[Mailman-Users] cause of bounces

Grant Taylor gtaylor at tnetconsulting.net
Tue Oct 17 20:04:35 EDT 2017


On 10/17/2017 05:07 PM, Mark Sapiro wrote:
> The reference is the DMARC standard RFC 7489
> <https://www.rfc-editor.org/rfc/rfc7489.txt>.

I need to go back and re-read that again.

> It's more complicated than the above.  There is a concept of domain
> alignment. Alignment is satisfied in either "strict" or "relaxed" mode.
> A DMARC policy record may optionally specify either mode for DKIM
> alignment or SPF alignment or both with the default being "relaxed".

My brain is failing to translate "corresponding organizational domains" 
to "sub-domains" properly and what that means for strict vs relaxed.

> For a message to pass DMARC it must meet 1 of 2 requirements.
> 
> 1) It must possess a valid DKIM signature from a domain aligned with the
> From: domain. In strict mode aligned means equal. In relaxed mode
> aligned means the corresponding organizational domains are equal.
> 
> or
> 
> 2) It must pass SPF. SPF works on the domain of the SMTP envelope from.
> Thus for SPF to pass, that domain must publish an SPF record specifying
> the IP of the sending server as a permitted sender. Further, for DMARC
> the envelope from (SPF) domain must align with the From: domain. Again,
> in strict mode aligned means equal. In relaxed mode aligned means the
> corresponding organizational domains are equal.

As I was reading this, I realized that I may have conflated DMARC 
reporting with DMARC pass / fail.

> Note that if you are relaying mail, SPF probably will pass for your
> server if the envelope from domain is your server, but it won't align
> with an unmunged From: domain and if it does align because you didn't
> rewrite it, SPF will fail unless the original sending domain publishes
> SPF that permits your server as a sender.

*nod*

> So the bottom line is as an "unaffiliated" relay without munging From:,
> SPF will never pass for DMARC and DKIM will only pass if you don't
> transform the message in ways that break the From: domain's DKIM signature.

I assume that you're talking about the SMTP envelope from and not the 
From: header.

> There is a remote possibility that the originating domain that publishes
> a DMARC policy relies on SPF and doesn't DKIM sign the message in which
> case, unmunged, relayed mail will almost certainly fail DMARC.

I know someone who is doing exactly that, purely for the purpose of 
receiving the feedback reports.



-- 
Grant. . . .
unix || die
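
Added example, not part of the original post: a small Python model of the pass rule quoted above (an aligned valid DKIM signature, or an aligned SPF pass), run over the relay cases discussed in the thread. The domains are constructed, and `PUBLIC_SUFFIXES` is a tiny stand-in for the Public Suffix List that a real organizational-domain lookup would use.

```python
# Added illustration; domains and the tiny suffix set are constructed.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}  # stand-in for the Public Suffix List

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict): equal. mode 'r' (relaxed): organizational domains equal."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_pass(from_domain, dkim_results, spf_domain, spf_ok, adkim="r", aspf="r"):
    """dkim_results: list of (d= domain, signature verified) pairs.
    Pass needs an aligned valid DKIM signature OR an aligned SPF pass."""
    dkim = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_results)
    spf = spf_ok and aligned(spf_domain, from_domain, aspf)
    return dkim or spf

def relay_cases():
    author = "example.com"        # From: domain that publishes a DMARC policy
    relay = "lists.example.net"   # list server's envelope-from domain
    sub = [("mail.example.com", True)]  # valid signature from a sub-domain
    return {
        # Direct mail signed by a sub-domain: relaxed aligns, strict does not.
        "direct_relaxed": dmarc_pass(author, sub, "bounce.example.com", True),
        "direct_strict": dmarc_pass(author, sub, "bounce.example.com", True, "s", "s"),
        # Unmunged From:, relay's SPF passes but is not aligned; DKIM survived.
        "relay_dkim_intact": dmarc_pass(author, [("example.com", True)], relay, True),
        # Same, but a footer or subject tag broke the author's signature.
        "relay_dkim_broken": dmarc_pass(author, [("example.com", False)], relay, True),
        # Author relies on SPF only and does not sign.
        "relay_spf_only": dmarc_pass(author, [], relay, True),
        # Munged From: now names the list domain, so the relay's SPF aligns.
        "relay_munged": dmarc_pass(relay, [("example.com", False)], relay, True),
    }

if __name__ == "__main__":
    for name, result in relay_cases().items():
        print(f"{name:18} {'pass' if result else 'fail'}")
```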


