Need help diagnosing an intermittent DMARC mung failure
Hi,
I'd like some help diagnosing an intermittent DMARC mung failure on Mailman 2.1.29.
Some of the time DMARC munging works perfectly fine, and then seemingly with no configuration changes, DMARC munging stops working. Then after restarting Mailman it may start working again. -- We don't have hard consistent data yet.
But we do have a sender where some of the time their messages come through with "First Last via List" <list@listdomain.example> and then other times their messages come through with "First Last" <sender@sendersdomain.example>.
No changes on the sender's side / infrastructure and no changes on the mailing list config / infrastructure.
Does anyone have any recommendations on how to start troubleshooting this?
N.B. I don't have root on the system but I do have the ear of people that do. I might be able to check logs if I have read permission on them. I'm not seeing any obvious problems in the logs that I can read. I may have to relay diagnostic requests to the admins if I don't have permission.
-- Grant. . . .
On Fri, 2024-04-19 at 22:55 -0500, Grant Taylor via Mailman-Users wrote:
Does the sender have an internationalized domain name (IDN)? The Utils.py logic that determines the domain to query for DMARC is based on this code which I've always wondered how that would work with IDNs.
    email = email.lower()
    # Scan from the right in case quoted local part has an '@'.
    at_sign = email.rfind('@')
    if at_sign < 1:
        return False
Are you able to reliably dig the sender's DMARC record over and over in a loop to test the reliability of the sender's DNS, perhaps even testing each of their nameservers independently? I see folks all the time that have DNS servers out of sync.
-Jim P.
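The per-nameserver loop suggested above, as an added example that is not part of the original message: it asks each authoritative nameserver for the `_dmarc` TXT record several times and reports whether every answer agrees. `sender.example` is a placeholder domain and the function names are illustrative; `DIG` can be overridden so the logic can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not from the thread. sender.example is a placeholder domain.
DIG=${DIG:-dig}      # overridable, e.g. to point at a stub instead of real dig

# Print one nameserver's DMARC record for a domain: the record text,
# NONE (answer came back without a v=DMARC1 record) or ERROR (dig failed).
dmarc_from_ns() {    # $1 = domain, $2 = nameserver
    ans=$($DIG +short +time=3 +tries=1 TXT "_dmarc.$1" "@$2" 2>/dev/null) \
        || { echo ERROR; return 0; }
    ans=$(printf '%s\n' "$ans" | grep -i 'v=DMARC1' | tr -d '"' | head -n 1)
    printf '%s\n' "${ans:-NONE}"
}

# Ask every authoritative nameserver $2 times; print "nameserver<TAB>answer".
poll_dmarc() {       # $1 = domain, $2 = rounds
    nameservers=$($DIG +short NS "$1") || return 2
    [ -n "$nameservers" ] || return 2
    i=0
    while [ "$i" -lt "$2" ]; do
        for ns in $nameservers; do
            printf '%s\t%s\n' "$ns" "$(dmarc_from_ns "$1" "$ns")"
        done
        i=$((i + 1))
    done
}

# Print a count per (nameserver, answer) pair. Exit status 0 only when every
# query returned the same DMARC record; 1 on any NONE, ERROR or mismatch;
# 2 when the NS lookup itself produced nothing.
dmarc_consistent() { # $1 = domain, $2 = rounds (default 5)
    out=$(poll_dmarc "$1" "${2:-5}") || return 2
    printf '%s\n' "$out" | sort | uniq -c
    printf '%s\n' "$out" | awk -F'\t' '
        $2 == "NONE" || $2 == "ERROR" { bad = 1 }
        { seen[$2] = 1 }
        END { for (k in seen) n++; exit (bad || n != 1) }'
}

# Usage: dmarc_consistent sender.example 20
```

Run it from the Mailman host itself so the queries leave from the same network as Mailman's own lookups.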
On 4/20/24 08:21, Jim P. via Mailman-Users wrote:
> Does the sender have an internationalized domain name (IDN)?
Nope. My domain is one of them. Yahoo is another. The 3rd, which I don't remember at the moment, is a .net or .com.
I've not tested this specifically. But I've not seen this symptom for my domain on any of the other hundreds of mailing lists that I'm on. Nor have I seen it for Yahoo anywhere else.
> I see folks all the time that have DNS servers out of sync.
I think that's a fair question to ask. I'm fairly certain that's not the problem here.
That being said, I can't guarantee that the DNS server(s) on the host in question isn't / aren't having problems.
I'll do some testing therefrom.
Are there any log entries, or debugging, that could be enabled / turned up to help diagnose this?
-- Grant. . . .
On 4/20/24 18:32, Jim P. via Mailman-Users wrote:
In addition, Mailman's error log will have entries when there are DNS exceptions in looking up DMARC policy, but all these result in mitigations being applied as though the policy was reject.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan