I noticed recently that each time I send an email to the kde@lists.fedoraproject.org mailing list I get up to three failed DMARC reports from other email servers.
The list is sending email "from" me with the source address:
Source-IP: 38.145.60.11 (bastion-iad01.fedoraproject.org)
Which, of course, does not match up with my email server's IP address, so SPF fails, It also appears that DKIM signature also does not match.
I've had my server's DNS set up to request DMARK failure reports for a few years and haven't seen any reports lately except via this list. So I am wondering if something is mis-configured on this list server.
Emmett
On Fri, Aug 27, 2021 at 09:44:07AM -0700, Emmett Culley wrote:
Which, of course, does not match up with my email server's IP address, so SPF fails, It also appears that DKIM signature also does not match.
I think we _can't_ make the DKIM signature match, because we add footers pointing to unsubscribe information and list guidelines.
On 8/27/21 10:47 AM, Matthew Miller wrote:
On Fri, Aug 27, 2021 at 09:44:07AM -0700, Emmett Culley wrote:
Which, of course, does not match up with my email server's IP address, so SPF fails, It also appears that DKIM signature also does not match.
I think we _can't_ make the DKIM signature match, because we add footers pointing to unsubscribe information and list guidelines.
I don't think DKIM will be a problam as long as the list server doesn't alter certain headers, which yu are saying it does. But DKIM failing alone would not cause the DMARK to fail, as both SPF and DKIM have to fail.
So this is an SPF issue as far as I can tell.
Emmett
On Fri, Aug 27, 2021 at 11:13:28AM -0700, Emmett Culley wrote:
I don't think DKIM will be a problam as long as the list server doesn't alter certain headers, which yu are saying it does. But DKIM failing alone would not cause the DMARK to fail, as both SPF and DKIM have to fail.
It alters the message body. Not sure about the relevant headers offhand.
So this is an SPF issue as far as I can tell.
Yes; that's a problem with mailing lists in general and strict SPF. We could change it so messages claim to be coming from the list rather than from you, but that breaks key assumptions about how mailing lists work.
On 8/27/21 11:26 AM, Matthew Miller wrote:
On Fri, Aug 27, 2021 at 11:13:28AM -0700, Emmett Culley wrote:
I don't think DKIM will be a problam as long as the list server doesn't alter certain headers, which yu are saying it does. But DKIM failing alone would not cause the DMARK to fail, as both SPF and DKIM have to fail.
It alters the message body. Not sure about the relevant headers offhand.
So this is an SPF issue as far as I can tell.
Yes; that's a problem with mailing lists in general and strict SPF. We could change it so messages claim to be coming from the list rather than from you, but that breaks key assumptions about how mailing lists work.
What strikes me is this is the only list that causes this. I suppose it is likely that there are simply three email servers receiving email from this list that has openDMARC set up to send failure message to those servers that request them. Like my email DNS is set up to do. Usually those messages are sent out only once a day, but these I am getting within seconds of posting a message to this list.
I am aware of the list server issues around SPF, yet some seem to have resolved it. Or at least it seems that way.
Since this issue is not effecting my access to the list, I will filter those messages to trash and mark then read.
Emmett
-
Emmett Culley -
Matthew Miller