David Jones wrote on 2017-05-19 21:36:

SPF:    PASS with IP 96.5.1.12
DKIM:   PASS with domain ena.com
DMARC:  PASS

authentication-results: spamassassin.apache.org; dkim=none (message not
 signed) header.d=none;spamassassin.apache.org; dmarc=none action=none
 header.from=ena.com;

Is something in your mail chain removing the signed DKIM?

I guess the envelope-from is changed to the Mailman list which
would break the SPF alignment and it could be stripping out the
DKIM headers if you all are saying it's not there.

No no no no and no, mailing lists do not break SPF. What happened is that the domain changes on every MTA, so it could still pass SPF even if your own domain is not SPF protected, but as you see it is really a forwarded mail to the mailing list that passes SPF on apache.org.

This is SPF, but you still fail to DKIM sign to the mailing list; this is your error if you like to make a DMARC reject policy.

The problem with the RFCs for DMARC is that it's not possible to whitelist mailing list servers so they never reject on policy reject. What would happen if we all rejected on a single domain that has policy reject? Then no one would be subscribed in the end, if one likes to follow one's own rules on reject.

It would be nice if DMARC could handle reject policy better if SPF passed, maybe Lua scripted?

I guess I will have to sign up with my personal email address that
doesn't have p=reject.  I guess as more and more domains move to
p=reject, then this is going to be a real problem.  Mailing lists are
going to have to evolve how they send or something.

p=reject is fine, but missing DKIM on that policy is not working.

I still have to see docs on why this is not supported at all.

https://dmarc.org/2017/03/can-i-use-dmarc-if-i-have-only-deployed-spf/

Good page that does not help much on how to configure DMARC to not reject mailing lists, even for a domain with policy reject.
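
Added example (not part of the original message and not code from any tool mentioned in the thread): a minimal sketch of the DMARC identifier-alignment check, showing why an SPF pass on the list's own envelope domain does not satisfy DMARC for header.from=ena.com unless an aligned DKIM signature survives. The list's envelope domain, the p=reject policy value and the two-label organizational-domain shortcut are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real DMARC
    # implementations use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str) -> bool:
    # Relaxed alignment: both names share one organizational domain.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str          # domain of the RFC5322.From address
    envelope_from: str        # domain SPF was checked against (MAIL FROM)
    spf: str                  # SPF result, e.g. "pass"
    dkim: str                 # DKIM result, e.g. "pass" or "none"
    dkim_d: Optional[str]     # d= of the verified signature, if any


def dmarc_evaluate(msg: Message, policy: str) -> dict:
    # DMARC passes when at least one mechanism passes AND is aligned.
    spf_ok = msg.spf == "pass" and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = msg.dkim == "pass" and aligned(msg.dkim_d, msg.header_from)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy}


# Constructed samples. ena.com and apache.org come from the thread; the
# list bounce domain and the p=reject policy are assumptions.
DIRECT = Message("ena.com", "ena.com", "pass", "pass", "ena.com")
VIA_LIST_UNSIGNED = Message("ena.com", "spamassassin.apache.org", "pass", "none", None)
VIA_LIST_SIGNED = Message("ena.com", "spamassassin.apache.org", "pass", "pass", "ena.com")

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("list, no DKIM", VIA_LIST_UNSIGNED),
                    ("list, DKIM intact", VIA_LIST_SIGNED)]:
        print(name, dmarc_evaluate(m, policy="reject"))
```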
