[Mailman-Users] options for dealing with DMARC
Jordan Brown
mailman at jordan.maileater.net
Thu Dec 28 18:48:58 EST 2017
[ Mark, sorry for the dup. Sent from the wrong address, so the copy to
the mailing list bounced. ]
On 12/28/2017 1:27 PM, Mark Sapiro wrote:
> On 12/28/2017 11:57 AM, Jordan Brown wrote:
>> That's leading me to wonder whether there's another way, whether I can
>> leave From alone and still get past the DMARC checks. Wikipedia tells
>> me that DMARC passes if either SPF *or* DKIM passes. There's no hope
>> for SPF with the original sender in From, because the mailing list
>> server isn't the user's mail server. However, DKIM seems like it
>> *might* pass, if I'm careful in how I configure the mailing list.
> Correct. As pointed out in item 2 at <https://wiki.list.org/x/17891458>
> you can avoid breaking DKIM signatures by turning off Content filtering,
> scrubbing of non-digest messages and Reply-To: header munging and remove
> subject_prefix, msg_header and msg_footer so Mailman doesn't make
> message modifications that break DKIM signatures.
>
> If you are willing to have your list not make any such transformations,
> that will work.
Thanks! (And sorry for not looking at the FAQ first.)
(In looking to see what else I might have missed, I found DEV/DMARC; you
might want to link the two together.)
> Ideally, you might check DMARC on incoming mail, because if it fails,
> that mail will bounce anyway. E.g., I have seen a case where a user had
> configured a "Yahoo" account in her local email client to send From: her
> yahoo.com address but not send via a yahoo SMTP server. Thus, all of her
> mail, including list mail, would be bounced by anyone not checking DMARC
> because it had no yahoo.com DKIM signature, but in the case of list mail
> without DMARC mitigations, this would cause multiple recipients to
> bounce the mail and perhaps have their delivery disabled.
Is DMARC checking available as a Mailman feature? I don't remember
seeing a "check DMARC" option in the UI, and I don't find one in the
docs. I'm an HSP customer with cPanel as my UI. It looks like I could
enable DKIM on a domain-global basis, but I don't see anything for DMARC
per se. I don't want to turn on any domain-global rejection of
"failing" mail, because I wouldn't want to reject messages sent to the
non-mailing-list addresses. It would be OK to add a "failed DMARC"
header to the message and then have Mailman reject on the basis of that
header.
More information about the Mailman-Users
mailing list