Any forwarding without RFC5322.From munging breaks SPF authentication
for DMARC. With SRS, the message passes SPF but fails the DMARC/SPF check
because the SPF domain after SRS is not aligned with RFC5322.From.

DKIM is supposed to solve the problem of MTA-level forwarding. But,
mailing lists also break DKIM, unless From munging for DMARC-protected
domains is supported, because mail content is modified.

So, usually you have to keep some exclusion list of
known/trusted/reputed forwarders excluded from the DMARC check. Currently,
it may be IP or DKIM based, if the forwarder signs the forwarded message
with its own DKIM. With ARC it will be ARC trust based. ARC is just another
whitelist/reputation score you need to implement and support; it's wrong
to think ARC solves the forwarding problem out of the box :(


20.11.2019 17:04, Paul Smith via mailop wrote:
> On 20/11/2019 13:17, Jon Burke via mailop wrote:
>>  I know ISPs can enforce a stricter policy (e.g. reject although
>> policy is p=quarantine) but I don’t often see ISPs applying a more
>> lenient response than stated in the DMARC policy. I can think of one
>> reason for doing so (user added the sender to his / her safe-sender
>> list) and wanted to ask if you know of some other reasons?
>>
>>  
>>
> Forwarded messages will fail SPF checks, so mail servers may decide to
> accept messages that have failed SPF checks in case they've been
> forwarded.
>
> Users still use MTA-level forwarding now, especially to free email
> addresses like Hotmail & Gmail, so I guess those providers are stuck
> between a rock and a hard place - either reject spoofed and forwarded
> mail and upset users, or accept it and upset users.
>
>
>
> -- 
>
> Paul Smith Computer Services
> Tel: 01484 855800
> Vat No: GB 685 6987 53
>
> Sign up for news & updates <http://http://www.pscs.co.uk/go/subscribe>
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


-- 
Vladimir Dubrovin
@ mail.ru
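
The alignment behaviour discussed in this message, as an added example that is not part of the original thread: a small DMARC evaluator showing why an SRS-rewritten message passes SPF yet fails DMARC, and how an IP- or DKIM-based forwarder exclusion list changes the outcome. All domains, IPs and list names are constructed, and the organizational-domain lookup is a simplifying assumption (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed DMARC alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    from_domain: str        # RFC5322.From domain
    mailfrom_domain: str    # RFC5321.MailFrom domain (after any SRS rewrite)
    spf_pass: bool          # SPF result for mailfrom_domain at the connecting IP
    dkim_valid: list = field(default_factory=list)  # d= of signatures that verified
    client_ip: str = ""

# Hypothetical receiver-side exclusion lists of known forwarders (constructed values).
TRUSTED_FORWARDER_IPS = {"192.0.2.25"}
TRUSTED_FORWARDER_DKIM = {"lists.example.net"}

def dmarc_eval(m):
    spf_aligned = m.spf_pass and aligned(m.mailfrom_domain, m.from_domain)
    dkim_aligned = any(aligned(d, m.from_domain) for d in m.dkim_valid)
    if spf_aligned or dkim_aligned:
        return "pass"
    # DMARC failed: decide whether a local exclusion overrides the policy.
    if m.client_ip in TRUSTED_FORWARDER_IPS:
        return "fail-excluded-ip"
    if any(d in TRUSTED_FORWARDER_DKIM for d in m.dkim_valid):
        return "fail-excluded-dkim"
    return "fail"

# Constructed sample messages, all with RFC5322.From at bank.example.
SAMPLES = {
    "direct": Message("bank.example", "bounce.bank.example", True, ["bank.example"], "198.51.100.7"),
    # SRS rewrote MailFrom to the forwarder: SPF passes, but for an unaligned domain.
    "srs_no_dkim": Message("bank.example", "fwd.example.org", True, [], "203.0.113.9"),
    # Same forward, but the original DKIM signature survived untouched.
    "srs_dkim_intact": Message("bank.example", "fwd.example.org", True, ["bank.example"], "203.0.113.9"),
    # List modified the content: original DKIM broken, only the list's own signature verifies.
    "list_resigned": Message("bank.example", "lists.example.net", True, ["lists.example.net"], "203.0.113.40"),
    "forwarder_by_ip": Message("bank.example", "fwd.example.org", True, [], "192.0.2.25"),
}

def run_samples():
    return {name: dmarc_eval(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {verdict}")
```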