
List:       fedora-list
Subject:    Re: DMARC and SPF and DKIM, oh, my!
From:       "T.C. Hollingsworth" <tchollingsworth () gmail ! com>
Date:       2023-05-10 7:08:39
Message-ID: CAJVv0Om1z5Bhvu4JDPeKearhPqbdGWNNMLg3rzjV8RaNom3RhA () mail ! gmail ! com

On 5/9/23, Thomas Cameron via users <users@lists.fedoraproject.org> wrote:
> All -
>
> I've tested my DMARC, DKIM, and SPF records against multiple test sites,
> and it's set up correctly. I've sent email from my server to GMail, read
> the headers, and all tests pass.
>
> The problem is, as far as I can tell, EVERY server that sends mail to
> mailing lists causes me to get a barrage of warnings from receivers'
> email servers saying that, since the email came from the list server,
> the message failed because it's not from MY email server. It's maddening.
>
> What do folks who manage email servers do about this? I'm seriously
> starting to think that using these tools introduces darned near as many
> problems as they "solve." Talk me off the ledge?

I will do the opposite. :-D

DMARC says nobody should send mail from my domain but my email servers
I approve, reject the rest. Mailing lists are the antithesis of this.
The purpose of it was so the Bank of Americas and PayPals of the
world can send a strong signal that no-one should be sending mail from
their domains but them, no ifs, ands, or buts. It was never intended
for ISPs and webmail services whose users often forward their mail to
other addresses or family and hobby domains who do that and more.

Set an explicit DMARC policy in DNS but configure it to off. You don't
need it. All the rejections it will cause may make your sending
reputation worse. And you will be in good company with the likes of
Gmail.com.

Do keep DKIM signing turned on. It will be beneficial for all the
mails you send directly. Without DMARC, filters can make informed
decisions about emails from dumb lists that mangle headers without
removing the DKIM signature and smart lists can just remove the header
before forwarding them. With DMARC recipient mail servers must reject
mails that are unsigned or fail verification and the only way lists
can work around it is to rewrite your entire From address as this list
has done for you today.

SPF you can also keep set to fail or softfail. Mailing lists rewrite
the Return-Path header in order to receive bounces so list mails
should always pass SPF.

You just don't need DMARC. It wasn't intended for *you*. ;-)
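
Added example, not part of the original post: a simplified DMARC evaluation showing why mail relayed by a list fails under p=reject even though SPF passes for the list's Return-Path domain, and what changes with p=none or a rewritten From. Assumptions: the post's "off" is read as p=none, the domains example.org and lists.example.net and all results are constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Simplified DMARC check (illustration only, not a full RFC 7489 implementation).
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    # Relaxed alignment (the DMARC default): organizational domains must match.
    return org_domain(a) == org_domain(b)

def dmarc_disposition(record, from_domain, spf, dkim):
    """record: DMARC TXT record published for from_domain.
    spf: (result, MAIL FROM domain); dkim: list of (result, d= domain)."""
    policy = parse_dmarc(record).get("p", "none").lower()
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
    return "fail", action

# Constructed scenarios: example.org is the sender, lists.example.net the list.
DIRECT = dict(from_domain="example.org", spf=("pass", "example.org"),
              dkim=[("pass", "example.org")])
# List rewrote Return-Path (SPF passes, but for the list's domain) and
# modified the message, so the sender's DKIM signature no longer verifies.
VIA_LIST = dict(from_domain="example.org", spf=("pass", "lists.example.net"),
                dkim=[("fail", "example.org")])
# List also rewrote From to its own domain: SPF is now aligned with From.
FROM_REWRITTEN = dict(from_domain="lists.example.net",
                      spf=("pass", "lists.example.net"), dkim=[("fail", "example.org")])

if __name__ == "__main__":
    for name, msg in [("direct", DIRECT), ("via list", VIA_LIST), ("From rewritten", FROM_REWRITTEN)]:
        for rec in ("v=DMARC1; p=reject", "v=DMARC1; p=none"):
            print(f"{name:15} {rec:20} {dmarc_disposition(rec, **msg)}")
```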