[Mailman-Users] Emails from yahoo members, are getting rejected by yahoo, "Service Unavailable".

Jim Popovitch jimpop at gmail.com
Mon Apr 14 04:55:33 CEST 2014

On Sun, Apr 13, 2014 at 10:47 PM, Mark Sapiro <mark at msapiro.net> wrote:
> On 04/13/2014 03:17 PM, Mark Sapiro wrote:
>> On 04/13/2014 03:03 PM, Jim Popovitch wrote:
>>> DMARC checks alignment of *both* DKIM and SPF, if either is broken DMARC fails.
>>>> SPF does not check the "From:" header line, and that's where the
>>>> troubles begin with DMARC.
>>> SPF checks sending IPs (of which your IPs won't match Yahoo's, thus
>>> breaking DMARC)
>>> Either an SPF failure or a DKIM failure will cause a DMARC rejection
>>> if p=reject.
>> I'm not sure that's correct. I've been testing this so many ways, I'm
>> not sure what I'm seeing, but I think a reject requires BOTH DKIM and
>> SPF to be absent or fail. If either passes, no DMARC reject occurs.
> My reading of Sec 10.2 of the current draft DMARC standard
> <https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/> says that
> either a valid DKIM signature or a valid SPF test is sufficient, but
> only if the domains are aligned which means the DKIM signing domain or
> the SPF envelope sender domain must match (in strict or relaxed mode)
> that of the From: address.
>        If one or more of the Authenticated Identifiers align
>        with the RFC5322.From domain, the message is considered to pass
>        the DMARC mechanism check.
> In particular, one's own SPF won't do because the domains won't align.

I (now) agree with that; it's "either", not both, that passes a DMARC
check.  Mailman always "breaks" DKIM, so I never really considered
what happens if DKIM passes but SPF doesn't.

-Jim P.
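
The rule the thread converges on (one passing identifier that aligns with the From: domain is enough), as an added example that is not part of the original message. The names, the lists.example.org domain, the scenarios and the four-entry suffix set standing in for the Public Suffix List are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: constructed stand-in for the Public Suffix List (real checks need the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational Domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares Organizational Domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class AuthResult:
    mechanism: str  # "spf" or "dkim"
    domain: str     # SPF: envelope sender domain; DKIM: d= signing domain
    passed: bool

def dmarc_passing_ids(from_domain, results, strict_spf=False, strict_dkim=False):
    """Return the results that both pass and align with the From: domain."""
    strict = {"spf": strict_spf, "dkim": strict_dkim}
    return [r for r in results
            if r.passed and aligned(r.domain, from_domain, strict[r.mechanism])]

def dmarc_pass(from_domain, results, **modes):
    """One aligned, passing identifier is enough for DMARC to pass."""
    return bool(dmarc_passing_ids(from_domain, results, **modes))

# Constructed scenarios for a message with From: someone@yahoo.com
SCENARIOS = {
    "direct from Yahoo": [AuthResult("spf", "yahoo.com", True),
                          AuthResult("dkim", "yahoo.com", True)],
    "via list, body modified": [AuthResult("spf", "lists.example.org", True),
                                AuthResult("dkim", "yahoo.com", False)],
    "via list, DKIM intact": [AuthResult("spf", "lists.example.org", True),
                              AuthResult("dkim", "yahoo.com", True)],
}

if __name__ == "__main__":
    for name, results in SCENARIOS.items():
        print(f"{name}: {'pass' if dmarc_pass('yahoo.com', results) else 'fail'}")
```

In the second scenario the list's own SPF passes but does not align with yahoo.com, so it contributes nothing once the DKIM signature is broken.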
