On Wed, 30 May 2018 11:45:12 -0600 Grant Taylor wrote: > On 05/30/2018 09:34 AM, Grant Taylor wrote: > > Now to see what sort of DMARC notifications (if any) I get for this > > reply. > > I have received four DMARC auth-failure notifications (thus far) in > response to my message to the SpamAssassin Users mailing list. > > It looks like the reports are indicating that they consider the > message to have failed DMARC alignment tests because the From: header > had my domain name in a message did not originating from my servers. > > Independent SPF and DKIM tests did pass. The failure seems to be a > result of how DMARC amalgamates the two with published policies.
SPF passes on the rewritten envelope address, so it's not aligned and it's just a matter of whether there's an aligned dkim pass. It passes dmarc at gmail, so presumably the problem is with the service that sent the notices. The important thing is to not sign the list* headers in dkim.
