On 2016-08-26, Peter N. M. Hansteen <pe...@bsdly.net> wrote:

> The only downside is, the traditional forwarding that mailing lists do
> *also* triggers the DMARC dark magic, and there is a significant risk
> that messages sent with senders in DMARC domains via the mailing list
> to recipients with a somewhat DMARC-aware setup will be discarded.

I still have a question on this subject that is not 100% clear to me. From
what I understand, when you use SPF and DKIM, which DMARC is based on if
you forget the ASPF part, and you have multiple mail servers in the path
that may all have their own DKIM signature for example, is only the most
recent one, for the last mail server to deliver to the final destination,
checked? So, DMARC will base its judgement on the last header part, whether
DKIM and SPF are present or not? I think so, but not 100% sure.

So, the problem comes from the fact that DMARC only looks at the From:
field, here being

From: "Peter N. M. Hansteen" <pe...@bsdly.net>

and then checks DKIM and SPF in DNS for that domain and doesn't see the
last entry as valid, being here:

Received: from openbsd.org (lists.openbsd.org [192.43.244.163])

Am I missing something so far?

> However, the solution or workaround is to set up the mailing list for
> the DMARC magic to do some benign rewriting of headers - the message
> at [2] describes how the FreeBSD list admins solved the problem for
> their lists.

So, maybe the way to go around it without modifying the header, as I
don't think it should or that would be a good idea, may just be for you to
add to your SPF records the entry for the mailing list used, like this:

host-2:~ daniel$ dig txt bsdly.net +short
"v=spf1 a mx ip4:213.187.179.198 ip4:194.54.103.54/26
ip6:2001:16d8:ff00:1a9::2 ip6:2001:16d8:ccbc:dead:beef::1 -all"

To this, maybe:

"v=spf1 a mx a:lists.openbsd.org ip4:213.187.179.198
ip4:194.54.103.54/26 ip6:2001:16d8:ff00:1a9::2
ip6:2001:16d8:ccbc:dead:beef::1 -all"

This way you still control it; however, it does open a different problem
that I think you want to use DMARC for, which is that now anyone that presents
themselves as someone @bsdly.net using lists.openbsd.org will also be
accepted, as the DKIM is not verified, not being in the most recent header of
the email.

I think it is like some company that uses outlook.com to preserve their
identity and sets up SPF, but then if you look at the SPF you add, it's so
darn big that anyone that wants to harm your business only needs an
outlook account and can assume your identity too, the same way, with valid
SPF that you, the company, would have put in place for the bad guy. Am I
missing something?

Or does the DKIM check actually check ALL entries in the header to find one
that matches the From: field, in this case

From: "Peter N. M. Hansteen" <pe...@bsdly.net>

check the DKIM to be this one:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple;
d=bsdly.net; s=x;
h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date:Message-ID:
Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description:Resent-Date
:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
List-Owner:List-Archive;
bh=xV4BhTR1l3nZo2a7lVgLRZp28B12IgQRQJUApJOXkB8=; b=W
hIDoIFBynQIDHHE06LTL0u+KHT47etyEzIk9lZexMkoTD4rSeXNVubLhLwwy6nxOXXMCdPYV/bPnS
BD4he3d5/h4CDpEqZ/8Ojx4W5G7zf1u6VfHcTyehkcAv6jnOXJzjQtCYzeCEua+//hufU6nVdZaGf
VXE75oJcED8xwwrQ=;

then the SPF to be this one:

dig txt bsdly.net +short
"v=spf1 a mx ip4:213.187.179.198 ip4:194.54.103.54/26
ip6:2001:16d8:ff00:1a9::2 ip6:2001:16d8:ccbc:dead:beef::1 -all"

And then reject or accept based on that?

If so, and that's the part I am not sure about and it is not clear
anywhere, but if so, then you only need to add to your SPF the lists you
use and you would achieve your goal, no?

I would appreciate feedback on this as I am not 100% clear on how I
think the process is actually done for checking the email headers and
DKIM, especially if you happen to have multiple servers adding their own...

If so, shouldn't this solve your problem of delivery by mailing lists?

In the end the burden is on you to maintain your SPF records based on
the mailing lists you use, and I will admit if you use a lot, then it
may be a pain, but isn't the goal to keep control of your emails?

Hope this helps some, if I understand it correctly.

Daniel

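The question above (whether DMARC looks only at the most recent DKIM signature, and whether adding the list host to the author domain's SPF record restores delivery) can be worked through with a small model of the RFC 7489 evaluation. The following is an added example, not code from the thread or from any of the projects named in it. Per RFC 7489, a receiver considers every DKIM signature that verifies, evaluates SPF for the RFC5321.MailFrom domain of the hop that delivered the message, and passes DMARC when either result is aligned with the RFC5322.From domain. The DNS table is constructed: the bsdly.net SPF text is the record quoted in the thread with `a:lists.openbsd.org` added as proposed, while the openbsd.org SPF record, the list's own DKIM signature and the `_dmarc.bsdly.net` policy are hypothetical sample values, and the organizational-domain helper uses the last two labels rather than the Public Suffix List.

```python
"""Toy DMARC evaluator, added as an illustration for this thread.
It models RFC 7489 alignment: every DKIM signature that verifies is
considered (not only the most recent one), SPF is evaluated for the
RFC5321.MailFrom domain used by the last hop, and DMARC passes when
either result is aligned with the RFC5322.From domain. DNS is constructed."""
import ipaddress

# Constructed DNS snapshot. The bsdly.net SPF text is the record quoted in
# the thread with a:lists.openbsd.org added as proposed; the openbsd.org SPF
# record and the _dmarc.bsdly.net policy are hypothetical sample values.
DNS = {
    "bsdly.net": {
        "A": ["213.187.179.198"],
        "MX": ["bsdly.net"],
        "TXT": ["v=spf1 a mx a:lists.openbsd.org ip4:213.187.179.198 "
                "ip4:194.54.103.54/26 ip6:2001:16d8:ff00:1a9::2 "
                "ip6:2001:16d8:ccbc:dead:beef::1 -all"],
    },
    "lists.openbsd.org": {"A": ["192.43.244.163"]},
    "openbsd.org": {"A": ["192.43.244.163"], "MX": ["lists.openbsd.org"],
                    "TXT": ["v=spf1 a mx -all"]},
    "_dmarc.bsdly.net": {"TXT": ["v=DMARC1; p=reject; adkim=r; aspf=r"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, domain):
    """Minimal SPF (RFC 7208) check: ip4, ip6, a, mx and all mechanisms only;
    no include/redirect/exists and no DNS lookup limit."""
    ip = ipaddress.ip_address(client_ip)
    txt = next((t for t in DNS.get(domain, {}).get("TXT", [])
                if t.startswith("v=spf1")), None)
    if txt is None:
        return "none"
    for term in txt.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        nets = []
        if mech in ("ip4", "ip6"):
            nets = [ipaddress.ip_network(arg, strict=False)]
        elif mech == "a":
            nets = [ipaddress.ip_network(a) for a in DNS.get(arg or domain, {}).get("A", [])]
        elif mech == "mx":
            for mx in DNS.get(arg or domain, {}).get("MX", []):
                nets += [ipaddress.ip_network(a) for a in DNS.get(mx, {}).get("A", [])]
        elif mech == "all":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        if any(n.version == ip.version and ip in n for n in nets):
            return QUALIFIERS[qual]
    return "neutral"


def org_domain(name):
    # Organizational domain; real receivers consult the Public Suffix List,
    # the last two labels suffice for the sample domains used here.
    return ".".join(name.lower().split(".")[-2:])


def aligned(domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim_results):
    """dkim_results: (d= domain, verification result) for EVERY DKIM-Signature
    header on the message, in any order; all of them are examined."""
    rec = DNS.get("_dmarc." + from_domain, {}).get("TXT", [""])[0]
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return {"result": "none", "disposition": "none"}
    spf = spf_check(client_ip, mail_from_domain)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    passed = spf_ok or dkim_ok
    return {"result": "pass" if passed else "fail", "spf": spf,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else tags.get("p", "none")}


def scenario_direct():
    # The author's own MTA delivers directly: MAIL FROM is bsdly.net and the
    # author's signature is intact, so both SPF and DKIM align.
    return dmarc_evaluate("bsdly.net", "bsdly.net", "213.187.179.198",
                          [("bsdly.net", "pass")])


def scenario_via_list():
    # Relayed by the list: the list sets its own bounce address as MAIL FROM,
    # tags the Subject (breaking the author's signature) and signs as itself.
    # SPF passes for openbsd.org and one DKIM signature verifies, but neither
    # is aligned with bsdly.net, so the listing in bsdly.net's SPF never helps.
    return dmarc_evaluate("bsdly.net", "openbsd.org", "192.43.244.163",
                          [("bsdly.net", "fail"), ("openbsd.org", "pass")])


def scenario_via_list_unmodified():
    # A list that leaves the signed headers and body untouched: the author's
    # signature still verifies and is aligned, so DMARC passes even though it
    # is not the most recently added signature.
    return dmarc_evaluate("bsdly.net", "openbsd.org", "192.43.244.163",
                          [("bsdly.net", "pass"), ("openbsd.org", "pass")])


if __name__ == "__main__":
    for name in ("scenario_direct", "scenario_via_list", "scenario_via_list_unmodified"):
        print(name, globals()[name]())
```

In `scenario_via_list` the SPF result for the list hop is `pass` and the list's own signature verifies, yet DMARC still fails with the policy's disposition: the SPF lookup the receiver performs is for the list's MAIL FROM domain, not for bsdly.net, so `a:lists.openbsd.org` in the bsdly.net record is never consulted for alignment. The only relayed copy that passes in this model is the one whose aligned author signature survives the list unmodified, which is why lists either avoid touching signed content or resort to the header rewriting the quoted FreeBSD message describes.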