Hello Marcel, Thank you for bringing this to the attention of the Debian team.
After reviewing the headers and DNS records, I was able to confirm the same behavior on my side. The messages distributed through lists.debian.org appear to be legitimate and are properly routed through the official Debian mailing list infrastructure, as confirmed by the List-Id, Received headers, and the message archive. However, it also appears that there are currently no publicly visible SPF and DMARC DNS records for debian.org / lists.debian.org, and some messages signed with the DKIM selector smtpauto.stravinsky may fail validation on certain receivers. For security advisories, the authenticity of the message can still be verified through: - the official Debian mailing list archive - the Debian security tracker / LTS advisory pages - the included PGP signature - the X-Debian-Message: Signature check passed for Debian member header So while the notification email itself is legitimate, final verification should ideally be done against the official Debian web archive and advisory pages. Kind regards, El jue, 16 abr 2026 a las 10:08, Pirate Praveen (<[email protected]>) escribió: > > > On 4/15/26 1:12 PM, Bastian Blank wrote: > > On Wed, Apr 15, 2026 at 08:10:16AM +0200, Marcel Menzel wrote: > >> It seems that lists.debian.org has some problems (at least on my side) > for > >> SPF and DKIM validation, which leads to failing DMARC causing mails > being > >> inserted into the Junk folder: > > > > Nothing fails. debian.org have neither SPF nor DMARC records. > > > > You can check that yourself with: > > > > | dig debian.org txt > > | dig _dmarc.debian.org txt > > > > Bastian > > > > We do publish a DKIM record, but our lists apparently broke it when > forwarding the original mail. Adding a prefix to the subject or > modifying a protected header would break dmarc. > > $ dig +short smtpauto.stravinsky._domainkey.debian.org txt > "v=DKIM1; k=rsa; s=email; h=sha256; p=" > "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwi8LqBb0lIBri5MJwFq8" > "lak6adGPCq/kpLTarDdSdlfOekhpAnwVf9cD37ii9u4bLfVkuIzg3eIm4HmHKoUC" > "vqc24CZkggi5+D8TyhS0TnlXAZNQgFGtE9X6ZZTban34a/iqVU1PNjxXPLIEW+e5" > "D3NJn1ah+3ILFDw7vXIXjZSierXl5onMY/lgN3DidLYBmw0+BNVKI4mnByczmhh6" > "5kF+DLsv8N0Jtb5YOcRle3SuuK6dp1N4dyosd0CHnjuytpZ81F97FBfMKpmHYJEc" > "eA+/1Rxykhl7x+khw2V5UKK7o30af7QJgMS+ZO/XJSl6Sw1yerxixvX9kAnjZppt" > "RwIDAQAB" >
