On Wed 03/Dec/2025 04:04:17 +0100 tale via bind-users wrote:
On Tue, Dec 2, 2025 at 5:26 AM Dan Mahoney <[email protected]> wrote:
Your DMARC TXT record is:
_dmarc.jcea.es.         7200    IN      TXT     "v=DMARC1; p=none; sp=none; 
rua=mailto:[email protected]; ruf=mailto:[email protected]";

Your "strict" configuration tells users who are checking DMARC to do nothing in 
the event of a DMARC fail (p=none), so if you are getting failures, those users are not 
properly following the instructions that you have put in your DNS.
...
We also ARC seal the traffic going through our mailing lists, which is supposed 
to deal with precisely this unique problem that the original DMARC/DKIM 
implementors kind of ignored.

[...]

The situation was roughly the same as the above; p=none and a mailing
list that had isc.org subscribers. Since my DMARC policy was none,
the From was not being rewritten by the list software.  So yeah, there
was an inconsistency in that the list server's IP wasn't covered by my
SPF -- correctly dubbed an authentication failure.  However, messages
I sent to the list went through fine because of p=none, and even got
replies from ISC subscribers so it didn't seem like a failure.


Indeed, it's not a failure. Rewriting the From: header is an ugly hack that should be avoided whenever possible.

Yet, something is strange in ISC's DKIM and ARC:

Having 3 ARC sets is pretty redundant. ARC's idea is to have one set per transfer service.

Jesus's message only had the original d=jcea.es signature. Shouldn't ISC sign anyway?

Dan's message had three ISC signatures; only the last one verifies.

Tale's message had two signatures, the original by Google and the following abnormal thing:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;
        t=1764731192; i=@i; bh=kGPsMv2dhM4HNZFQsedYJuvYfdPMg/XSEgqUbJ5rQRo=;
        h=References:In-Reply-To:Date:Subject:To:Cc:List-Id:
         List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
         From:Reply-To;
        b=qe7qv7C64S/6+jnJ1LeC37SFH0Uu2zeBuGt2oo1Sn0tNxJozMioEsiAwr08UYZWK+
         VE7USpyVzK3aPTTVcqEqOIEcGigMYYKUmm0j3VePMWaUSwj0AWbsLJ7aSVPOn5rNm8
         bLExyiLeyxF58HqzJpnuRNGKMkiR8P8PeK4BGAmNn4ytleMCHFQzrfC9UslTCw566O
         4NjudcdPpzu/QVo42WOu3yDdk2jQdsU9cWcpo56CeuBPwtzAoU34ItDSEfm7aqkmc/
         bRt9ptg3WYsEhNyHc27anjn+2flopfk5+PuxTOvyf9FH2GDvl7+e0jFsTz4LVajJ9c
         mkNpnP4eKOrDA==

It looks like something ate the "sc.org" from the d= tag.


MOST IMPORTANTLY: this message is NOT by Tale. Since Salesforce has p=reject, this message should have been rejected by the MX!!


Best
Ale
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
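
A structural check that flags the d=i signature quoted in the message above, as an added example (not part of the original message and not ISC's tooling): it parses the tag list and applies RFC 6376's rules that d= is a domain name of at least two labels and that the i= domain lies within d=. The sample is the quoted header with bh=, b= and part of h= replaced by placeholders; the function names are hypothetical.

```python
import re

# Constructed sample: the header quoted above with bh=, b= and part of h=
# replaced by placeholders (the structural check does not need them).
SAMPLE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;\r\n"
    "        t=1764731192; i=@i; bh=PLACEHOLDER=;\r\n"
    "        h=References:In-Reply-To:Date:Subject:To:Cc:List-Id:\r\n"
    "         From:Reply-To;\r\n"
    "        b=PLACEHOLDER=="
)
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant here.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def is_multilabel_domain(domain):
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def check_signature(value):
    """Return structural problems found in the tags; [] means none."""
    tags, problems = parse_tags(value), []
    for required in ("v", "a", "b", "bh", "d", "h", "s"):
        if required not in tags:
            problems.append(f"missing required tag {required}=")
    d = tags.get("d", "").lower()
    if d and not is_multilabel_domain(d):
        # RFC 6376 ABNF: domain-name = sub-domain 1*("." sub-domain)
        problems.append(f"d={d} is not a multi-label domain name")
    if d and "i" in tags:
        # RFC 6376: the domain part of i= must equal d= or be a subdomain.
        i_dom = tags["i"].rpartition("@")[2].lower()
        if i_dom != d and not i_dom.endswith("." + d):
            problems.append(f"i= domain {i_dom} is not within d={d}")
    if "from" not in tags.get("h", "").lower().split(":"):
        problems.append("h= does not cover From")
    return problems
```

Running such a check on outbound mail before it leaves the signer catches a truncated d= without needing a DNS lookup or the signature data.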
