On 07.08.2015 at 08:29, Matus UHLAR - fantomas wrote:
>>> On Aug 6, 2015, at 4:25 PM, Heiko Richter
>>> <em...@heikorichter.name> wrote:
>>>> Whenever I post something to the list (I'm not using SMTP,
>>>> I'm using a usenet server to post to
>>>> comp.protocols.dns.bind), my postmaster address receives
>>>> DMARC notifications from list members that have employed this
>>>> wonderful protocol on their servers, telling me my message
>>>> had been rejected for violating my SPF policy.
>>>>
>>>> My SPF record doesn't include lists.ist.org, of course and it
>>>> never will. Furthermore it ends with "-all" so all my messages
>>>> to the list are being rejected by list members who have SPF-aware
>>>> servers.
>
> SPF must only check envelope address, not header From: address - it
> was never designed to do the latter.

Correction:
------------
All implementations of SPF always check 2 addresses:
- Envelope-From address
- From address

SPF will fail whenever the client is not authorized to send for either
the Envelope-From address or the From address. So while the list server
changes the envelope from address, SPF will still fail as the client is
not authorized for the From address.

>
> On 07.08.15 02:54, Heiko Richter wrote:
>> Just found another solution, that will help with any DMARC-aware
>> server that knows Sender-ID. I just published:
>> heikorichter.name. 60 IN TXT "spf2.0/pra ?all"
>>
>> This will force DMARC to check only the envelope sender, which
>> is changed by lists.isc.org as /dev/rob0 pointed out earlier....
>
> How did your SenderID record look before?

Before I only had SPF and no Sender ID.

Before the change:
heikorichter.name. 60 IN TXT "v=spf1 include:heikorichter.org -all"
heikorichter.org. 60 IN TXT "v=spf1 mx -all"

After the change:
heikorichter.name. 60 IN TXT "spf2.0/pra ?all"
heikorichter.name. 60 IN TXT "v=spf1 include:heikorichter.org -all"
heikorichter.org. 60 IN TXT "v=spf1 mx -all"

The "spf2.0/pra ?all" is SenderID, where "pra" forces the DMARC server
to check only the Envelope-Sender against "v=spf1 mx -all". If you don't
set that, SPF will always check both Envelope-From and Header-From.

>
> Note that it's the SenderID specification that is horribly broken
> (btw, just because of mailing lists) and further any protocol that
> uses it (does DMARC?)
>
> Blaming the ISC mailserver for not changing header address is
> blaming it for doing something (all?) list servers did years before
> microsoft came with the braindead SenderID specification that broke
> this behaviour.
>

You seem to mix up SenderID and SPF. SPF is the thing that is broken as
it always checks Envelope- and Header-From. Sender-ID is a way (the only
way) to tell SPF it should just check one of them.

After publishing the SenderID record the DMARC bounces stopped as the
servers just check the Envelope-From now.

Before SenderID the only way had been to live with the DMARC bounces or
to make the list servers change the Header-From. But with SenderID
there's a working alternative.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
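The before/after TXT sets quoted in the message above, run through a simplified model of per-scope record selection as described in RFC 4406 (Sender ID). This is an added example, not code from the poster or from any mail server; it assumes the selection rule that an "spf2.0" record listing the tested scope takes precedence over "v=spf1", and it reads only the trailing "all" term without doing DNS lookups or expanding "include:".

```python
# Added example: simplified Sender ID record selection (assumption: RFC 4406
# per-scope rule, spf2.0 record for a scope wins over v=spf1).
# The TXT sets below are the ones quoted in the message for heikorichter.name.
BEFORE = ['v=spf1 include:heikorichter.org -all']
AFTER = ['spf2.0/pra ?all', 'v=spf1 include:heikorichter.org -all']

KNOWN_SCOPES = {'mfrom', 'pra'}
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def parse(txt):
    """Return (version, scopes, terms), or None if not an SPF/Sender ID record."""
    parts = txt.split()
    if not parts:
        return None
    head = parts[0].lower()
    if head == 'v=spf1':
        # v=spf1 has no scope list; a Sender ID checker reads it as mfrom,pra.
        return ('v=spf1', set(KNOWN_SCOPES), parts[1:])
    if head.startswith('spf2.0/'):
        scopes = set(head[len('spf2.0/'):].split(',')) & KNOWN_SCOPES
        if scopes:
            return ('spf2.0', scopes, parts[1:])
    return None


def select(txt_records, scope):
    """Pick the single record a Sender ID checker would apply for one scope."""
    recs = [r for r in map(parse, txt_records) if r and scope in r[1]]
    v2 = [r for r in recs if r[0] == 'spf2.0']
    chosen = v2 or recs          # spf2.0 for this scope shadows v=spf1
    return chosen[0] if len(chosen) == 1 else None


def default_result(record):
    """Result named by the record's 'all' term, or None if it has none."""
    if record is None:
        return None
    for term in record[2]:
        if term.lstrip('+-~?').lower() == 'all':
            return QUALIFIERS.get(term[0], 'pass')
    return None


if __name__ == '__main__':
    for label, txts in (('before', BEFORE), ('after', AFTER)):
        for scope in ('mfrom', 'pra'):
            rec = select(txts, scope)
            print(label, scope, rec[0] if rec else None, default_result(rec))
```
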