> On 15.12.2014 at 00:36, Wietse Venema <wie...@porcupine.org> wrote:
>
> Christian Rößner:
>>
>>> On 14.12.2014 at 23:53, Wietse Venema <wie...@porcupine.org> wrote:
>>>
>>> Christian Rößner:
>>>> sorry, if this question might be a little off-topic, but I really
>>>> do not understand some DMARC reports that I receive in conjunction
>>>> to this mailing list and maybe someone can help me in digging down
>>>> the problem:
>>>
>>> Perhaps a stupid question: can you exclude DNS lookup problems?
>>> Packet loss happens, and for practical reasons verifiers cannot
>>> retry indefinitely.
>>
>> There is a local unbound resolver on the MX and there are two BIND9 resolvers.
>>
>> We do have packet loss very seldom. It's a fibre line.
>>
>> So I would not expect these problems.
>
> Not between your own systems.
>
> What about the rest of the Internet? I doubt that your local SLA
> covers communication with remote destinations.

I found the answer and I fear there is no chance to solve this:

https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1

It’s the problem with DMARC. Nearly the same problem that I posted some days ago. It’s all about the RFC5322 From address. DMARC uses this information and checks SPF and DKIM against this header field. So it is not enough to have SPF passed; it also MUST have been sent from an SPF-legitimated system. As the Postfix mailing list does not send with its mailing list address (which would solve this problem) as RFC5322 From address, the SPF test will always fail. So most lists are not DMARC-ready.

See under

1. Introduction

   2. Receivers compare the RFC5322 From: address in the mail to the
      SPF and DKIM results, if present, and the DMARC policy in DNS.

3.1.1. Authentication Mechanisms

   The following mechanisms for determining Authenticated Identifiers
   are supported in this version of DMARC:

   o [DKIM], which provides a domain-level identifier in the content
     of the "d=" tag of a validated DKIM-Signature header field.

   o [SPF], which authenticates the domain found in an [SMTP] MAIL
     command when it is the authorized domain.

An authorized domain is defined like:

3. Terminology and Definitions

   Author Domain: The domain name of the apparent author, as extracted
   from the RFC5322.From field.

So I only can ask mailing list administrators to fix their lists, but I fear only a few will do this. If I look at dmarc.org at the bottom, there are many organizations right now that use DMARC, so this topic will probably come up more and more.

Thanks for helping

Christian

--
Bachelor of Science in Computer Science
Erlenwiese 14, 36304 Alsfeld
T: +49 6631 78823400, F: +49 6631 78823409, M: +49 171 9905345
VAT ID: DE225643613, http://www.roessner-network-solutions.com
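
The identifier alignment check from the draft sections quoted above, as an added example (not part of the original post, and not code from Postfix or from the draft). The domains example.org and lists.example.net, the function names, and the two-label organizational-domain shortcut are assumptions made for illustration; the list scenario assumes the list rewrites the envelope sender to its own domain.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real verifier
    # consults the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(author, ident, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    author, ident = author.lower(), ident.lower()
    return author == ident if strict else org_domain(author) == org_domain(ident)

def author_domain(raw_message):
    # DMARC keys on the RFC5322.From header field, not on the SMTP envelope.
    _, addr = parseaddr(message_from_string(raw_message)["From"])
    return addr.rpartition("@")[2].lower()

def dmarc_eval(raw_message, mail_from_domain, spf_result, dkim_results, strict=False):
    """dkim_results: list of (d= domain, verifier result) pairs."""
    author = author_domain(raw_message)
    # An SPF "pass" only counts if the MAIL FROM domain aligns with the author domain.
    spf_ok = spf_result == "pass" and aligned(author, mail_from_domain, strict)
    # A DKIM "pass" only counts if the signing d= domain aligns with the author domain.
    dkim_ok = any(res == "pass" and aligned(author, d, strict)
                  for d, res in dkim_results)
    return {"author": author, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample message: a list post written by author@example.org.
MSG = ("From: Author <author@example.org>\n"
       "To: list@lists.example.net\n"
       "Subject: test\n\nbody\n")

# 1) Delivered directly by the author's own mail system.
direct = dmarc_eval(MSG, "example.org", "pass", [("example.org", "pass")])
# 2) Relayed by a list: SPF passes, but for the list's envelope domain, and the
#    author's DKIM signature no longer verifies (assumed: list altered the message).
via_list = dmarc_eval(MSG, "lists.example.net", "pass", [("example.org", "fail")])
# 3) Relayed by a list that leaves the signed content untouched.
via_list_intact = dmarc_eval(MSG, "lists.example.net", "pass", [("example.org", "pass")])

if __name__ == "__main__":
    for name, result in [("direct", direct), ("via list", via_list),
                         ("via list, DKIM intact", via_list_intact)]:
        print(f"{name:22} {result}")
```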