Please keep replies on-list only. Duplicates of anything sent to the
list are just a nuisance.
On 2021-07-14 at 20:51:03 UTC-0400 (Thu, 15 Jul 2021 10:51:03 +1000)
raf <post...@raf.org>
is rumored to have said:
> On Wed, Jul 14, 2021 at 09:07:54AM -0400, Bill Cole
> <postfixlists-070...@billmail.scconsult.com> wrote:
>
>> On 2021-07-14 at 03:43:57 UTC-0400 (Wed, 14 Jul 2021 17:43:57 +1000)
>> raf <post...@raf.org>
>> is rumored to have said:
>>
>>> Here's a (silly) thing that's wrong with DMARC: :-)
>>>
>>> I've sent two messages to this mailing list so far, and
>>> I've received 52 DMARC forensic/failure report emails
>>> as a result! :-)
>>
>> There are 2 different and contradictory DMARC records in DNS for
>> raf.org.
>>
>> That guarantees breakage.
>
> I think it's in the process of propagating.
> I don't know what's taking it so long.

Your primary nameserver is returning 2 TXT records for _dmarc.raf.org,
so this is not a propagation issue.

[...]

>> SPF is intended to be used with the envelope sender address and
>> (secondarily) the HELO/EHLO hostname argument. If those do not 'align'
>> with the header From address, DMARC will not use SPF.
>
> When you say "DMARC will not use SPF", does that mean
> that a difference between the envelope address and the
> From: address constitutes a DMARC+SPF failure?

Yes. Best explanation I've seen:

https://mxtoolbox.com/dmarc/spf/spf-alignment

> And specifically, a failure relating to the From: domain?

DMARC is always relating to the From header address.

If the envelope sender (often: Return-Path) is verified by SPF and
aligns with the From header address, DMARC passes.

If there is a valid DKIM signature for a domain which aligns with the
From header address, DMARC passes.

> Is it a DMARC+SPF failure relating to the envelope
> domain as well? i.e. could failure reports be sent to
> both domains if both "reporting policies" requested it?

Have you considered reading the RFC for yourself?

https://datatracker.ietf.org/doc/html/rfc7489

>> DMARC is designed to break the traditional practices of both simple
>> transparent forwarding and discussion mailing lists. To do so, it
>> allows the use of SPF in a manner it was never intended to be used, to
>> "align" with the header From address. Since mailing lists properly use
>> their own domain in the envelope, SPF for a mailing list delivery will
>> never align with the author's From header.
>>
>> If you want to post to discussion mailing lists, you should either use a
>> From address in a domain without any DMARC record or publish one with a
>> p=none policy and sign your messages with DKIM, even though they are
>> likely to be broken by the mailing list.
>
> My policy is p=none. Hopefully, that'll be sufficient to limit any
> damage.
Based on other traffic here in a collateral subthread in the past day,
it is not. At least one person running a mail server and discussing
their choices in public is convinced that if your message is reformatted
in transit in any way or if mailing list software adds anything to the
body or Subject, your now-broken signature is a sound reason to reject
your message arriving via a mailing list, because "there is no reason
why such messages should pollute the receiving systems." The resulting
damage should be isolated to his system.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
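As an added example (not from this thread, Postfix, or any DMARC library), here is a minimal DMARC evaluator in Python that applies the two alignment rules Bill states above and the RFC 7489 section 6.6.3 rule that zero or more than one DMARC record at _dmarc means no policy is applied; it walks the direct-send, mailing-list, and two-record cases discussed in the thread. Domain names and TXT records in it are constructed, and the organizational-domain logic is a deliberate simplification (real checkers consult the Public Suffix List).

```python
def org_domain(domain: str) -> str:
    # Demo approximation: organizational domain = last two labels.
    # Real checkers consult the Public Suffix List (simplification, assumed).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(domain: str, from_domain: str, mode: str = "r") -> bool:
    # "s" = strict (exact match); "r" = relaxed (same organizational domain).
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)

def parse_dmarc(txt_records):
    # RFC 7489 6.6.3: zero or more than one DMARC record -> discovery fails, no policy.
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def evaluate(from_domain, mail_from_domain, spf_result, dkim_results, txt_records):
    # dkim_results: list of (signing domain, verifier result) pairs.
    policy = parse_dmarc(txt_records)
    if policy is None:
        return "none"  # no usable policy; DMARC is not applied at all
    spf_ok = (spf_result == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, r in dkim_results)
    return "pass" if spf_ok or dkim_ok else "fail:p=" + policy.get("p", "none")

ONE_RECORD = ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"]  # constructed

def scenarios() -> dict:
    return {
        # direct send: envelope domain equals From domain and SPF passes
        "direct": evaluate("example.org", "example.org", "pass", [], ONE_RECORD),
        # via a list: list's own envelope domain, DKIM broken by list edits
        "via_list": evaluate("example.org", "lists.example.net", "pass",
                             [("example.org", "fail")], ONE_RECORD),
        # via a list but the author's DKIM signature survived: still passes
        "via_list_dkim_ok": evaluate("example.org", "lists.example.net", "pass",
                                     [("example.org", "pass")], ONE_RECORD),
        # two contradictory _dmarc records published, as seen in the thread
        "two_records": evaluate("example.org", "example.org", "pass", [],
                                ["v=DMARC1; p=none", "v=DMARC1; p=reject"]),
    }
```

Run `scenarios()` to see that the list delivery fails only because the list's envelope domain cannot align, and that it is rescued when the author's aligned DKIM signature survives the list.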