On 4/27/14, 1:34 PM, Mark Sapiro wrote: > On 04/27/2014 10:16 AM, Lindsay Haisley wrote: >> My understanding is that DMARC alignment depends on both SPF and DKIM >> and that if a test using either protocol passes, then a DMARC will pass. >> This is probably an oversimplification, but I'm exploring the idea of >> whether it might be possible to interpose a milter using OpenDKIM >> (perhaps zdkimfilter) between Mailman and the outgoing SMTP server >> (courier-MTA) so that outgoing list posts are appropriately signed. > > This doesn't help. The whole idea behind DMARC is the message must pass > either SPF or DKIM with a domain that 'aligns' with the domain of the > address in the From: header. > > You can't DKIM sign for the yahoo.com or aol.com or whatever.com domain > because you don't know their private keys. You can only DKIM sign for > your own domain which won't 'align' with the From: domain. > One question I have had over how this works is why SPF is added to the mix. If the message passes SPF, then it has come directly from a server that is supposedly controlled by the sending provider. Said server should have been able to DKIM sign the message, so you should never see a message that passes SPF but fails DKIM.
Was that option just put in to allow an organization to just implement SPF (and ignore DKIM), but change SPF to require the alignment to From: ? -- Richard Damon ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
