On Wed, Jul 14, 2021 at 09:34:22PM -0400, Bill Cole 
<postfixlists-070...@billmail.scconsult.com> wrote:

> Please keep replies on-list only. Duplicates of anything sent to the list
> are just a nuisance.

Will do. That's my preference too, but different lists
have different opinions about that. 

> On 2021-07-14 at 20:51:03 UTC-0400 (Thu, 15 Jul 2021 10:51:03 +1000)
> raf <post...@raf.org>
> is rumored to have said:
> 
> > On Wed, Jul 14, 2021 at 09:07:54AM -0400, Bill Cole
> > <postfixlists-070...@billmail.scconsult.com> wrote:
> > 
> > > On 2021-07-14 at 03:43:57 UTC-0400 (Wed, 14 Jul 2021 17:43:57 +1000)
> > > raf <post...@raf.org>
> > > is rumored to have said:
> > > 
> > > > Here's a (silly) thing that's wrong with DMARC: :-)
> > > > I've sent two messages to this mailing list so far, and
> > > > I've received 52 DMARC forensic/failure report emails
> > > > as a result! :-)
> > > 
> > > There are 2 different and contradictory DMARC records in DNS for raf.org.
> > > That guarantees breakage.
> > 
> > I think it's in the process of propagating.
> > I don't know what's taking it so long.
> 
> Your primary nameserver is returning 2 TXT records for _dmarc.raf.org, so
> this is not a propagation issue.

Thanks. It's fixed now (and the propagation issue as well).

> [...]
> > > SPF is intended to be used with the envelope sender address and
> > > (secondarily) the HELO/EHLO hostname argument. If those do not 'align'
> > > with the header From address, DMARC will not use SPF.
> > 
> > When you say "DMARC will not use SPF", does that mean
> > that a difference between the envelope address and the
> > From: address constitutes a DMARC+SPF failure?
> 
> Yes. Best explanation I've seen:
> https://mxtoolbox.com/dmarc/spf/spf-alignment
> 
> > And
> > specifically, a failure relating to the From: domain?
> 
> DMARC is always relating to the From header address.
> 
> If the envelope sender (often: Return-Path) is verified by SPF and aligns
> with the From header address, DMARC passes.
> 
> If there is a valid DKIM signature for a domain which aligns with the From
> header address, DMARC passes.
> 
> > Is it a DMARC+SPF failure relating to the envelope
> > domain as well? i.e. could failure reports be sent to
> > both domains if both "reporting policies" requested it?
> 
> Have you considered reading the RFC for yourself?
> https://datatracker.ietf.org/doc/html/rfc7489

Yes. Will do. Thanks for being as generous with your time
as you have been. I'll stop now. :-)

> > > DMARC is designed to break the traditional practices of both simple
> > > transparent forwarding and discussion mailing lists. To do so, it allows
> > > the use of SPF in a manner it was never intended to be used, to "align"
> > > with the header From address. Since mailing lists properly use their own
> > > domain in the envelope, SPF for a mailing list delivery will never align
> > > with the author's From header.
> > > 
> > > If you want to post to discussion mailing lists, you should either use a
> > > From address in a domain without any DMARC record or publish one with a
> > > p=none policy and sign your messages with DKIM, even though they are
> > > likely to be broken by the mailing list.
> > 
> > My policy is p=none. Hopefully, that'll be sufficient to limit any damage.
> 
> Based on other traffic here in a collateral subthread in the past day, it is
> not. At least one person running a mail server and discussing their choices
> in public is convinced that if your message is reformatted in transit in any
> way or if mailing list software adds anything to the body or Subject, your
> now-broken signature is a sound reason to reject your message arriving via a
> mailing list, because "there is no reason why such messages should pollute
> the receiving systems."  The resulting damage should be isolated to his
> system.

I meant it in the context of a continued absence of DKIM signatures.

> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire

cheers,
raf
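
The alignment rules and the duplicate-record problem discussed in this thread, as an added Python example that is not part of the original messages and not taken from any DMARC implementation. The domains and records are constructed, and `org_domain` approximates the organizational domain with the last two labels (an assumption; real evaluators use the Public Suffix List).

```python
# Added illustration of RFC 7489 record selection and identifier alignment.
def parse_tags(record):
    """Split a DMARC record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def select_dmarc_record(txt_records):
    """Keep TXT records whose first tag is v=DMARC1. Zero or several
    survivors means no usable policy (RFC 7489 section 6.6.3). The
    fallback query at the organizational domain is omitted here."""
    valid = [r for r in txt_records
             if r.split(";", 1)[0].replace(" ", "") == "v=DMARC1"]
    return parse_tags(valid[0]) if len(valid) == 1 else None

def org_domain(domain):
    # ASSUMPTION: last two labels stand in for the Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, txt_records, spf_pass_domain, dkim_pass_domains):
    """spf_pass_domain: envelope sender domain that passed SPF, or None.
    dkim_pass_domains: d= domains of DKIM signatures that verified."""
    policy = select_dmarc_record(txt_records)
    if policy is None:
        return "not-applied"
    spf_ok = spf_pass_domain is not None and aligned(
        spf_pass_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed sample data: author.example posts through lists.list.example.
ONE = ["v=DMARC1; p=none; rua=mailto:reports@author.example"]
TWO = ONE + ["v=DMARC1; p=reject"]  # two records published at once
if __name__ == "__main__":
    print(dmarc_result("author.example", ONE, "author.example", []))      # direct delivery
    print(dmarc_result("author.example", ONE, "lists.list.example", []))  # list, DKIM broken
    print(dmarc_result("author.example", ONE, "lists.list.example", ["author.example"]))
    print(dmarc_result("author.example", TWO, "author.example", []))      # duplicate records
```
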
