[Mailman-Users] Mailman, DMARC and OpenDKIM
Richard Damon
Richard at Damon-Family.org
Sun Apr 27 20:00:20 CEST 2014
On 4/27/14, 1:34 PM, Mark Sapiro wrote:
> On 04/27/2014 10:16 AM, Lindsay Haisley wrote:
>> My understanding is that DMARC alignment depends on both SPF and DKIM
>> and that if a test using either protocol passes, then a DMARC will pass.
>> This is probably an oversimplification, but I'm exploring the idea of
>> whether it might be possible to interpose a milter using OpenDKIM
>> (perhaps zdkimfilter) between Mailman and the outgoing SMTP server
>> (courier-MTA) so that outgoing list posts are appropriately signed.
>
> This doesn't help. The whole idea behind DMARC is the message must pass
> either SPF or DKIM with a domain that 'aligns' with the domain of the
> address in the From: header.
>
> You can't DKIM sign for the yahoo.com or aol.com or whatever.com domain
> because you don't know their private keys. You can only DKIM sign for
> your own domain which won't 'align' with the From: domain.
>
One question I have had over how this works is why SPF is added to the
mix. If the message passes SPF, then it has come directly from a server
that is supposedly controlled by the sending provider. Said server
should have been able to DKIM sign the message, so you should never see
a message that passes SPF but fails DKIM.
Was that option just put in to allow an organization to just implement
SPF (and ignore DKIM), but change SPF to require the alignment to From: ?
--
Richard Damon
More information about the Mailman-Users
mailing list