> that have employed this wonderful protocol on their servers,
>> telling me my message had been rejected for violating my SPF
>> policy.
>>
>> My SPF record doesn't include lists.ist.org
>> <http://lists.ist.org/>, of course and it never will. Furthermore
>> it ends with "-all" so all my messages to the list are being
>> rejected by list members who have spf aware servers.
>
> DMARC makes assumptions which do not play nicely with mailing
> lists-- in particular, a mailing list is always going to want to
> use a bounce address within its own domain to notice failing
> delivery-- so SPF usually isn't going to match.
>
> The choices I see are to either list the mailservers of the mailing
> lists you participate on in your SPF records, convince the folks
> receiving your mail to whitelist the ISC mailing servers from SPF /
> DMARC checks, and/or change your SPF policy from -all to something
> less strict.

Changing to ~all will indeed solve the problem at the mta-level. But
it will make filters like spamassassin create false-positives and
probably dump the mails into users' spam-folders. This will poison the
bayes filter and - depending on what the users do with their spam -
you run the risk of getting reported to RBLs, so not a good idea.

>
> Otherwise, accept that the choices you've made mean the messages
> you send will frequently bounce.
>
>> So ISC: please fix your list servers, let them rewrite the From
>> headers!
>
> How would this help? Changing the From header breaks your domain's
> DKIM signing; are you asking them to take ownership of your
> messages and then DKIM sign them on behalf of isc.org
> <http://isc.org>? That breaks normal email replies.

OK, didn't think about DKIM, changing the From header won't work
either.

>
> Even the DMARC FAQ is honest enough to note that every alternative
> has major cons:
>
>
> https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F
>
> Regards,
> --
> -Chuck
>

Just found another solution, that will help with any DMARC-aware
server that knows Sender-ID. I just published:

heikorichter.name. 60 IN TXT "spf2.0/pra ?all"

This will force DMARC to check only the envelope sender, which is
changed by lists.isc.org as /dev/rob0 pointed out earlier....

Heiko
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
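
The identifier-alignment check that the mailing-list problem in this thread turns on, written out as an added example (not part of the original message, and not code from any mail server or from ISC). It follows the DMARC rule that a message passes when either an SPF pass on the envelope sender or a verified DKIM signature is aligned with the From header domain; the `org_domain` helper, the `Message` fields and the four scenarios are constructed assumptions.

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption: a real evaluator consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains, strict compares FQDNs."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str   # domain in the From: header (RFC5322.From)
    mail_from: str     # domain of the envelope sender (RFC5321.MailFrom)
    spf_result: str    # SPF result for mail_from as seen by the receiver
    dkim: list = field(default_factory=list)  # (d= domain, verified?) pairs


def dmarc_evaluate(msg: Message) -> dict:
    # SPF only counts if it passed AND the domain it authenticated matches From.
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from)
    # DKIM only counts if a signature verified AND its d= domain matches From.
    dkim_ok = any(ok and aligned(d, msg.header_from) for d, ok in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios using the two domains named in the thread.
AUTHOR, LIST = "heikorichter.name", "lists.isc.org"
SCENARIOS = {
    # Sent straight from the author's own servers.
    "direct": Message(AUTHOR, AUTHOR, "pass", [(AUTHOR, True)]),
    # List rewrote the envelope sender and appended a footer (signature broken).
    "list, body modified": Message(AUTHOR, LIST, "pass", [(AUTHOR, False)]),
    # List rewrote the envelope sender but left the signed content untouched.
    "list, signature intact": Message(AUTHOR, LIST, "pass", [(AUTHOR, True)]),
    # List rewrote From: to its own domain and signed the message itself.
    "list, From rewritten": Message(LIST, LIST, "pass", [(LIST, True)]),
}


def run_scenarios() -> dict:
    return {name: dmarc_evaluate(m)["dmarc"] for name, m in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```

In the second scenario SPF itself passes, but for the list's domain rather than the author's, so it contributes nothing to the DMARC verdict.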