Hi all, The following is a guide which explains the problem, and how to correct it.
SPF is a mail protocol designed to ensure a given mail server is in fact permitted to send email for a domain. It protects the return path component of an email, and helps protect against back scatter attacks, and to a certain extent makes it more difficult to falsely send mail. Please see https://en.wikipedia.org/wiki/Sender_Policy_Framework for more information. DKIM is a mail protocol designed to authenticate that the purported sender of an email actually sent the email. It does this by signing (using a public/private key mechanism) the mail body and some headers of the email and including this signature in the headers of the email, in the DKIM-Signature header. Many mail providers already implement this standard and use it to make spam filtering decisions. Technical details on how it works can be found at https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail DMARC is a mail protocol designed to clarify policy enforcement and reporting around the pre-existing SPF and DKIM protocols. To date, while both of them defined what was valid and invalid, they did not state what actions should be taken if SPF or DKIM validation failed. DMARC allows domain administrators to provide this information to outside parties, and receive reports back regarding compliance - particularly in the case of failures, to aid in detecting phishing and configuration errors. Please see https://en.wikipedia.org/wiki/DMARC for more information. In regards to mailing lists, DKIM (and therefore DMARC as well) causes some problems, as rather common features - such as appending of footers and modifying subjects will break DKIM signatures. This in turn may lead to hosts which perform DKIM validation not accepting emails from the mailing list where the sender of the email signed it. Considering that Google & Yahoo among others have implemented this, a decent proportion of email landing on lists will likely be signed. To date this has not caused major issues, as DKIM was not being enforced. With the advent of DMARC however, providers are now beginning to enforce valid DKIM signatures. This requires mailing list administrators to take steps to ensure everyone is still able to subscribe and post to their mailing lists. A detailed overview of possible actions which can be taken is available at http://wiki.list.org/DEV/DMARC (for Mailman at least, the steps are broadly applicable to other software as well however). The easiest and least invasive way of correcting this problem is to stop modifying emails. This can be accomplished for Mailman lists by: a) Clearing the "subject_prefix" setting b) Clearing "msg_header" and "msg_footer" c) Disabling "scrub_nondigest" and "first_strip_reply_to" Depending on who posts to your list, you may also need to: a) Set "reply_goes_to_list" to "Poster" b) Set "include_sender_header" to "False". Note that the second set of changes should not be necessary in most cases. These changes will make your mailing list DMARC compliant, and will ensure that everyone is able to subscribe to, and respond to, postings on your list without inconveniencing the mail systems of anyone else on the list. Hope the above helps. Feel free to pass it on to any mailing list admin who needs it. Regards, Ben
