On Fri, 22 Nov 2019 at 11:26, Jaroslaw Rafa <r...@rafa.eu.org> wrote:
> Dnia 22.11.2019 o godz. 10:45:42 Wesley Peng pisze: > > > > So mailing list makes DKIM or SPF failed? > > > > Thank you for your helps. > > My opinion is that the actual problem is that people who invented SPF > and/or > DMARC had wrong assumptions about how email works/should work. > > They assumed email is a straight and simple one-to-one communication like > HTTP. If you send a mail from user1@xxx to user2@yyy, it goes straight > from > sending server for domain xxx to receiving server for domain yyy. So the > receiving server can check if the email is coming from a "valid", > "authorized" server for domain xxx (despite the fact that there isn't - and > never was - such thing as "valid sending server" for any domain). > > This concept puts mailing lists, email forwarding and similar things > completely out of scope. I would dare to say that these things simply did > not > exist for inventors of SPF/DMARC. That means, they obviously knew these > things exist, but assumed they are completely unimportant and shouldn't (in > their approach) be used. > > Big email providers started adopting SPF/DMARC etc. also without much > thinking about these seemingly "unimportant" use cases, and then suddenly > it > turned out that we have quite a problem. > > You may disagree of course, but that's just how I see it. There is a quite > old article about why SPF is wrong, but in my opinion this article didn't > date a bit: http://david.woodhou.se/why-not-spf.html The limitations you describe affect SPF but not DMARC because DMARC can rely *either* on SPF *or* on DKIM. There are limitations on DKIM through mailing lists which depend on the mailing list settings and on which headers that the sender has chosen to sign. However sensibly-designed mailing lists (like this one) can work with DKIM-signed emails where the signed headers are not specified too aggressively, and so should still pass DMARC testing (i.e. DKIM + DKIM-alignment both pass).
