Hello Sir,
On 2023-12-25 22:16, jrmu wrote:
Greetings,
I'm attempting to send email to m...@openbsd.org, and getting a lot of
DMARC failure reports. SPF, DKIM, and DMARC work fine for me when I am
not using a mailing list. My SPF TXT record is
For interacting with mailing lists, I use a domain with p=quarantine.
Active users should already have figured out that lists like misc@ are
not configured to support DMARC, and p=none is too easy to spoof for the
worst offenders, so even just a simple MUA filter can move the messages
out of the spam directory.
Just my opinion here, but in 2023, lists not supporting DMARC are
intentionally so. As you can see here with OpenSMTPD, the DKIM check
using my domain's key will pass, AFAICT because the message is left
largely unaltered and DMARC requires SPF OR DKIM authentication to pass
using header.from.
Not supporting DMARC keeps out people on any of the various freemail
providers from meaningfully participating in a list. I see similar at
daemonforums.org, which uses a yahoo.com FROM: address to send messages,
so anyone with a server respecting p=reject (e.g., all freemail
providers) will never receive any of their messages, including forum
signups, which I believe to be an intentional technical filtering of
users.
"v=spf1 a mx ip4:198.251.82.194 -all"
and my DMARC record is
"v=DMARC1;p=none;pct=0;fo=1;rua=mailto:postmas...@ircnow.org;ruf=mailto:postmas...@ircnow.org";
However, I sent two emails in the last 10 days, and received 20 failed
DMARC reports. I am not sure if these two emails were received:
https://marc.info/?l=openbsd-misc&m=170354063924689&w=2
https://marc.info/?l=openbsd-misc&m=170274207904871&w=2
As of today, I adjusted the DMARC record from p=quarantine to p=none,
with hopes that fewer emails would get rejected.
For p=quarantine, the messages should be sent to spam directories as
opposed to p=reject, which most servers are configured to not send to
the user account and in my experience is silently discarded.
I'm not sure if 1) these failed DMARC reports are normal for mailing
lists, and 2) if there's anything else I can do to reduce the failure
rate.
Below is a sample fastmail DMARC report:
<?xml version="1.0"?>
<feedback>
<version>1.0</version>
<report_metadata>
<org_name>Fastmail Pty Ltd</org_name>
<email>repo...@fastmaildmarc.com</email>
<extra_contact_info>https://fastmail.com/</extra_contact_info>
<report_id>1054835552</report_id>
<date_range>
<begin>1703462400</begin>
<end>1703548799</end>
</date_range>
</report_metadata>
<policy_published>
<domain>ircnow.org</domain>
<p>none</p>
<sp>none</sp>
<pct>0</pct>
<fo>0</fo>
</policy_published>
<record>
<row>
<source_ip>199.185.178.25</source_ip>
<count>101</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>trusted_forwarder</type>
<comment>Policy ignored due to local white
list</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>openbsd.org</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>openbsd.org</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>148.251.123.12</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>trusted_forwarder</type>
<comment>Policy ignored due to local white
list</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>openbsd.org</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>openbsd.org</domain>
<scope>mfrom</scope>
<result>softfail</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>173.228.157.40</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>bounce2.pobox.com</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>bounce2.pobox.com</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>216.40.44.19</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>mailing_list</type>
<comment>Policy ignored due to local mailing
list policy</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>bullock.net</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>bullock.net</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>71.178.205.76</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>trusted_forwarder</type>
<comment>Policy ignored due to local white
list</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>openbsd.org</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>openbsd.org</domain>
<scope>mfrom</scope>
<result>softfail</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>209.85.218.51</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>gmail.com</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>fail</result>
<human_result>fail (body has been
altered)</human_result>
</dkim>
<spf>
<domain>gmail.com</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>46.105.48.137</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>mailing_list</type>
<comment>Policy ignored due to local mailing
list policy</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>openbsd.org</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>openbsd.org</domain>
<scope>mfrom</scope>
<result>softfail</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>209.85.222.171</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>gmail.com</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>fail</result>
<human_result>fail (body has been
altered)</human_result>
</dkim>
<spf>
<domain>gmail.com</domain>
<scope>mfrom</scope>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>195.140.195.198</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>mailing_list</type>
<comment>Policy ignored due to local mailing
list policy</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<envelope_from>openbsd.org</envelope_from>
<header_from>ircnow.org</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>openbsd.org</domain>
<selector>selector1</selector>
<result>pass</result>
<human_result>pass</human_result>
</dkim>
<spf>
<domain>openbsd.org</domain>
<scope>mfrom</scope>
<result>softfail</result>
</spf>
</auth_results>
</record>
</feedback>
Thank you,
Paul
