Quoting Daniel Abrecht (d...@danielabrecht.ch):

> I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the
> bounced mails, probably because I forgot a DMARC DNS entry for the
> report receiving mail address. I have changed my DMARC policy from
> reject to quarantine for now.

It would be excellent if you could provide any DMARC reports you get to the Dng listadmins. Thank you.

Your point is well taken that DMARC and mailing lists can coexist (I've always concurred with that). It's just difficult, and creates adverse consequences.

(As background for this, it's useful to know that DMARC is a composite and extension of SPF and DKIM.)

As part of the process, the domain's outgoing mail gets certain headers and body text cryptographically signed and attested to (the DKIM = DomainKeys Identified Mail part of the standard). For such mail to successfully transit a mailing list without breaking validation, the signed text and headers must be completely unchanged. This is a very difficult constraint for MLM software to meet, as occasionally something gets inserted or changed in a header or elsewhere during normal MLM processing, and in particular the To: header by design is supposed to be set upon posting retransmission to the address of each subscriber.

To the best of my recollection (and I'm presently busy and cannot double-check all of this), some subset of the full SMTP headers are included in the DKIM attestation. I can't remember which, nor whether the DKIM-issuing operator can decide which. I vaguely recall that the extra headers MLMs intentionally add, the MLM footer, the MLM modification to the Subject header (like adding [DNG]), and more are all somewhat problematic for DKIM validation.

There are a maddeningly large and diverse number of ways to deal with the problem, and one can spend a lot of time reading about it.
E.g.:
https://dmarc.org/supplemental/mailman-project-mlm-dmarc-reqs.html
http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F

Just a point:

> I use DMARC and believe it to be necessary because it allows me to:
> 1) Make sure nobody can use my E-Mail address to impersonate me or send
> spam

SPF alone _can_ do exactly that without also needing DKIM/DMARC. (So, sufficient is correct, but necessary is not quite correct.)

> 2) I will be notified if anyone attempts to do so

SPF alone can prevent it from being possible, hence you don't need to be notified. (This of course assumes that receiving domains check SPF for received mail. Not all do, but more do than check DMARC.)

> 3) The recipient can check if the message content was changed

gpg signing alone can do that. If your SMTP message content is being changed, though, you actually have a lot bigger problems.

> 1) Provide an SPF record. This mailing list doesn't seem to have one

The mailing list isn't an originator. It's the originating domains that ought (to the extent they wish to do so) to have SPF records.

> 2) Don't change anything from the message below the DKIM headers, add
> the other headers before the DKIM signature instead.

To the best of my recollection (I could be misremembering), this is easier said than done.

Anyway, thank you for your substantive help to the Devuan Project.

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
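
Added example, not part of the original message: a Python sketch that reads the `h=` and `bh=` tags of a DKIM-Signature header (RFC 6376, relaxed canonicalization) and reports which signed inputs a list relay changed. It does not verify the RSA signature itself; the addresses, selector, headers and bodies are constructed sample data, and `broken_by_relay` is a hypothetical helper name.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse whitespace runs, strip line ends and trailing empty lines."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer places in bh= when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def relaxed_header(value: str) -> str:
    """Relaxed header canonicalization of a field value (unfold, collapse whitespace)."""
    return re.sub(r"\s+", " ", value).strip()

def broken_by_relay(sig_value, orig_headers, relayed_headers, relayed_body):
    """Return the signed inputs (body or header names) that differ after relaying."""
    tags = parse_tags(sig_value)
    broken = []
    if body_hash(relayed_body) != tags["bh"]:
        broken.append("body")
    for name in tags["h"].lower().split(":"):  # only headers listed in h= are signed
        if relaxed_header(orig_headers.get(name, "")) != relaxed_header(relayed_headers.get(name, "")):
            broken.append(name)
    return broken

# Constructed sample message and the list's typical changes (subject tag, footer, List-Id).
ORIG_HEADERS = {"from": "alice@example.org", "to": "dng@lists.example.net",
                "subject": "init freedom", "date": "Mon, 01 Jan 2018 10:00:00 +0000"}
ORIG_BODY = b"Hello list,\r\n\r\nSPF or DMARC?\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;"
       " h=From:To:Subject:Date; bh=" + body_hash(ORIG_BODY) + "; b=CONSTRUCTED")
RELAYED_HEADERS = dict(ORIG_HEADERS, subject="[DNG] init freedom",
                       **{"list-id": "<dng.lists.example.net>"})
RELAYED_BODY = ORIG_BODY + b"_______________\r\nDng mailing list\r\n"

if __name__ == "__main__":
    print(broken_by_relay(SIG, ORIG_HEADERS, RELAYED_HEADERS, RELAYED_BODY))
```

In this sample the added List-Id header is not named in `h=`, so it leaves the signed inputs untouched, while the subject tag and the footer both change them.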