[pfx] Re: A strange DMARC failure
On 17.05.23 09:09, Tom Reed via Postfix-users wrote: I found that, after I enable opendmarc to reject messages, there are some issues for list addresses. for example, this rejected message shows: : host mx1.dkinbox.com[193.106.250.86] said: 550 5.7.1 rejected by DMARC policy for radlogic.com.au (in reply to end of DATA command) And I checked that, radlogic.com.au does have a p=reject policy: _dmarc.radlogic.com.au. 3600IN TXT "v=DMARC1; p=reject; fo=1; rua=mailto:ad...@radlogic.com.au; Following their policy, I have the permission to reject it. Since the message was sent to mailing list which rewrites envelope address and adds list signature, so: 1) SPF for header From: address won't get pass due to SRS. 2) DKIM won't get pass due to list signature. So the DMARC failed totally and the message was rejected. How to improve this? common ways to work around this problem: from mailing list site: - don't modify mail headers/body when resending e-mail, so you keep the original DKIM signature correct - rewrite From: to your domain and sign with your DKIM key so DKIM signature will be OK. from recipients side: - allow sending IP to send mail that fail DMARC -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Quantum mechanics: The dreams stuff is made of. ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: A strange DMARC failure
> On Tue, May 16, 2023 at 10:15:35PM -0400, Bill Cole via Postfix-users > wrote: > >> On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800) >> Tom Reed via Postfix-users >> is rumored to have said: >> [...] >> > Since the message was sent to mailing list which rewrites envelope >> > address >> > and adds list signature, so: >> > >> > 1) SPF for header From: address won't get pass due to SRS. >> > 2) DKIM won't get pass due to list signature. >> > >> > So the DMARC failed totally and the message was rejected. >> > >> > How to improve this? >> >> Do not reject mail solely based on DMARC failure. >> >> DMARC is fragile and unreliable. It has WELL-KNOWN incompatibilities >> with >> traditional mailing list practices. The fact that DMARC exists does not >> imply that it is entirely usable as deployed. >> >> -- >> Bill Cole >> b...@scconsult.com or billc...@apache.org >> (AKA @grumpybozo and many *@billmail.scconsult.com addresses) >> Not Currently Available For Hire > > Yes, it's best to let receiving MUAs deal with DMARC > failures, rather than mail servers (which should just > add Authentication headers). Then individual mail users > can decide how they personally want to deal with it. > Got it. Thanks for suggestions. -- sent from https://dkinbox.com/ ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: A strange DMARC failure
On Tue, May 16, 2023 at 10:15:35PM -0400, Bill Cole via Postfix-users wrote: > On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800) > Tom Reed via Postfix-users > is rumored to have said: > [...] > > Since the message was sent to mailing list which rewrites envelope > > address > > and adds list signature, so: > > > > 1) SPF for header From: address won't get pass due to SRS. > > 2) DKIM won't get pass due to list signature. > > > > So the DMARC failed totally and the message was rejected. > > > > How to improve this? > > Do not reject mail solely based on DMARC failure. > > DMARC is fragile and unreliable. It has WELL-KNOWN incompatibilities with > traditional mailing list practices. The fact that DMARC exists does not > imply that it is entirely usable as deployed. > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > Not Currently Available For Hire Yes, it's best to let receiving MUAs deal with DMARC failures, rather than mail servers (which should just add Authentication headers). Then individual mail users can decide how they personally want to deal with it. cheers, raf ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: A strange DMARC failure
On 2023-05-16 at 21:09:35 UTC-0400 (Wed, 17 May 2023 09:09:35 +0800) Tom Reed via Postfix-users is rumored to have said: [...] Since the message was sent to mailing list which rewrites envelope address and adds list signature, so: 1) SPF for header From: address won't get pass due to SRS. 2) DKIM won't get pass due to list signature. So the DMARC failed totally and the message was rejected. How to improve this? Do not reject mail solely based on DMARC failure. DMARC is fragile and unreliable. It has WELL-KNOWN incompatibilities with traditional mailing list practices. The fact that DMARC exists does not imply that it is entirely usable as deployed. -- Bill Cole b...@scconsult.com or billc...@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not Currently Available For Hire ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
[pfx] Re: A strange DMARC failure
It appears that Tom Reed via Postfix-users said: >Since the message was sent to mailing list which rewrites envelope address >and adds list signature, so: > >1) SPF for header From: address won't get pass due to SRS. >2) DKIM won't get pass due to list signature. > >So the DMARC failed totally and the message was rejected. Right. Approximately every mailing list in the world has this problem. >How to improve this? There is no good answer. If your system is fairly small, make a whitelist of mailing lists (probably by IP) and skip the DMARC checks. Some lists apply ARC headers which let you look back and see what the DMARC result was before the list changed it, but most lists don't, and at this point there is no ARC milter I would want to use. R's, John ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org