On Sun 21/Dec/2025 20:22:56 +0100 tale via bind-users wrote:
On Wed 03/Dec/2025 04:04:17 +0100 tale via bind-users wrote:
On Tue, Dec 2, 2025 at 5:26 AM Dan Mahoney <[email protected]> wrote:
Your DMARC TXT record is:
_dmarc.jcea.es.         7200    IN      TXT     "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]";

Your "strict" configuration tells users who are checking DMARC to do nothing in the event of a DMARC fail (p=none), so if you are getting failures, those users are not properly following the instructions that you have put in your DNS.
...
We also ARC seal the traffic going through our mailing lists, which is supposed to deal with precisely this unique problem that the original DMARC/DKIM implementors kind of ignored.

[...]

The situation was roughly the same as the above; p=none and a mailing
list that had isc.org subscribers.   Since my DMARC policy was none,
the From was not being rewritten by the list software.  So yeah, there
was an inconsistency in that the list server's IP wasn't covered by my
SPF -- correctly dubbed an authentication failure.  However, messages
I sent to the list went through fine because of p=none, and even got
replies from ISC subscribers so it didn't seem like a failure.


Indeed, it's not a failure.  Rewriting the From: header is an ugly hack that should be avoided whenever possible.

Yet, something is strange in ISC's DKIM and ARC:

Having 3 ARC sets is pretty redundant.  ARC's idea is to have one set per transfer service.

Jesus's message only had the original d=jcea.es signature.  Shouldn't ISC sign anyway?

Dan's message had three ISC signatures, only the last one verifies.

Tale's message had two signatures, the original by Google and the following abnormal thing:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;
     t=1764731192; i=@i; bh=kGPsMv2dhM4HNZFQsedYJuvYfdPMg/XSEgqUbJ5rQRo=;
     h=References:In-Reply-To:Date:Subject:To:Cc:List-Id:
      List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
      From:Reply-To;
     b=qe7qv7C64S/6+jnJ1LeC37SFH0Uu2zeBuGt2oo1Sn0tNxJozMioEsiAwr08UYZWK+
      VE7USpyVzK3aPTTVcqEqOIEcGigMYYKUmm0j3VePMWaUSwj0AWbsLJ7aSVPOn5rNm8
      bLExyiLeyxF58HqzJpnuRNGKMkiR8P8PeK4BGAmNn4ytleMCHFQzrfC9UslTCw566O
      4NjudcdPpzu/QVo42WOu3yDdk2jQdsU9cWcpo56CeuBPwtzAoU34ItDSEfm7aqkmc/
      bRt9ptg3WYsEhNyHc27anjn+2flopfk5+PuxTOvyf9FH2GDvl7+e0jFsTz4LVajJ9c
      mkNpnP4eKOrDA==

It looks like something ate the "sc.org" from the d= tag.


And again, the message I'm replying to had:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;
        t=1766344992; i=@i; bh=YFetgK5oZNah/qXdulHUQFZb3W8dFq54nCGNl8Q0uxQ=;
        h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
         List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To;
        b=Qv3oGo5lzbm8tufMiTuwiUhk+8HVR25ntThA6EES+IfZ+TZxLy3YwwJy3UhjdDtGZ
         cO6H1lfwj8nFiqkCTN+ejRvtAKfwAq9kkgrPbqJHtNsEgVEC73qSKJGFuz08dQ3UHn
         zZqrdYM6Rya3+5hJN6JZ/27LcMafCJFVk6loML4vlSyHjMGvgNRZuYszZRCHppTeSX
         jX5KIYzUj5zSBe0U97AEO+heOtdVVfoAILQ0rlEL87XLFrmtNiQrxSzbwZW3ep48jO
         cROIwsS691hB5oJk27AKk2Ea7JTHnLA8aUO7DS2hwsQxP4e6PINQnFLHh/fQddKTZ/
         swE2eGbgjIHXQ==


MOST IMPORTANTLY: this message is NOT by Tale.  Since Salesforce has p=reject, this message should have been rejected by the MX!!


Please, having all the bad of DMARC and none of the good is nonsensical.


Best
Ale
--





--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list.
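
A structural sanity check for the DKIM-Signature header quoted in the message above, as an added example that is not part of the original message and not ISC's code: it parses the tags and flags a d= or i= value that cannot be a domain name, which is the case for d=i and i=@i. The function names are hypothetical, the sample header carries placeholder bh= and b= values, and the "repaired" variant assumes the intended domain was isc.org, as the message guesses; no DNS lookup or signature verification is performed.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_tags(value):
    """Unfold a DKIM-Signature header value and split it into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # first "=" only: base64 may end in "="
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def is_domain(name):
    """RFC 6376 domain-name: at least two dot-separated labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def sanity_check(value):
    """Return a list of structural problems; an empty list means none found."""
    tags, problems = parse_tags(value), []
    for req in ("v", "a", "b", "bh", "d", "h", "s"):
        if req not in tags:
            problems.append(f"missing required tag {req}=")
    d = tags.get("d", "").lower()
    if "d" in tags and not is_domain(d):
        problems.append(f"d={d} is not a multi-label domain name")
    if "i" in tags:
        i_dom = tags["i"].rpartition("@")[2].lower()
        if i_dom != d and not i_dom.endswith("." + d):
            problems.append(f"i= domain {i_dom} is not d= or a subdomain of it")
        elif not is_domain(i_dom):
            problems.append(f"i= domain {i_dom} is not a multi-label domain name")
    covered = [f.strip().lower() for f in tags.get("h", "").split(":")]
    if "from" not in covered:
        problems.append("h= does not cover the From header")
    return problems

# Constructed sample: d=, s=, t= and i= as quoted in the message above;
# h= is shortened, bh= and b= are placeholders.
BROKEN = ("v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;\n"
          "     t=1764731192; i=@i; bh=PLACEHOLDER=;\n"
          "     h=Date:Subject:To:List-Id:\n      From:Reply-To;\n"
          "     b=PLACEHOLDER==")
# Assumption: the signer meant isc.org, as the message guesses.
REPAIRED = BROKEN.replace("d=i;", "d=isc.org;").replace("i=@i;", "i=@isc.org;")

if __name__ == "__main__":
    for name, hdr in (("broken", BROKEN), ("repaired", REPAIRED)):
        print(name, sanity_check(hdr) or "no structural problems")
```

A signer or a receiving filter can run such a check before the cryptographic step: a single-label d= can never yield a usable selector lookup under `<s>._domainkey.<d>`, so the signature is dead on arrival.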
