On Fri, Aug 7, 2015 at 2:57 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
> > Am 07.08.2015 um 01:25 schrieb Heiko Richter: > >> So ISC: please fix your list servers, let them rewrite the From headers! >> > > please try to understand the topic before blaming! > http://wiki.list.org/DEV/DMARC > > * SPF is about envelopes and *never* from-headers > * the envelope is @lists.isc.org > > ...but DMARC is about mapping the domain in the "From" header to the domain authenticated in SPF or DKIM. From RFC7489: "Identifier Alignment: When the domain in the RFC5322.From address matches a domain validated by SPF or DKIM (or both), it has Identifier Alignment." and "DMARC authenticates use of the RFC5322.From domain by requiring that it match (be aligned with) an Authenticated Identifier." See also: https://dmarc.org/wiki/FAQ#What_is_the_difference_between_the_.22Mail_From.22_and_.22From_Header.22.2C_aren.27t_they_the_same.3F where it states: "DMARC protects the domain name of the RFC5322:From field against spoofing." Here are the headers from one message sent to this list: spf=pass (google.com: best guess record for domain of bind-users-boun...@lists.isc.org designates 2001:4f8:0:2::23 as permitted sender) smtp.mail=bind-users-boun...@lists.isc.org; dmarc=fail (p=REJECT dis=NONE) header.from=heikorichter.name SPF passes, but DMARC fails because the domain in the "From" header ( heikorichter.name) doesn't match the domain authenticated for SPF ( lists.isc.org). And the REJECT policy makes the handling of this more severe by a receiving MTA that implements DMARC. The link referenced above: http://wiki.list.org/DEV/DMARC indicates that mailman (v 2.1.18 and greater) has a setting (dmarc_moderation_action) to munge the From header when the sender's DMARC policy is set to REJECT or QUARANTINE, but leave it in tact otherwise. This is among the recommended solutions in: https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F Casey
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
