Hey all, I'm one of the people who admins ISC's mail servers, and also receives all our DKIM/SPF/DMARC failure reports. (We use dmarcian.com)
We've seen a number of messages reported to us as having an isc.org "from" address, and as having our dkim signatures, but the signatures failing to verify, perhaps because a forwarder may have added a subject tag or rewritten some other header. Of course, SPF also fails because those servers aren't in our SPF record. This makes us look bad because it shows isc.org messages arriving at gmail in a non-compliant way, and it makes your mail servers look bad, because they're "spoofing" isc.org mail. Worse, if ISC moves our dmarc record to a p=reject policy, you just won't get that email anymore, so it's definitely not future-proof. Our dmarc reports only show us aggregates of the from/to/spf/dkim/dmarc status. We can't easily inspect individual messages. If this sounds like you, please do drop me a line privately at dmaho...@isc.org. I'd love to work with you to ensure I understand what's going on and also see if we can make things work better for everyone. Cheers, -Dan -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users