NetBSD-Users archive


Re: Mailing-list misconfiguration?



I have analysed all the DMARC reports I have received so far and:

- SPF check failures only happen when I post to a mailing list (NetBSD or DragonFly).

- Most of the time, it doesn't matter if the SPF check fails. Some servers even report they understand the message is coming from a mailing list:
  <comment>looks forwarded, not quarantined for DMARC</comment>
  or <comment>Policy ignored due to local mailing list policy</comment>

- Of the 24 reports I have analysed, only 2 reported quarantine dispositions when *both* DKIM and SPF checks failed.
Here is an example:

  <record>
    <row>
      <source_ip>199.233.217.200</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>defert.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>netbsd.org</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>199.233.217.200</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>defert.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>defert.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>netbsd.org</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

In the end, you're right, there is probably no need to worry about this.

On 09/11/2020 13:49, Greg Troxel wrote:
> Vincent DEFERT <20.100%defert.com@localhost> writes:
>
>> I'm receiving DMARC reports such as the one below. The 199.233.217.200
>> source_ip points at mail.netbsd.org.
>
> Presumably you have configured your own domain for DMARC/DKIM/SPF.
>
>> My understanding is that when NetBSD's mailing-list software forwards
>> my posts to other subscribers, it keeps my email as sender address
>> instead of replacing it with netbsd-users%netbsd.org@localhost.
>> And because mail.netbsd.org is not listed in my SPF record (of
>> course), those forwarded emails are considered as spam.
>>
>> Am I correct?
>
> No.  The From: remains you (as it should) and the MAIL FROM (aka
> Return-Path:) is set to a NetBSD.org address, so that bounces go to the
> list software, not the author.
>
> SPF is required to check Return-Path: rather than From:.  I suggest you
> read this in its entirety, but see especially 1.1.3, 2.3, 2.4, 11.2:
>
>    https://tools.ietf.org/html/rfc7208
>
> Your message (that I am replying to) arrived at my server and passed
> both SPF and DKIM validation.
>
> It could be that some validators are not doing SPF correctly.
>
> I note that in your report there also seem to be DKIM failures.  But
> your message and Ottavio's both passed DKIM at my verifier.
>
> Are you finding that every DMARC verifier fails?  Or just some?
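
Added example, not part of either message above: a short Python reader for DMARC aggregate records like the two quoted in the post. For each record it puts the `<policy_evaluated>` verdict next to the raw `<auth_results>`, which shows that the reported SPF result is a pass for netbsd.org (the Return-Path domain) while the DMARC-level SPF verdict is a fail because that domain does not match the `header_from` domain. The function names, the `<feedback>` wrapper around the sample, the absence of an XML namespace and the simplified alignment test are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <record> elements quoted in the post, wrapped in
# a <feedback> root so the fragment parses as one document.
SAMPLE = """<feedback>
<record><row><source_ip>199.233.217.200</source_ip><count>1</count>
<policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>defert.com</header_from></identifiers>
<auth_results><spf><domain>netbsd.org</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>199.233.217.200</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>defert.com</header_from></identifiers>
<auth_results><dkim><domain>defert.com</domain><result>pass</result></dkim>
<spf><domain>netbsd.org</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from):
    # Approximation of relaxed alignment (assumption): identical domains or a
    # parent/child pair. A full check compares Organizational Domains using
    # the Public Suffix List.
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h or a.endswith("." + h) or h.endswith("." + a)

def explain(record):
    """Pair each DMARC verdict with the reason visible in auth_results."""
    header_from = record.findtext("identifiers/header_from") or ""
    result = {"source_ip": record.findtext("row/source_ip"),
              "disposition": record.findtext("row/policy_evaluated/disposition")}
    for mech in ("dkim", "spf"):
        verdict = record.findtext(f"row/policy_evaluated/{mech}")
        # Domains for which the receiver reported a raw pass for this mechanism.
        passed = [a.findtext("domain") or "" for a in record.findall(f"auth_results/{mech}")
                  if a.findtext("result") == "pass"]
        if verdict == "pass":
            why = "aligned pass"
        elif not passed:
            why = "no passing result reported"
        elif any(aligned(d, header_from) for d in passed):
            why = "report is inconsistent"
        else:
            why = f"pass for {', '.join(passed)}, not aligned with {header_from}"
        result[mech] = (verdict, why)
    return result

def summarize(xml_text):
    return [explain(r) for r in ET.fromstring(xml_text).iter("record")]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Aggregate reports arrive from third parties, so a hardened XML parser such as defusedxml is the safer choice when reading them from a real mailbox.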


