On 21/06/24 23:10, Matus UHLAR - fantomas via Postfix-users wrote:
Peter via Postfix-users wrote on 2024-06-21 08:45:
SPF/DKIM/DMARC Checklist for (IMO) the best chance of getting your mail to be accepted:

1.  HELO banner should pass SPF.

2.  Envelope Sender should pass SPF.

3.  Envelope Sender domain should align with the From: header domain.

4.  Message should be DKIM signed.

5.  Domain for the DKIM signature should align with the From: header domain.

Not all of the above are necessary (e.g. you can get away with SPF alignment only or DKIM alignment only) but the more of those boxes that you can successfully tick off the better chance you have for your message to be accepted when things go wrong, or when a destination doesn't implement one of the above checks properly.

On 21.06.24 09:02, Benny Pedersen via Postfix-users wrote:
3 would not be possible when recipient forwards to another mta,
>
Correct. The 3. does not apply. That should instead be
"only use SPF for DMARC if envelope from: is the same as header From:"

It is possible if the envelope sender is rewritten (e.g. with SRS). That said forwarding is an edge case that this does not cover. To cover all the edge cases would make this list needlessly complex.

basically why maillist all breaks dkim,

Only if they change signed headers or body of the e-mail.  Otherwise the DKIM still validates, and thus does DMARC.

This applies for forwarding through mailing lists, automatic forwarding in
mailboxes and manual forwarding by mutt's "b"ounce or mozilla "mail
redirect" extension.

Right, although there are edge cases where DKIM won't be able to verify, largely having to do with misconfiguration on the sender or recipient side, or if the message simply isn't DKIM signed to begin with. If that happens then you must rely on SPF in order to pass DMARC.

some say spf breaks mailforwards, nothing could be more fails, since
nexthop gives new envelope sender, which will not align with header from:

Correct, note that this requires implementing SRS on the forwarding machine.

SPF does break when you forward, which is why workarounds such as SRS are needed to fix it.

The checklist I gave earlier is general guidance, and not meant to cover the myriad of exceptions and edge-cases that can happen.


Peter
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
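
The alignment checks from the checklist (items 2 to 5) applied to the forwarding and mailing-list cases discussed in this thread, as an added example that is not part of any participant's message. The names `Delivery`, `dmarc` and `SCENARIOS` are hypothetical, all domains are constructed placeholders, and the organizational domain is assumed to be the last two labels (a real evaluator uses the Public Suffix List).

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str, strict: bool = False) -> bool:
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

@dataclass
class Delivery:
    header_from: str        # domain in the From: header
    envelope_from: str      # envelope sender domain as seen by the receiver
    spf_pass: bool          # SPF result for envelope_from at the receiving hop
    dkim_d: Optional[str]   # d= of the DKIM signature, None if unsigned
    dkim_valid: bool        # signature still verifies at the receiver

def dmarc(d: Delivery, strict: bool = False) -> dict:
    spf_ok = d.spf_pass and aligned(d.envelope_from, d.header_from, strict)
    dkim_ok = (d.dkim_d is not None and d.dkim_valid
               and aligned(d.dkim_d, d.header_from, strict))
    # DMARC passes when either mechanism both passes and aligns with From:.
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed scenarios; every domain below is a placeholder.
SCENARIOS = {
    # Sent straight from the origin: SPF and DKIM both pass and align.
    "direct": Delivery("example.org", "bounce.example.org", True, "example.org", True),
    # Forwarder keeps the envelope sender: SPF fails, intact DKIM carries DMARC.
    "forward, no SRS": Delivery("example.org", "bounce.example.org", False, "example.org", True),
    # SRS rewrites the envelope sender to the forwarder's domain: SPF passes
    # for that domain but no longer aligns with From:.
    "forward, SRS": Delivery("example.org", "fwd.example.net", True, "example.org", True),
    "forward, SRS, unsigned": Delivery("example.org", "fwd.example.net", True, None, False),
    # List changes signed content and uses its own envelope sender.
    "list rewrites body": Delivery("example.org", "list.example.net", True, "example.org", False),
}

if __name__ == "__main__":
    for name, d in SCENARIOS.items():
        print(f"{name:24} {dmarc(d)}")
```
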
