On 07-15-2021 3:30 am, Nick Tait wrote:

> This is not entirely necessary. If you send to a list, using a From
> address in a domain that has a DMARC policy (i.e. with p=quarantine or
> p=reject), then provided that the message is properly DKIM-signed by
> the From domain and hasn't been modified in a way that breaks that
> signature, then there is no problem. The reason is because the DKIM
> check still passes, and DMARC only requires the SPF check _or_ the DKIM
> check to pass, it doesn't need both.
>
> The main problem I've seen is when someone sends an email to a list,
> using a From address in a domain that has a DMARC policy, where the
> domain doesn't DKIM-sign the messages. In this case, because the
> mailing list forwards the email using a different envelope address,
> there is no way that DMARC can be satisfied.
>
> In my experience DMARC works well if you set it up properly. But
> unfortunately there are many opportunities for mail server
> administrators to set it up badly, and that's when it causes problems.
>
> And FWIW, I've never seen evidence of any DKIM signature breakage from
> this mailing list (i.e. Postfix Users). But perhaps other mailing list
> software might be problematic?

After hearing all sides, I decided to try using policy settings
recommended by Viktor. Since then I've had two emails from this list
rejected by DMARC which now confuses me. The email didn't fail SPF or
DKIM.

postfix/smtpd[226953]: connect from camomile.cloud9.net[168.100.1.3]
policyd-spf[226970]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=168.100.1.3; helo=camomile.cloud9.net; envelope-from=owner-postfix-us...@postfix.org; receiver=<UNKNOWN>
postfix/smtpd[226953]: 4GQLM7378Wz4l3hN: client=camomile.cloud9.net[168.100.1.3]
postfix/cleanup[226977]: 4GQLM7378Wz4l3hN: info: header Subject: Re: Conditional milter_header_checks? from camomile.cloud9.net[168.100.1.3]; from=<owner-postfix-us...@postfix.org> to=<post...@ptld.com> proto=ESMTP helo=<camomile.cloud9.net>
postfix/cleanup[226977]: 4GQLM7378Wz4l3hN: message-id=<20210715040216.ga27...@raf.org>
opendkim[221168]: 4GQLM7378Wz4l3hN: camomile.cloud9.net [168.100.1.3] not internal
opendkim[221168]: 4GQLM7378Wz4l3hN: not authenticated
opendkim[221168]: 4GQLM7378Wz4l3hN: no signature data
opendmarc[221165]: 4GQLM7378Wz4l3hN: raf.org fail
postfix/cleanup[226977]: 4GQLM7378Wz4l3hN: milter-reject: END-OF-MESSAGE from camomile.cloud9.net[168.100.1.3]: 5.7.1 rejected by DMARC policy for raf.org; from=<owner-postfix-us...@postfix.org> to=<post...@ptld.com> proto=ESMTP helo=<camomile.cloud9.net>
postfix/smtpd[226953]: disconnect from camomile.cloud9.net[168.100.1.3] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7

Was SPF looking up records for raf.org or for cloud9.net? I see both of
those domains have published SPF records so why was SPF "None"?
Why did DMARC reject this even though it didn't fail either check?
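
Added example, not part of either poster's message and not code from Postfix, OpenDKIM or OpenDMARC: a simplified DMARC evaluation (the pass-and-align rule of RFC 7489) run over three entries copied from the log above, showing which domain each check was applied to. The function names, the two-label organizational-domain shortcut and the default `reject` policy (assumed from the 5.7.1 rejection in the log) are assumptions of this example.

```python
import re

# Three entries copied from the log in the message above (one entry per line).
SAMPLE_LOG = """\
policyd-spf[226970]: prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=168.100.1.3; helo=camomile.cloud9.net; envelope-from=owner-postfix-us...@postfix.org; receiver=<UNKNOWN>
opendkim[221168]: 4GQLM7378Wz4l3hN: no signature data
opendmarc[221165]: 4GQLM7378Wz4l3hN: raf.org fail
"""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real evaluators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_log(text):
    # Pull out the identity each check was run against.
    spf = re.search(r"Received-SPF: (\w+) .*envelope-from=\S+@([\w.-]+);", text)
    dmarc = re.search(r"opendmarc\[\d+\]: \w+: ([\w.-]+) (?:pass|fail)", text)
    sigs = [] if "no signature data" in text else None  # None = not recorded
    return {"spf_result": spf.group(1).lower(), "spf_domain": spf.group(2),
            "from_domain": dmarc.group(1), "dkim_sigs": sigs}

def dmarc_eval(from_domain, spf_result, spf_domain, dkim_sigs, policy="reject"):
    # dkim_sigs: list of (result, d= domain), one tuple per signature.
    # policy="reject" is assumed from the 5.7.1 rejection in the log.
    # Only a result of "pass" on an aligned domain counts; "none",
    # "neutral", "softfail" and a missing signature all count as no pass.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim_sigs)
    passed = spf_ok or dkim_ok
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}

if __name__ == "__main__":
    seen = parse_log(SAMPLE_LOG)
    print(seen)
    print(dmarc_eval(seen["from_domain"], seen["spf_result"],
                     seen["spf_domain"], seen["dkim_sigs"]))
```
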