On 2021-07-14 at 03:43:57 UTC-0400 (Wed, 14 Jul 2021 17:43:57 +1000)
raf <post...@raf.org>
is rumored to have said:

Here's a (silly) thing that's wrong with DMARC: :-)
I've sent two messages to this mailing list so far, and
I've received 52 DMARC forensic/failure report emails
as a result! :-)

There are 2 different and contradictory DMARC records in DNS for raf.org. That guarantees breakage.

Also, publishing DMARC records at all without DNSSEC is silly.

For what it's worth, anyone on these lists with SPF
 might want to add these to their SPF record:
 ip4:168.100.1.3
 ip4:168.100.1.4
 ip4:168.100.1.7
 ip6:2604:8d00:0:1::3
 ip6:2604:8d00:0:1::4
 ip6:2604:8d00:0:1::7

 It would be good if mailing lists published spf records
 that members could include: in their spf records. But I
 suppose most people wouldn't be able to benefit from

That is not scalable, won't actually work, and would be a misuse of SPF. SPF is intended to be used with the envelope sender address and (secondarily) the HELO/EHLO hostname argument. If those do not 'align' with the header From address, DMARC will not use SPF.

DMARC is designed to break the traditional practices of both simple transparent forwarding and discussion mailing lists. To do so, it allows the use of SPF in a manner it was never intended to be used, to "align" with the header From address. Since mailing lists properly use their own domain in the envelope, SPF for a mailing list delivery will never align with the author's From header.

If you want to post to discussion mailing lists, you should either use a From address in a domain without any DMARC record or publish one with a p=none policy and sign your messages with DKIM, even though they are likely to be broken by the mailing list.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
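
Added example, not part of the original message: a minimal sketch of the DMARC alignment check described above, showing why an SPF pass on a mailing list's envelope domain does not help the author's header From domain. The domains and sample messages are constructed, and the organizational-domain function is a simplifying assumption (real receivers use the Public Suffix List).

```python
"""DMARC identifier alignment sketch (added example; all domains constructed)."""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # derive it from the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares org domains.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(msg, aspf_strict=False, adkim_strict=False):
    """DMARC passes only if SPF or DKIM passes AND aligns with header From."""
    spf_ok = msg["spf_pass"] and aligned(msg["mail_from"], msg["from"], aspf_strict)
    dkim_ok = msg["dkim_pass"] and aligned(msg["dkim_d"], msg["from"], adkim_strict)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample: the author mails a recipient directly.
DIRECT = {"from": "author.example", "mail_from": "author.example",
          "spf_pass": True, "dkim_d": "author.example", "dkim_pass": True}

# Constructed sample: the list re-sends with its own envelope sender. SPF is
# evaluated against lists.example, so the author's SPF record is never
# consulted, whatever IPs or include: terms it lists. The list also modified
# the message, which broke the author's DKIM signature.
VIA_LIST = {"from": "author.example", "mail_from": "lists.example",
            "spf_pass": True, "dkim_d": "author.example", "dkim_pass": False}

# Constructed sample: same list delivery, but the DKIM signature survived.
VIA_LIST_DKIM_OK = dict(VIA_LIST, dkim_pass=True)

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via list", VIA_LIST),
                    ("via list, DKIM intact", VIA_LIST_DKIM_OK)]:
        print(f"{name:24} {dmarc_eval(m)}")
```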
