On 5/25/25 11:57 AM, John Levine via NANOG wrote:
It appears that Michael Thomas via NANOG <nanog@lists.nanog.org> said:
There is no requirement that a mailing list honor or even care about
DMARC. That's true of all of this: it's purely informational to the
receiver to use as they will (or not). Expecting mailing lists to do
anything in particular is a mistake.

So mailing list software today typically checks the originating domain's
DMARC configuration.  If that has a policy other than "none" (which says
to deliver email even if it fails both SPF and DKIM), it will send the
email "From:" the list, and not the originator.  The email then nicely
passes the mailing list's own SPF, of course.  Additionally, the mail
server sending it out from the list software will normally DKIM sign the
outgoing email, so it ends up properly authenticating as coming from the
mailing list software.

It would be nice if this were more uniformly true, but alas I don't
think you can really count on it. Even IETF mailing lists don't re-sign
(somebody has claimed this is a bug, but it's been a bug for a very long
time, from what I can tell).

Really, it was a bug. A bunch of stuff broke when we moved to the new
mail server earlier this year, and it's fixed now. (I checked.) The
DMARC rewrite stuff that I added broke at the same time, haven't
checked whether it's back yet.

AFAICT, it's still a bug. But the larger point is that, bug or no, there seems to be no urgency to fix it, which doesn't bode well for other mailing list software to be upgraded in the wild any time soon. The incentives of senders and mailing list operators are not very well aligned.

Mike

_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/G53CPJ5OOPSLFF44O6UDQITZMLKH5JWR/
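
The From: rewriting described in the quoted paragraph above (check the author domain's DMARC policy, and send as the list when it is anything other than "none"), as an added example that is not from the thread or from any list software. It assumes the DMARC TXT record has already been fetched and is passed in as a string; the function names, the "via" display name, the Reply-To handling and all addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def dmarc_policy(txt_record):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = []
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags.append((key.strip().lower(), value.strip()))
    # RFC 7489: the record must begin with the tag v=DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags).get("p", "").lower() or None


def rewrite_for_list(msg, author_dmarc_txt, list_addr, list_name):
    """Rewrite From: to the list when the author's policy is not "none".

    Returns True if the header was rewritten. The "via" display name and
    the Reply-To are assumptions of this sketch, not taken from the thread.
    """
    policy = dmarc_policy(author_dmarc_txt or "")
    if policy in (None, "none"):
        return False  # no record or p=none: leave the author's From: alone
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:
        msg["Reply-To"] = addr  # keep a route back to the original author
    return True


def sample_message(from_header):
    """Constructed sample post; all addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["Subject"] = "constructed test post"
    msg.set_content("hello list")
    return msg


if __name__ == "__main__":
    m = sample_message("Alice Example <alice@strict.example>")
    print(rewrite_for_list(m, "v=DMARC1; p=reject", "list@lists.example", "Example List"))
    print(m["From"], "|", m["Reply-To"])
```
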
