On Tue, Dec 2, 2025 at 5:26 AM Dan Mahoney <[email protected]> wrote:
> Your DMARC TXT record is:
> _dmarc.jcea.es.         7200    IN      TXT     "v=DMARC1; p=none; sp=none; 
> rua=mailto:[email protected]; ruf=mailto:[email protected]";
>
> Your "strict" configuration tells users who are checking DMARC to do nothing 
> in the event of a DMARC fail (p=none), so if you are getting failures, those 
> users are not properly following the instructions that you have put in your 
> DNS.
...
> We also ARC seal the traffic going through our mailing lists, which is 
> supposed to deal with precisely this unique problem that the original 
> DMARC/DKIM implementors kind of ignored.

FWIW, while I very much appreciate your points, I'll observe that I
also had what was an outwardly confusing experience with the ISC mail
configuration reporting "failures" to me without being clear what the
failure supposedly was, for mail that apparently succeeded in
delivery.  Right up front I'll acknowledge that it was all reasonable
behavior, but the experience could be better.

The situation was roughly the same as the above; p=none and a mailing
list that had isc.org subscribers.   Since my DMARC policy was none,
the From was not being rewritten by the list software.  So yeah, there
was an inconsistency in that the list server's IP wasn't covered by my
SPF -- correctly dubbed an authentication failure.  However, messages
I sent to the list went through fine because of p=none, and even got
replies from ISC subscribers so it didn't seem like a failure.

ISC stood out as pretty much the only receiver that was sending
reports about it from a list that had many, many domains represented.
Plus the report of what was actually the problem was in a
message/feedback-report section that my MUA did not readily display,
so I was a little confused about being told things had failed.  That
section does make it a little more clear by calling out the reverse
DNS name of the sending server, something not included in the freeform
text.

It'd be useful if the text/plain part was more prosaically descriptive
about why you were sending the report, including maybe a note that
some mailing list software will not do ARC when DMARC policy is not
quarantine/reject.
-- 
tale
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
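
The situation described in the message above (p=none, a list relay that is not in the sender's SPF, From not rewritten), worked through as an added example that is not part of the original email or any ISC code. The domain example.org, the report addresses and the broken DKIM signature are constructed assumptions; evaluation is simplified from RFC 7489 and ignores `pct` and `sp`.

```python
# Added example: simplified DMARC evaluation (RFC 7489); pct and sp are ignored.
RECORD = "v=DMARC1; p=none; sp=none; rua=mailto:agg@example.org; ruf=mailto:fail@example.org"  # constructed

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, tags.get("adkim", "r"))
                  for res, dom in dkim)
    passed = spf_ok or dkim_ok          # one aligned pass is enough
    fo = tags.get("fo", "0").split(":")
    # fo=0 (default): report when no mechanism gave an aligned pass; fo=1: when any did not.
    wants_report = (not passed) or ("1" in fo and not (spf_ok and dkim_ok))
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
        "failure_report": wants_report and "ruf" in tags,
    }

# Constructed scenario: list relay not in the sender's SPF, From not rewritten,
# and (assumption) the list footer broke the sender's DKIM signature.
via_list = evaluate(RECORD, "example.org", ("fail", "example.org"), [("fail", "example.org")])
direct = evaluate(RECORD, "example.org", ("pass", "example.org"), [("pass", "example.org")])
if __name__ == "__main__":
    print("via list:", via_list)
    print("direct:  ", direct)
```

The list-relayed message evaluates to a DMARC fail with disposition `none`, so it is delivered while a receiver that honours `ruf` still sends a failure report.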
