Hi,
On Mon, Jul 21, 2025 at 09:10:08AM -0400,
rhkramer@gmail.com wrote:
(Extra points for anybody who can craft a somewhat similar simple explanation of DMARC.)
This whole topic is quite convoluted and only really relevant to the
tiny numbers of us who run our own mail servers. Everyone using an email service providers (ESP) would normally expect their ESP to handle it
all, maybe after some setup on their side if they use a custom domain.
DMARC is about communicating what the "responsible" sending domain would
like recipient servers to do about failures of DKIM and SPF.
Strictly speaking according to the DMARC RFC, if *either* of SPF or DKIM
pass then this is considered a DMARC pass. In practice, some mail
systems have been known to take DMARC-related actions if only one or the
other fails.
The DMARC entry in the DNS says if the sender domain would like for
failed messages to be rejected or quarantined. DMARC is just advisory
and any system can do what it likes with mail it receives, so accepting
things that the sender wanted rejected is still compliant if the
receiving server wants. Of more concern are receiving systems that
decide to reject even when the sender wanted quarantine. What
"quarantine" means is also not defined by DMARC and is a local decision
for the receiving system.
Note that an email can have multiple DKIM signatures, and this one
probably does. Any mail server in the path can add a DKIM signature and lists.debian.org does add one. The purpose of this is to make an
assertion about the contents of the email *at the point that the given
mail server saw it*.
For DMARC purposes, it looks for something called "alignment". This just
means that it wants a DKIM signature from the same domain that is in
the From: header. i.e, for this email, it wants one from strugglers.net
and will ignore others such as the one from lists.debian.org. That makes
sense as you would expect that if an email is alleged to come from an
address at example.org then it is the DKIM public key in the DNS for example.org that should be consulted, not any other key+signature that
may be present.
For SPF there is only ever one DNS entry that is looked for and that is
inside the DNS zone for the *envelope sender*. The envelope sender of
this email will be one at lists.debian.org, so it's Debian's SPF record
that will be checked. The list mail should get an SPF pass because it
really does come from Debian's infrastructure.
Some Debian list email will fail DKIM due to overzealous choice of
headers¹ to sign on the part of the sender — the list software adds a few headers and some people sign [even the non-existence of] these headers.
But all real Debian list email should pass SPF, and so that pass alone
should result in a DMARC pass.
Thanks,
Andy
¹ I'm not sure if it's still true but a couple of years ago the default
configuration of the default MTA in Debian (exim4) would sign an
excessive set of headers beyond what is recommended in the DKIM RFC,
if DKIM signing was enabled.
--
https://bitfolk.com/ -- No-nonsense VPS hosting
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)