On Tue, 25 Jan 2022 11:59:38 +0100 Philippe Mathieu-Daudé via <qemu-devel@nongnu.org> wrote:
> I'm seeing the same issue with these domains since mid-December:
>
> ...
> - rev.ng
>
> ...
> https://lore.kernel.org/qemu-devel/20220105185720.0d4fc159@orange/
> ...

I've tried to look into this and it looks like our setup should be OK.

We enabled SPF (i.e., a rule stating that only our mailserver can send e-mail with our domain in "From:") and DKIM (i.e., our mailserver signs certain portions of the e-mail). We also enabled DMARC which coordinates the two.

Now, as far as I understand, mailing lists can either rewrite the "From" header (as qemu-devel does) or leave it as it is. In the latter situation, SPF will fail but DMARC should instruct MTAs to check DKIM, and that should pass.

https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F

DKIM signature can be corrupted in case the mailing list tampers with the subject or the body of the e-mail, but this doesn't seem to be the case: I've tried to manually verify the DKIM signature of the same e-mail that I got both from the mailing list and directly from the sender (I was in Cc), and they both verify correctly.

tl;dr I *think* rewriting the From header should not be necessary for our domain.

If you guys think this is not the case and there's something we can do to improve the situation (other than adding gmail.com to our SPF record), let me know.

-- 
Alessandro Di Federico
rev.ng Labs
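
The DMARC decision discussed in the message above, as an added example that is not part of the original e-mail: a small evaluator showing how a receiver combines SPF and DKIM results with alignment against the "From:" domain for a direct delivery and for three mailing-list behaviours. The domains `sender.example` and `list.example`, the `Delivery` type and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Delivery:
    header_from: str   # domain in the From: header, the one DMARC protects
    mail_from: str     # envelope sender domain, the one SPF checks
    spf_pass: bool     # SPF result for mail_from at the receiving MTA
    dkim: list = field(default_factory=list)  # (d= domain, signature verified) pairs

def dmarc(d: Delivery) -> dict:
    # DMARC passes if either mechanism passes AND is aligned with header_from.
    spf_ok = d.spf_pass and aligned(d.mail_from, d.header_from)
    dkim_ok = any(ok and aligned(dom, d.header_from) for dom, ok in d.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed scenarios: sender.example is the author's domain, list.example the list host.
SCENARIOS = {
    "direct delivery":
        Delivery("sender.example", "sender.example", True, [("sender.example", True)]),
    # The list's server is not authorised by sender.example, so only DKIM can align.
    "list relays message unmodified":
        Delivery("sender.example", "list.example", True, [("sender.example", True)]),
    # A subject tag or footer changes signed content, so the signature no longer verifies.
    "list edits subject or body":
        Delivery("sender.example", "list.example", True, [("sender.example", False)]),
    # From: now names the list, which authenticates the message itself.
    "list rewrites From":
        Delivery("list.example", "list.example", True,
                 [("sender.example", False), ("list.example", True)]),
}

def evaluate_all() -> dict:
    return {name: dmarc(d)["dmarc"] for name, d in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:32} DMARC {verdict}")
```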