Re: [mailop] Best practice for mailing list servers

2022-06-21 Thread Mark Fletcher via mailop
On Mon, Jun 20, 2022 at 11:47 AM Grant Taylor via mailop wrote:

> On 6/15/22 6:19 PM, Ángel via mailop wrote:
> > There is a fallback of connecting to the A record on port 25 if there
> > is no MX.
>
> When was the last time that anyone has seen the fall back to A record work?
>
Just did a quick check on one of our mail servers and within the last hour
we've sent email via an A record.

Mark
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Best practice for mailing list servers

2022-06-20 Thread John Levine via mailop
It appears that Grant Taylor via mailop  said:
>
>On 6/15/22 6:19 PM, Ángel via mailop wrote:
>> There is a fallback of connecting to the A record on port 25 if there 
>> is no MX.
>
>When was the last time that anyone has seen the fall back to A record work?

Today.  It works in Postfix and Exim, probably in every other widely used MTA.

I'm not saying it's a wonderful idea, but any MTA that doesn't do an A/
lookup if the MX fails is pretty broken.

R's,
John


Re: [mailop] Best practice for mailing list servers

2022-06-20 Thread Grant Taylor via mailop

On 6/15/22 6:19 PM, Ángel via mailop wrote:
> There is a fallback of connecting to the A record on port 25 if there
> is no MX.


When was the last time that anyone has seen the fall back to A record work?

I've not seen it work in many years.

Recent attempts to use it have also failed with the MSA rejecting the 
destination because of lack of MX.




--
Grant. . . .
unix || die





Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Ángel via mailop
On 2022-06-15 at 23:53 +0200, Axel Rau wrote:
> 
> 
> > On 15.06.2022 at 20:42, Ken O'Driscoll wrote:
> > 
> > This is incorrect. The return-path is the address used by the
> > receiving MTA to send bounce messages to when the recipient's 5322.From
> > is unreachable for whatever reason.
> 
> Yes. But the point was "do I need an MX to receive these bounce
> messages?"
> My listserver's return-path address is reachable all the time w/o MX
> and occasionally gets one.
> 
> Axel

There is a fallback of connecting to the A record on port 25 if there
is no MX. However, I would recommend including a proper MX record and
not relying on the "implicit MX rule" unless you have no other option.
An email address whose domain doesn't have an MX record is suspicious at
least. And obviously, add an SPF record to that domain as well.

Regards
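
Added example, not part of the original post or any poster's code: the target selection discussed above (MX first, A/AAAA fallback as "implicit MX", null MX), plus a check of a return-path domain for the issues raised in this thread. The zone data, domain names and finding labels are constructed for illustration.

```python
# Constructed zone data using reserved example names; not real DNS answers.
ZONE = {
    ("lists.example", "MX"): [(10, "mx1.lists.example"), (20, "mx2.lists.example")],
    ("lists.example", "TXT"): ["v=spf1 mx -all"],
    ("mlm.example", "A"): ["192.0.2.25"],               # host with A only, no MX
    ("bounce.example", "CNAME"): ["mlm-pair.example"],  # return-path name that is a CNAME
    ("mlm-pair.example", "A"): ["192.0.2.30", "192.0.2.31"],
    ("nomail.example", "MX"): [(0, ".")],               # null MX (RFC 7505)
    ("nomail.example", "A"): ["192.0.2.80"],
}


def lookup(name, rtype, zone=ZONE, depth=0):
    """Resolver-style lookup: a CNAME at `name` is followed for every other type."""
    name = name.lower().rstrip(".")
    if rtype != "CNAME" and (name, "CNAME") in zone:
        if depth >= 8:  # guard against CNAME loops
            return []
        return lookup(zone[(name, "CNAME")][0], rtype, zone, depth + 1)
    return zone.get((name, rtype), [])


def delivery_targets(domain, zone=ZONE):
    """Pick SMTP targets for `domain` the way RFC 5321 section 5.1 describes."""
    mx = sorted(lookup(domain, "MX", zone))
    if len(mx) == 1 and mx[0][1] == ".":
        return "null-mx", []                 # domain declares it accepts no mail
    if mx:
        return "mx", [host for _, host in mx]
    # Empty MX answer: the domain itself is treated as an implicit MX.
    # (A lookup *error* must not trigger this fallback; this dict model has no errors.)
    if lookup(domain, "A", zone) or lookup(domain, "AAAA", zone):
        return "implicit-mx", [domain.lower().rstrip(".")]
    return "undeliverable", []


def return_path_findings(domain, zone=ZONE):
    """Flag the return-path (5321.From) domain issues raised in the thread."""
    findings = []
    name = domain.lower().rstrip(".")
    if (name, "CNAME") in zone:
        # No MX or TXT can be published at a CNAME owner name; both are
        # answered from the CNAME target instead.
        findings.append("cname")
    how, _ = delivery_targets(domain, zone)
    if how == "implicit-mx":
        findings.append("implicit-mx")       # bounces depend on the A/AAAA fallback
    elif how in ("null-mx", "undeliverable"):
        findings.append("no-bounce-path")
    spf = [t for t in lookup(domain, "TXT", zone) if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        findings.append("no-spf")
    return findings


if __name__ == "__main__":
    for d in ("lists.example", "mlm.example", "bounce.example", "nomail.example"):
        print(d, delivery_targets(d), return_path_findings(d))
```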





Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Al Iverson via mailop
On Wed, Jun 15, 2022 at 4:22 PM John Levine via mailop
 wrote:
>
> It appears that Ken O'Driscoll via mailop  said:
> >Hi Slavo,
> >
> >p=none is not always harmless. Some message filters treat p=none differently 
> >to not having DMARC.

I've observed this as well.

> Really?  I'm not sure how much I care about recipient systems that are that 
> broken.

That's a choice, for sure. Like rewriting headers to ".invalid" as a
protest about DMARC and mailing lists. Your server, your rules, of
course.

My choice would be more about trying to keep the mail flowing.



Al Iverson / Deliverability blogging at www.spamresource.com
Subscribe to the weekly newsletter at wombatmail.com/sr.cgi
DNS Tools at xnnd.com / (312) 725-0130 / Chicago (Central Time)


Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Grant Taylor via mailop

On 6/15/22 3:53 PM, Axel Rau via mailop wrote:
> My listserver's return-path address is reachable all the time w/o MX and 
> occasionally gets one.


I'm curious how such DSNs come into your MLM.

It sounds like you're relying on hostname A /  fall back, something 
that I've found to be unreliable at best.


I'm trying to determine if I've had bad luck, or if such DSNs are using 
a different mechanism to find your MLM's MTA.




--
Grant. . . .
unix || die





Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Axel Rau via mailop


> On 15.06.2022 at 20:42, Ken O'Driscoll via mailop wrote:
> 
> This is incorrect. The return-path is the address used by the receiving MTA 
> to send bounce messages to when the recipient's 5322.From is unreachable for 
> whatever reason.
Yes. But the point was "do I need an MX to receive these bounce messages?"
My listserver's return-path address is reachable all the time w/o MX and 
occasionally gets one.

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread John Levine via mailop
It appears that Ken O'Driscoll via mailop  said:
>Hi Slavo,
>
>p=none is not always harmless. Some message filters treat p=none differently 
>to not having DMARC.

Really?  I'm not sure how much I care about recipient systems that are that 
broken.

R's,
John


Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Ken O'Driscoll via mailop
This is incorrect. The return-path is the address used by the receiving MTA to 
send bounce messages to when the recipient's 5322.From is unreachable for 
whatever reason.

So if your MLM sends a message to a non-existent address or there are some 
other delivery errors post-acceptance, then a bounce message will likely be 
sent to your 5321.from address, not the 5322.From.

Many mailbox providers do not reject during the SMTP conversation, but accept 
the message and generate a bounce later in their MTA chain. So it is important 
to monitor your 5321.from at all times.

This is true of all internet mail, not just MLM traffic.

Ken.


From: Axel Rau 
Sent: Wednesday, 15 June 2022, 19:18
To: Ken O'Driscoll 
Cc: mailop@mailop.org 
Subject: Re: [mailop] Best practice for mailing list servers



On 15.06.2022 at 19:43, Ken O'Driscoll <k...@wemonitoremail.com> wrote:

> If your return-path is a CNAME, then you'll have problems with bounce 
> processing too. Many MTAs will consider the return-path invalid when they can't 
> find an MX RR; as will many message filters.
Their behaviour is wrong. As we all know, MX is only needed if I send mail to a 
domain.
The MLM is a host and needs no MX.

> Return-path domains really need an MX record for mail to work properly.
Why?

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius




Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Axel Rau via mailop


> On 15.06.2022 at 19:43, Ken O'Driscoll wrote:
> 
> If your return-path is a CNAME, then you'll have problems with bounce 
> processing too. Many MTAs will consider the return-path invalid when they 
> can't find an MX RR; as will many message filters.
Their behaviour is wrong. As we all know, MX is only needed if I send mail to a 
domain.
The MLM is a host and needs no MX.
> 
> Return-path domains really need an MX record for mail to work properly.
Why? 

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Ken O'Driscoll via mailop
If your return-path is a CNAME, then you'll have problems with bounce 
processing too. Many MTAs will consider the return-path invalid when they can't 
find an MX RR; as will many message filters.

Return-path domains really need an MX record for mail to work properly.

Ken.


From: Axel Rau 
Sent: Wednesday, 15 June 2022, 16:36
To: Ken O'Driscoll 
Cc: mailop@mailop.org 
Subject: Re: [mailop] Best practice for mailing list servers



On 14.06.2022 at 18:51, Ken O'Driscoll via mailop <mailop@mailop.org> wrote:

> * Make sure that the list's 5321.From (return-path/envelope/MAILFROM) domain 
> has a valid and restrictive SPF
Domainpart of my return-path is a generic CNAME of a pair of MLMs
SPF requires a TXT RR which can’t coexist with a CNAME.

Too bad.
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius




Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Axel Rau via mailop


> On 14.06.2022 at 18:51, Ken O'Driscoll via mailop wrote:
> 
> * Make sure that the list's 5321.From (return-path/envelope/MAILFROM) domain 
> has a valid and restrictive SPF 
Domainpart of my return-path is a generic CNAME of a pair of MLMs
SPF requires a TXT RR which can’t coexist with a CNAME.

Too bad.
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Ken O'Driscoll via mailop
Hi Taavi,

It really depends on what you are trying to achieve.

Depending on canonicalisation and what headers are being signed, there is no 
guarantee that a sender's DKIM won't be broken by the MLM. SPF alignment is 
already going to be broken. Also, not every DMARC user, for their own 
convoluted reasons, DKIM signs their messages. So, there is no guarantee that 
DMARC (with an enforcing policy) will survive an MLM. Rewriting the 5322.From 
is the safest option.

By always double signing, the MLM builds its own sending reputation. Many 
message filters already can distinguish mailing list traffic, signing with the 
list's keypair helps that. A list needs to have its own sending reputation. 
Depending on the message volume of the list, this may even allow a member with 
poor sending reputation to have their list posts reach the inbox.

Most MLM operators want to give the messages the best possible chance of being 
delivered to inboxes. Double DKIM signing and rewriting the 5322.From of DMARC 
enforced messages achieve this goal.

The other option is to rewrite every 5322.From address, optionally strip the 
sender's DKIM, and sign with a MLM keypair. I don't advocate this approach, but 
it achieves similar at a UX cost for some/many list users.

Assuming that senders with DMARC enforcing policies know what they are doing, 
or even have control over their domain/MTA etc., is a high risk and high 
maintenance gamble for MLM operators.

Unless you are a large mailbox provider, or have an academic interest in it, I 
wouldn't recommend low-volume senders spend time with ARC until it's fully 
baked.

Ken.

> -Original Message-
> From: mailop  On Behalf Of Taavi Eomäe via
> mailop
> Sent: Wednesday 15 June 2022 10:04
> To: mailop@mailop.org
> Subject: Re: [mailop] Best practice for mailing list servers
> 
> Hi,
> 
> just wondering, wouldn't it be significantly better to only modify
> headers and double-sign when the original message's DKIM signature
> doesn't pass? Absolutely correct me if I'm mistaken, but this would keep
> DMARC (if it also exists) valid and detach the mailing lists' reputation
> from the message, probably making deliverability better. If the senders
> have a proper setup.
> 
> ARC on top of that would be a nice clear indication that it has been
> forwarded in some way and DKIM would say it's not lying. The rest of the
> letters' senders can be rewritten.
> 
> 
> Or are SPF (hard)fails too strong of a negative signal in most cases
> that these DKIM-signed messages wouldn't be accepted?
> 
> 
> 
> 
> Taavi
> 
> On 14/06/2022 19:51, Ken O'Driscoll via mailop wrote:
> > Hi Axel,
> >
> > I would suggest:
> >
> > * Make sure that the list's 5321.From (return-path/envelope/MAILFROM)
> >   domain has a valid and restrictive SPF
> > * DKIM sign all list messages with your own key
> > * Use different DKIM keypairs for each list
> > * Don’t modify the original message body (e.g., adding in a list
> >   footer etc.)
> > * If the sender's domain has DMARC with an enforcing policy
> >   (p=quarantine/reject) then rewrite the 5322.From to use the list's
> >   domain
> >
> > Not modifying the body of the message will give any original DKIM
> > message signature the best chance of preserving validity.
> >
> > Signing with your own DKIM key will create an additional reputation
> > data point for message filters, which will help over time.
> >
> > DMARC won't survive a MLM, so you have to rewrite the From to give the
> > message a chance of being received. Your own DKIM signature will still
> > be valid.
> >
> > Implementing ARC wouldn't hurt, but don't expect it to magically fix
> > anything. Your ARC set still needs to be trusted by message filters
> > which implement ARC and there is no centralised mechanism to facilitate
> > this yet. Larger providers may use ML to trust particular ARC header
> > sets but who knows.
> >
> > I wouldn't suggest that you implement DMARC on your list domain as it
> > won't help with deliverability and will just cause more issues. It's not
> > really designed for mailing lists.
> >
> > Ken.
> >
> >> -Original Message-
> >> From: mailop  On Behalf Of Axel Rau via
> >> mailop
> >> Sent: Tuesday 14 June 2022 16:51
> >> To: Paul Vixie via mailop 
> >> Subject: [mailop] Best practice for mailing list servers
> >>
> >> Hi all,
> >>
> >> I’m running a mailman3 site with several small mailing lists.
> >>
> >> Today Google let all mails without DKIM sig bounce.
> >> Other ESPs refuse my mails because of broken DKIM sig.
> >>
> >> Currently the listserver does not DKIM-sign nor remove DKIM-sigs.
> >>

Re: [mailop] Best practice for mailing list servers

2022-06-15 Thread Taavi Eomäe via mailop

Hi,

just wondering, wouldn't it be significantly better to only modify 
headers and double-sign when the original message's DKIM signature 
doesn't pass? Absolutely correct me if I'm mistaken, but this would keep 
DMARC (if it also exists) valid and detach the mailing lists' reputation 
from the message, probably making deliverability better. If the senders 
have a proper setup.


ARC on top of that would be a nice clear indication that it has been 
forwarded in some way and DKIM would say it's not lying. The rest of the 
letters' senders can be rewritten.



Or are SPF (hard)fails too strong of a negative signal in most cases 
that these DKIM-signed messages wouldn't be accepted?





Taavi

On 14/06/2022 19:51, Ken O'Driscoll via mailop wrote:

Hi Axel,

I would suggest:

* Make sure that the list's 5321.From (return-path/envelope/MAILFROM) domain 
has a valid and restrictive SPF
* DKIM sign all list messages with your own key
* Use different DKIM keypairs for each list
* Don’t modify the original message body (e.g., adding in a list footer etc.)
* If the sender's domain has DMARC with an enforcing policy 
(p=quarantine/reject) then rewrite the 5322.From to use the list's domain

Not modifying the body of the message will give any original DKIM message 
signature the best chance of preserving validity.

Signing with your own DKIM key will create an additional reputation data point 
for message filters, which will help over time.

DMARC won't survive a MLM, so you have to rewrite the From to give the message 
a chance of being received. Your own DKIM signature will still be valid.

Implementing ARC wouldn't hurt, but don't expect it to magically fix anything. 
Your ARC set still needs to be trusted by message filters which implement ARC 
and there is no centralised mechanism to facilitate this yet. Larger providers 
may use ML to trust particular ARC header sets but who knows.

I wouldn't suggest that you implement DMARC on your list domain as it won't 
help with deliverability and will just cause more issues. It's not really 
designed for mailing lists.

Ken.


-Original Message-
From: mailop  On Behalf Of Axel Rau via
mailop
Sent: Tuesday 14 June 2022 16:51
To: Paul Vixie via mailop 
Subject: [mailop] Best practice for mailing list servers

Hi all,

I’m running a mailman3 site with several small mailing lists.

Today Google let all mails without DKIM sig bounce.
Other ESPs refuse my mails because of broken DKIM sig.

Currently the listserver does not DKIM-sign nor remove DKIM-sigs.

It seems that mails with DKIM-sig (from the author domain, but broken
by the list server) are accepted by Google.

Should I adopt ARC?
Along with DMARC?

What is best practice in 2022?


Any help appreciated,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Alan Hodgson via mailop
On Tue, 2022-06-14 at 19:07 +0200, Slavko via mailop wrote:
> Hi,
> 
> On Tue, 14 Jun 2022 16:51:55 +, Ken O'Driscoll via mailop
> wrote:
> 
> > I wouldn't suggest that you implement DMARC on your list domain
> > as it
> > won't help with deliverability and will just cause more issues.
> > It's
> > not really designed for mailing lists.
> 
> Please, what issues will cause DMARC with policy None? Would not be
> better to suggest this instead of no DMARC?

You need to replace the From: address with your own address if you're
going to use any DMARC (or if the original sender uses DMARC).



Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Axel Rau via mailop
Hi Ken,

thanks for your advice.

> On 14.06.2022 at 18:51, Ken O'Driscoll wrote:

> * DKIM sign all list messages with your own key
Which headers should I sign?
> * Use different DKIM keypairs for each list
> * Don’t modify the original message body (e.g., adding in a list footer 
> etc.)
Done.
> * If the sender's domain has DMARC with an enforcing policy 
> (p=quarantine/reject) then rewrite the 5322.From to use the list's domain
I have to find out how to do this in exim.

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Ken O'Driscoll via mailop
Hi Matthew,

The point of using different keypairs for different lists is that some message 
filters use the DKIM signing domain as a data point when calculating sender 
reputation.

Ideally, you want to have the signing domain match the From domain. If the 
lists use different From domains, then I'd recommend different keypairs for 
that reason.

If it's all using the same domain then the same keypair across all lists is 
probably fine.

If you really want to get into the weeds, different keypairs can help you 
isolate and limit the reputational risk from DKIM replay attacks regardless 
of the same sending domain.

But, message volume also matters for building reputation and, there's no point 
in using separate keys for double digit per-list daily volumes. Combining under 
one key and one domain may also be a winning strategy in that case.

Ken.


From: mailop  on behalf of Matthew Richardson via 
mailop 
Sent: Tuesday, 14 June 2022, 19:30
To: mailop@mailop.org 
Subject: Re: [mailop] Best practice for mailing list servers

Ken O'Driscoll wrote:-

>* Use different DKIM keypairs for each list

Out of interest, why?

Are there any known issues with using the same keypair across multiple
lists, or indeed across multiple sending domains?

--
Best wishes,
Matthew


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Slavko via mailop
Hi,

On Tue, 14 Jun 2022 18:00:49 +, Ken O'Driscoll via mailop
wrote:

> p=none is not always harmless. Some message filters treat p=none
> differently to not having DMARC. For example, Alice periodically
> treats p=none as equivalent to p=reject. Or there is an ISP who junks
> mail from domains with an RUA pointing to a freemail account,
> regardless of the policy. They are perhaps, rare, and extreme cases
> but there are more than a few providers that don't implement DMARC
> correctly and don't send reports either - messages just don't reach
> the inbox.

Thanks, but if someone has (own) restricted rules, this cannot be a
reason for that to go into "best practices" at all, as this is a way to
"legitimize" them, which is IMO the wrong way.

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Matthew Richardson via mailop
Ken O'Driscoll wrote:-

>* Use different DKIM keypairs for each list

Out of interest, why?

Are there any known issues with using the same keypair across multiple
lists, or indeed across multiple sending domains?

--
Best wishes,
Matthew


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Ken O'Driscoll via mailop
Hi Slavo,

p=none is not always harmless. Some message filters treat p=none differently to 
not having DMARC. For example, Alice periodically treats p=none as equivalent 
to p=reject. Or there is an ISP who junks mail from domains with an RUA 
pointing to a freemail account, regardless of the policy. They are perhaps, 
rare, and extreme cases but there are more than a few providers that don't 
implement DMARC correctly and don't send reports either - messages just don't 
reach the inbox.

So, in this case, where I know absolutely zero about the poster's MLM audience 
etc., I recommend no DMARC record at all. It gives the best possible chance of 
the mailing list messages achieving inbox placement. Plus, most list operators 
don't have the time to be lecturing/mediating/pleading with ISPs who are 
blocking messages because they don't understand DMARC.

Of course, maybe the lists in question have a risk profile that would justify 
DMARC. If so, then it should be deployed fully, not just left lingering at 
p=none.

I do have a client where we implemented DMARC with p=reject on their lists. But 
they are not public lists, and the recipients belong to a very limited number 
of known domains.

Ken.

> -Original Message-
> From: mailop  On Behalf Of Slavko via mailop
> Sent: Tuesday 14 June 2022 18:08
> To: mailop@mailop.org
> Subject: Re: [mailop] Best practice for mailing list servers
> 
> Hi,
> 
> On Tue, 14 Jun 2022 16:51:55 +, Ken O'Driscoll via mailop
> wrote:
> 
> > I wouldn't suggest that you implement DMARC on your list domain as it
> > won't help with deliverability and will just cause more issues. It's
> > not really designed for mailing lists.
> 
> Please, what issues will cause DMARC with policy None? Would not be
> better to suggest this instead of no DMARC?
> 
> regards
> 
> --
> Slavko
> https://www.slavino.sk


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Slavko via mailop
Hi,

On Tue, 14 Jun 2022 16:51:55 +, Ken O'Driscoll via mailop
wrote:

> I wouldn't suggest that you implement DMARC on your list domain as it
> won't help with deliverability and will just cause more issues. It's
> not really designed for mailing lists.

Please, what issues will cause DMARC with policy None? Would not be
better to suggest this instead of no DMARC?

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Ken O'Driscoll via mailop
Hi Axel,

I would suggest:

* Make sure that the list's 5321.From (return-path/envelope/MAILFROM) domain 
has a valid and restrictive SPF 
* DKIM sign all list messages with your own key
* Use different DKIM keypairs for each list
* Don’t modify the original message body (e.g., adding in a list footer etc.)
* If the sender's domain has DMARC with an enforcing policy 
(p=quarantine/reject) then rewrite the 5322.From to use the list's domain

Not modifying the body of the message will give any original DKIM message 
signature the best chance of preserving validity.

Signing with your own DKIM key will create an additional reputation data point 
for message filters, which will help over time.

DMARC won't survive a MLM, so you have to rewrite the From to give the message 
a chance of being received. Your own DKIM signature will still be valid.

Implementing ARC wouldn't hurt, but don't expect it to magically fix anything. 
Your ARC set still needs to be trusted by message filters which implement ARC 
and there is no centralised mechanism to facilitate this yet. Larger providers 
may use ML to trust particular ARC header sets but who knows.

I wouldn't suggest that you implement DMARC on your list domain as it won't 
help with deliverability and will just cause more issues. It's not really 
designed for mailing lists.

Ken.

> -Original Message-
> From: mailop  On Behalf Of Axel Rau via
> mailop
> Sent: Tuesday 14 June 2022 16:51
> To: Paul Vixie via mailop 
> Subject: [mailop] Best practice for mailing list servers
> 
> Hi all,
> 
> I’m running a mailman3 site with several small mailing lists.
> 
> Today Google let all mails without DKIM sig bounce.
> Other ESPs refuse my mails because of broken DKIM sig.
> 
> Currently the listserver does not DKIM-sign nor remove DKIM-sigs.
> 
> It seems that mails with DKIM-sig (from the author domain, but broken
> by the list server) are accepted by Google.
> 
> Should I adopt ARC?
> Along with DMARC?
> 
> What is best practice in 2022?
> 
> 
> Any help appreciated,
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
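
Added example, not part of the original message and not Mailman's or any poster's code: the conditional From rewrite suggested in the list above, where 5322.From is replaced with the list address only when the author's domain publishes p=quarantine or p=reject. The DMARC records, addresses, the two-label organizational-domain shortcut and the Reply-To handling are assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import formataddr, parseaddr

# Constructed DMARC TXT records, keyed by the DNS name they would be published at.
DMARC_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
    "_dmarc.corp.example": "v=DMARC1; p=none; sp=quarantine",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";")]
    if parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in parts[1:] if "=" in p)}


def effective_policy(from_domain, lookup=DMARC_TXT.get):
    """DMARC policy that applies to mail with this 5322.From domain, or None."""
    domain = from_domain.lower().rstrip(".")
    rec = parse_dmarc(lookup("_dmarc." + domain))
    if rec is not None:
        return rec.get("p", "none").lower()
    # Fall back to the organizational domain. Assumption: the last two labels;
    # production code needs the Public Suffix List for this step.
    org = ".".join(domain.split(".")[-2:])
    rec = parse_dmarc(lookup("_dmarc." + org)) if org != domain else None
    if rec is not None:
        # Subdomains take sp= when present, otherwise the organizational p=.
        return rec.get("sp", rec.get("p", "none")).lower()
    return None


def list_rewrite(raw, list_addr, list_name, lookup=DMARC_TXT.get):
    """Rewrite 5322.From to the list address only when the author's domain
    publishes p=quarantine or p=reject; other messages pass through unchanged."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    pol = effective_policy(addr.rpartition("@")[2], lookup)
    if pol in ("quarantine", "reject"):
        shown = name or addr.split("@")[0]
        del msg["From"]
        msg["From"] = formataddr((f"{shown} via {list_name}", list_addr))
        if msg["Reply-To"] is None:   # keep the author reachable (a choice made here)
            msg["Reply-To"] = addr
    return pol, msg


SAMPLE = (  # constructed message
    "From: Alice Example <alice@strict.example>\n"
    "To: testlist@lists.example\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    pol, out = list_rewrite(SAMPLE, "testlist@lists.example", "testlist")
    print(pol)
    print(out.as_string())
```

The body is left untouched, so an author DKIM signature that does not cover From-dependent content can still verify; the list's own DKIM signature would be applied after this step.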


[mailop] Best practice for mailing list servers

2022-06-14 Thread Axel Rau via mailop
Hi all,

I’m running a mailman3 site with several small mailing lists.

Today Google let all mails without DKIM sig bounce.
Other ESPs refuse my mails because of broken DKIM sig.

Currently the listserver does not DKIM-sign nor remove DKIM-sigs.

It seems that mails with DKIM-sig (from the author domain,
but broken by the list server) are accepted by Google.

Should I adopt ARC?
Along with DMARC?

What is best practice in 2022?


Any help appreciated,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius
