On 2017 Feb 12, 03:13, Sebastian Nielsen wrote: > Theres no relay between me and postfix. And this is the report: > > Feedback-Type: auth-failure > Version: 1 > User-Agent: OpenDMARC-Filter/1.3.2 > Auth-Failure: dmarc > Authentication-Results: mx01.nausch.org; dmarc=fail header.from=sebbe.eu > Original-Envelope-Id: 68ED4C00088 > Original-Mail-From: [email protected] > Source-IP: 168.100.1.3 (camomile.cloud9.net) > Reported-Domain: sebbe.eu > > ----- > And original mail: > ----- > Authentication-Results: mx1.nausch.org; > dkim=pass (1024-bit key) header.d=sebbe.eu [email protected] > header.b="AnBtXcH6" > Authentication-Results: mx01.nausch.org; spf=none > smtp.mailfrom=<[email protected]> smtp.helo=camomile.cloud9.net > Received: by camomile.cloud9.net (Postfix) > id 7474A336498; Sat, 11 Feb 2017 20:55:58 -0500 (EST) > Delivered-To: [email protected] (...snip...) > > > As you see, its not going through even if dkim = pass. > I think DKIM on postfix list server would solve that.
That's weird, if the DKIM mechanism passes, then DMARC should pass too, provided the email address in the Header-From is aligned with the DKIM signature which passed.. In your headers, we see that DKIM passes OK when you received you own post to the list. And then this is your DMARC record: $ host -t txt _dmarc.sebbe.eu _dmarc.sebbe.eu descriptive text "v=DMARC1\; p=reject\; sp=reject\; ri=604800\; rf=afrf\; aspf=s\; adkim=s\; rua=mailto:[email protected]\; ruf=mailto:[email protected]\; pct=100\; fo=1\;" See that non-default "fo=1" you have there? That's whay you are getting a DMARC result of fail: See RFC 7489, Section 6.3, page 18: "" fo: Failure reporting options (plain-text; OPTIONAL; default is "0") 0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned "pass" result. 1: Generate a DMARC failure report if any underlying authentication mechanism produced something other than an aligned "pass" result. "" Go with the DMARC default of "fo=0" and you should be fine. Also, you should NOT use p=reject in your DMARC record if you post to mailing lists, see RFC7960, Section 3.2.3.1: "" Mailing Lists may also have the following DMARC interoperability issues: Subscribed members may not receive email from members that post using domains that publish a DMARC "p=reject" policy. Mailing Lists may interpret DMARC-related email rejections as an inability to deliver email to the Recipients that are checking and enforcing DMARC policy. This processing may cause subscribers that are checking and enforcing DMARC policy to be inadvertently suspended or removed from the Mailing List. "" It all means: if you post to a mailing list with a DMARC policy of p=reject, you risk (A) not having your posts received by the other subscribers, and (B) accidentally causing OTHER subscribers to be unsubcribed from the list because they could start rejecting your posts at anytime based on your owun published DMARC policy, and the mailing software could wrongly assume the subscribed address of OTHER subscribers has become stale. So take action: 1. change "fo=1" to "fo=0". 2. remove "p=reject", or use a different subdomain/domain to post to mailing lists. Regards, -- Josh Good
