> On Dec 1, 2025, at 3:24 PM, Jesus Cea <[email protected]> wrote:
> 
> My domain "jcea.es" has a strict DMARC configuration and this mailing list is 
> not mangling email headers enough to satisfy any email server actually 
> verifying SPF/DKIM.

Your DMARC TXT record is:

_dmarc.jcea.es.         7200    IN      TXT     "v=DMARC1; p=none; sp=none; 
rua=mailto:[email protected]; ruf=mailto:[email protected]";

Your "strict" configuration tells users who are checking DMARC to do nothing in 
the event of a DMARC fail (p=none), so if you are getting failures, those users 
are not properly following the instructions that you have put in your DNS.  
Now, it's possible that they are rejecting solely on your SPF record (which 
sets -all) but if you're getting DMARC bounce messages, then it doesn't make 
sense to do this because the DMARC spec says both must be checked.

Note that for sites like o365 and gmail, they are black boxes and will do 
whatever the heck they want and not document it, and make random changes at 
will.

As for what we are doing:

Our mailman software will rewrite the sender address for users posting from 
domains which have p=quarantine or p=reject -- that is to say, we compensate 
for the actual conditions where mail flow *should* be affected.

We also ARC seal the traffic going through our mailing lists, which is supposed 
to deal with precisely this unique problem that the original DMARC/DKIM 
implementors kind of ignored.

-Dan Mahoney
ISC Operations
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
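
The policy test described in the reply above (rewrite the sender only when the posting domain publishes p=quarantine or p=reject), as an added Python example that is not Mailman's or ISC's own code. The function names, the `is_subdomain` flag and the placeholder report addresses are assumptions made for illustration.

```python
import re

ENFORCING = {"quarantine", "reject"}
VALID = ENFORCING | {"none"}

# Policy tags as in the record quoted in the message; report addresses are placeholders.
PAGE_RECORD = ('"v=DMARC1; p=none; sp=none; rua=mailto:reports@example.invalid; '
               'ruf=mailto:reports@example.invalid"')

def join_txt_strings(rdata):
    """Concatenate the quoted character-strings of TXT rdata as printed by dig."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks) if chunks else rdata

def parse_dmarc(txt):
    """Return a dict of tags, or None if the text is not a DMARC record."""
    pairs = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    # RFC 7489: v=DMARC1 must be the first tag and must match exactly.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = {}
    for name, value in pairs:
        tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags

def effective_policy(rdata, is_subdomain=False):
    """Policy a receiver is asked to apply: 'none', 'quarantine', 'reject' or None."""
    tags = parse_dmarc(join_txt_strings(rdata))
    if tags is None:
        return None
    p = tags.get("p", "").lower()
    sp = tags.get("sp", "").lower()
    # A missing/invalid p, or an invalid sp, leaves nothing enforceable.
    if p not in VALID or ("sp" in tags and sp not in VALID):
        return "none"
    # sp overrides p only for subdomains of the domain that published the record.
    return sp if (is_subdomain and "sp" in tags) else p

def should_rewrite_from(rdata, is_subdomain=False):
    """True when a list would need to rewrite From to survive DMARC enforcement."""
    return effective_policy(rdata, is_subdomain) in ENFORCING
```

Deciding whether a posting address is a subdomain of the organizational domain needs a public suffix lookup, which is left to the caller here.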
