On 04/09/2018 08:45 PM, Jesse Thompson wrote:> Kinda, yes.  Anyone
running a non-compliant list server should look to
> how other list servers are making themselves compliant.  Could be...
> 1) rewrite headers
> 2) not break DKIM
> 3) ARC?
> I don't want to be overly prescriptive (no one in academia likes to be
> told what to do) but rather to let people know that (a) change is coming
> and it isn't scary, and (b) here are some possible changes you can make
Slight topic change: We've seen email sent from email servers using
DMARC p=reject but with broken DKIM (basically relaying through sendgrid
but with some error in the DKIM DNS configuration, as far as I can
remember).

We handle an email forwarder that, usually, doesn't break DKIM, so DMARC
should be fine. Except when the source mail is DKIM-invalid and the only
thing that makes all the mail not to be rejected is SPF alignment, which
we cannot fix on our side.

What is there, as an email forwarder, that we could do to be compliant?
Currently our only guess is to rewrite headers when the email comes with
broken DKIM yet valid SPF, but even though it's OK for lists that's
unexpected from the user's point of view from forwarding services…

Or should we just reject these mails and tell the sender to do the
things properly? doesn't work well with the end users…

Sometimes I'm thinking DMARC should have enforced DKIM, and not allowed
to have only a match in {SPF, DKIM}, because it leads to issues like
broken-DKIM working-SPF domains not noticing things are wrong even
though they *are*…

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Reply via email to