On Wed, Jul 14, 2021 at 09:07:54AM -0400, Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote:
> On 2021-07-14 at 03:43:57 UTC-0400 (Wed, 14 Jul 2021 17:43:57 +1000)
> raf <post...@raf.org>
> is rumored to have said:
>
> > Here's a (silly) thing that's wrong with DMARC: :-)
> > I've sent two messages to this mailing list so far, and
> > I've received 52 DMARC forensic/failure report emails
> > as a result! :-)
>
> There are 2 different and contradictory DMARC records in DNS for raf.org.
> That guarantees breakage.

I think it's in the process of propagating.
I don't know what's taking it so long.

> Also, publishing DMARC records at all without DNSSEC is silly.
>
> > For what it's worth, anyone on these lists with SPF
> > might want to add these to their SPF record:
> >   ip4:168.100.1.3
> >   ip4:168.100.1.4
> >   ip4:168.100.1.7
> >   ip6:2604:8d00:0:1::3
> >   ip6:2604:8d00:0:1::4
> >   ip6:2604:8d00:0:1::7
> >
> > It would be good if mailing lists published spf records
> > that members could include: in their spf records. But I
> > suppose most people wouldn't be able to benefit from
>
> That is not scalable, won't actually work, and would be a misuse of SPF.

Yes, I was being silly.

> SPF is intended to be used with the envelope sender address and
> (secondarily) the HELO/EHLO hostname argument. If those do not 'align'
> with the header From address, DMARC will not use SPF.

When you say "DMARC will not use SPF", does that mean
that a difference between the envelope address and the
From: address constitutes a DMARC+SPF failure? And
specifically, a failure relating to the From: domain?

Is it a DMARC+SPF failure relating to the envelope
domain as well? i.e. could failure reports be sent to
both domains if both "reporting policies" requested it?

> DMARC is designed to break the traditional practices of both simple
> transparent forwarding and discussion mailing lists. To do so, it allows the
> use of SPF in a manner it was never intended to be used, to "align" with the
> header From address. Since mailing lists properly use their own domain in
> the envelope, SPF for a mailing list delivery will never align with the
> author's From header.
>
> If you want to post to discussion mailing lists, you should either use a
> From address in a domain without any DMARC record or publish one with a
> p=none policy and sign your messages with DKIM, even though they are likely
> to be broken by the mailing list.

My policy is p=none. Hopefully, that'll be sufficient
to limit any damage. Thanks.

> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

cheers,
raf
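
An added illustration of the alignment rule discussed in this thread (not code from either poster or from any DMARC implementation): a minimal DMARC evaluation comparing a direct delivery with a mailing-list delivery. The domains are constructed, and the two-label `org_domain` helper is a simplifying assumption; real evaluators derive the organizational domain from the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Message:
    header_from: str    # domain of the From: header (what DMARC protects)
    envelope_from: str  # domain of the envelope sender (what SPF checked)
    spf_pass: bool      # SPF result for envelope_from
    dkim_domain: str    # d= of the DKIM signature, "" if unsigned
    dkim_pass: bool     # did the DKIM signature verify?

def dmarc_eval(msg: Message, policy: str = "none",
               aspf_strict: bool = False, adkim_strict: bool = False) -> dict:
    # SPF only counts for DMARC when it passed AND its domain aligns with From:.
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, aspf_strict)
    # DKIM only counts when the signature verified AND d= aligns with From:.
    dkim_ok = (msg.dkim_pass and bool(msg.dkim_domain)
               and aligned(msg.dkim_domain, msg.header_from, adkim_strict))
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            # The published policy is applied only when DMARC fails.
            "disposition": "none" if passed else policy}

# Constructed sample messages (domains are placeholders).
DIRECT = Message("author.example", "author.example", True, "author.example", True)
# List delivery: the list uses its own envelope domain, so SPF passes for the
# list but does not align; a footer or subject tag has broken the author's DKIM.
VIA_LIST = Message("author.example", "list.example", True, "author.example", False)
# Same list delivery, but the list left the signed content untouched.
VIA_LIST_DKIM_INTACT = Message("author.example", "list.example", True,
                               "author.example", True)

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("via list", VIA_LIST),
                    ("via list, DKIM intact", VIA_LIST_DKIM_INTACT)]:
        print(name, dmarc_eval(m, policy="none"), dmarc_eval(m, policy="reject"))
```

With `p=none` the list delivery still fails DMARC and can still generate failure reports, but the receiver is not asked to quarantine or reject it.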