On Tue 13/Jul/2021 01:41:19 +0200 Brandon Long wrote:
On Mon, Jul 12, 2021 at 2:41 PM Mark Fletcher via mailop <mailop@mailop.org>
On Mon, Jul 12, 2021 at 2:27 AM Lena--- via mailop <mailop@mailop.org> wrote:
messages from mailing lists (at groups.io) from authors @yandex.ru
are rejected by mail.ru though DMARC for yandex.ru is p=none.
I've changed it so that groups.io is now re-writing the From line for
all email we send to mail.ru, regardless of the sender's DMARC policy.
This will allow your mail.ru members to receive messages sent through us.
Relatedly, it does seem like the expectation these days is for mailing
list software to re-write the From line when p=none (not just
reject/quarantine, which is what we currently do). It is not uncommon for
us to get enquiries from people setting up DMARC for their domains. They
start with p=none, see a bunch of reports about email sent through us
failing that, and then contact us about it, understandably thinking it's
something that they need to contact us about fixing before they move to a
more strict setting. For others here running mailing lists that pay
attention to DMARC settings, do you treat p=none differently than
reject/quarantine?
There are some disagreements about it. There are some domains which are
marked p=none that have no plans to move to quarantine/reject, and
obviously others that do.
The experience with mailing lists rewriting from is less than perfect,
though it's also probably only a small fraction of users who care one way
or another.
We split the baby with requiring p=quarantine pct=0 as a definitive next
step to have the mailing list react, but apparently pct=0 isn't handled by
everyone, so it will be equal to pct=100 for some.
While p=quarantine pct=0 takes root, From: munging can be undone at the
receiver's if authors DKIM sign properly. For example, in the message I'm
replying to I got:
Authentication-Results: wmail.tana.it;
spf=pass smtp.mailfrom=mailop.org;
dkim=pass reason="Original-From: transformed" header.d=google.com
That implies the original signature verified. My MDA restores the
Original-From when it sees that reason, thereby undoing munging.
What I'm unclear about is whether DMARC reports about that should be sent also
to the restored From: (google.com in this case) of just to mailop.org. Mark's
worries about people seeing a bunch of reports about email sent through mailing
lists would suggest to not report them. Yet, feedback can be useful to adjust
DKIM signing. Hints?
Best
Ale
--
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
