
List:       postfix-users
Subject:    Re: Validation DMARC
From:       Dominic Raferd <dominic () timedicer ! co ! uk>
Date:       2019-11-25 15:46:56
Message-ID: CAF9Mo3K04UT-8eZ0NqeNgwHZSqAYCHKiuG0fjt9BZjEXLu3HYQ () mail ! gmail ! com

On Sun, 24 Nov 2019 at 23:34, Richard Damon <Richard@damon-family.org>
wrote:

> On 11/24/19 6:21 PM, Wesley Peng wrote:
> > Why it doesn't break From: header SPF? Just curious
> >
> > On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
> >> > Or in short: DMARC intentionally breaks every mailinglist and every
> >> > mail-forwarding.  So, if a mail-provider uses a strict DMARC-policy,
> >> > it effectively says: "Our mail-addresses may not be used for
> >> > mailinglists."
> >>
> >> this message (i am replying to) from you on this mailing list is not
> >> broken
> >>
> It DOES break DMARC/SPF, as the IP address the message comes from
> doesn't match the From of the message, but with DMARC if EITHER SPF or
> DKIM pass, the message is to be considered to pass.
>
> A Domain with strict DMARC, and which doesn't DKIM sign messages, will
> fail with any form of remailer, so would fail for this application.
>

Anyone using DMARC with p=reject and without using DKIM signing is asking
for trouble - this should never be done intentionally. I have seen it
happen by mistake (usually by public bodies e.g. police, HMRC...).

Assuming the message is DKIM-signed (and the signing is only on the
critical headers, as it normally is) then DMARC won't cause problems on
this mailing list. For other mailing lists YMMV.

We have used DMARC with p=reject on domains for personal and business use
for several years and have never had any rejections or 'false positives' as
a result. I don't use such domains for posting to mailing lists, and no one
else using our domains has ever tried to.
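
The cases discussed in this thread, as an added example that is not part of the original message: a simplified DMARC check (relaxed identifier alignment as in RFC 7489) run over constructed scenarios for direct delivery and delivery via a mailing list. The domains, the two-label organizational-domain shortcut, and all function names are assumptions made for illustration.

```python
# Added illustration, not code from the thread. Simplified DMARC evaluation.
# Assumption: the organizational domain is the last two labels; real
# implementations use the Public Suffix List. All domains are constructed.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(from_domain, policy, spf_result, spf_domain, dkim_sigs):
    """dkim_sigs is a list of (result, d= domain), one per DKIM-Signature."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # Neither mechanism gave an aligned pass: the published policy applies.
    disposition = policy if policy in ("quarantine", "reject") else "none"
    return ("fail", disposition)

# Constructed scenarios. Via a list, SPF is checked against the list's own
# envelope sender, so it can pass without aligning with the From: domain.
SCENARIOS = {
    "direct, SPF only": ("example.org", "reject", "pass", "example.org", []),
    "via list, DKIM intact": ("example.org", "reject", "pass",
                              "lists.example.net", [("pass", "example.org")]),
    "via list, no DKIM": ("example.org", "reject", "pass",
                          "lists.example.net", []),
    "via list, signed content altered": ("example.org", "reject", "pass",
                                         "lists.example.net",
                                         [("fail", "example.org")]),
}

def run_scenarios():
    return {name: dmarc_eval(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (result, disposition) in run_scenarios().items():
        print(f"{name:35s} dmarc={result:4s} disposition={disposition}")
```
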
