[Mailman-Users] options for dealing with DMARC

Jordan Brown mailman at jordan.maileater.net
Thu Dec 28 18:48:58 EST 2017

[ Mark, sorry for the dup.  Sent from the wrong address, so the copy to
the mailing list bounced. ]

On 12/28/2017 1:27 PM, Mark Sapiro wrote:
> On 12/28/2017 11:57 AM, Jordan Brown wrote:
>> That's leading me to wonder whether there's another way, whether I can
>> leave From alone and still get past the DMARC checks.  Wikipedia tells
>> me that DMARC passes if either SPF *or* DKIM passes.  There's no hope
>> for SPF with the original sender in From, because the mailing list
>> server isn't the user's mail server.  However, DKIM seems like it
>> *might* pass, if I'm careful in how I configure the mailing list.
> Correct. As pointed out in item 2 at <https://wiki.list.org/x/17891458>
> you can avoid breaking DKIM signatures by turning off Content filtering,
> scrubbing of non-digest messages and Reply-To: header munging and remove
> subject_prefix, msg_header and msg_footer so Mailman doesn't make
> message modifications that break DKIM signatures.
> If you are willing to have your list not make any such transformations,
> that will work.

Thanks!  (And sorry for not looking at the FAQ first.)

(In looking to see what else I might have missed, I found DEV/DMARC; you
might want to link the two together.)

> Ideally, you might check DMARC on incoming mail, because if it fails,
> that mail will bounce anyway. E.g., I have seen a case where a user had
> configured a "Yahoo" account in her local email client to send From: her
> yahoo.com address but not send via a yahoo SMTP server. Thus, all of her
> mail, including list mail, would be bounced by anyone not checking DMARC
> because it had no yahoo.com DKIM signature, but in the case of list mail
> without DMARC mitigations, this would cause multiple recipients to
> bounce the mail and perhaps have their delivery disabled.

Is DMARC checking available as a Mailman feature?  I don't remember
seeing a "check DMARC" option in the UI, and I don't find one in the
docs.  I'm an HSP customer with cPanel as my UI.  It looks like I could
enable DKIM on a domain-global basis, but I don't see anything for DMARC
per se.  I don't want to turn on any domain-global rejection of
"failing" mail, because I wouldn't want to reject messages sent to the
non-mailing-list addresses.  It would be OK to add a "failed DMARC"
header to the message and then have Mailman reject on the basis of that
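
Added example, not part of the original thread: a Python check for which of the list modifications named in the quoted reply (subject_prefix, msg_footer, Reply-To munging) change the inputs a DKIM signature covers. It assumes the signer used relaxed/relaxed canonicalization and listed reply-to in h=; the sample message, addresses and placeholder bh=/b= values are constructed, and the code compares signature inputs in simplified form rather than verifying the RSA signature.

```python
import base64, hashlib, re
from email import message_from_string

def relaxed_body(body: str) -> bytes:
    # RFC 6376 3.4.4: collapse runs of WSP, drop trailing WSP and trailing empty lines
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines).encode()

def body_hash(body: str) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def signed_headers(sig: str) -> list:
    # The h= tag of DKIM-Signature lists the header fields covered by the signature
    tags = dict((k.strip(), v) for k, v in (t.split("=", 1) for t in sig.split(";") if "=" in t))
    return [h.strip().lower() for h in tags["h"].split(":")]

def relaxed_header(value: str) -> str:
    # Unfold and collapse whitespace (simplified relaxed header canonicalization)
    return re.sub(r"\s+", " ", value).strip()

def dkim_breakage(original: str, relayed: str) -> list:
    """Reasons the original signature's inputs no longer match after relaying."""
    a, b = message_from_string(original), message_from_string(relayed)
    reasons = ["signed header changed: " + h for h in signed_headers(a["DKIM-Signature"])
               if relaxed_header(a.get(h, "")) != relaxed_header(b.get(h, ""))]
    if body_hash(a.get_payload()) != body_hash(b.get_payload()):
        reasons.append("body hash (bh=) changed")
    return reasons

# Constructed sample message; bh= and b= are placeholders, not real signature data.
ORIGINAL = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
    " h=from:to:subject:date:reply-to; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "To: list@lists.example.org\n"
    "Subject: meeting notes\n"
    "Date: Thu, 28 Dec 2017 18:00:00 -0500\n"
    "\n"
    "See attached.\n"
)
UNTOUCHED = "Received: from lists.example.org\n" + ORIGINAL + "\n"  # pass-through relay
PREFIXED = ORIGINAL.replace("Subject: ", "Subject: [List] ")         # subject_prefix
FOOTED = ORIGINAL + "-- \nlist footer\n"                               # msg_footer
MUNGED = ORIGINAL.replace("To: ", "Reply-To: list@lists.example.org\nTo: ", 1)

if __name__ == "__main__":
    for name, msg in [("untouched", UNTOUCHED), ("subject_prefix", PREFIXED),
                      ("msg_footer", FOOTED), ("reply-to munging", MUNGED)]:
        print(name, "->", dkim_breakage(ORIGINAL, msg) or "signature inputs intact")
```

An added Reply-To only counts as a change here because the constructed h= list covers reply-to; a signature that does not list that field is unaffected by it.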

