[Mailman-Users] cause of bounces

Mark Sapiro mark at msapiro.net
Tue Oct 17 19:07:09 EDT 2017


On 10/17/2017 03:15 PM, Lindsay Haisley wrote:
> 
> Just as an aside here, my understanding is that validation of an email
> by DMARC requires ONE of two things: EITHER the DKIM signature in the
> email must validate, OR the domain of the From body header must resolve
> to the IP address of the Sender system (list server or mail reflector).
> Is this correct? Where's a reference on this?


The reference is the DMARC standard RFC 7489
<https://www.rfc-editor.org/rfc/rfc7489.txt>.

It's more complicated than the above.  There is a concept of domain
alignment. Alignment is satisfied in either "strict" or "relaxed" mode.
A DMARC policy record may optionally specify either mode for DKIM
alignment or SPF alignment or both, with the default being "relaxed".

For a message to pass DMARC it must meet 1 of 2 requirements.

1) It must possess a valid DKIM signature from a domain aligned with the
From: domain. In strict mode aligned means equal. In relaxed mode
aligned means the corresponding organizational domains are equal.

or

2) It must pass SPF. SPF works on the domain of the SMTP envelope from.
Thus for SPF to pass, that domain must publish an SPF record specifying
the IP of the sending server as a permitted sender. Further, for DMARC
the envelope from (SPF) domain must align with the From: domain. Again,
in strict mode aligned means equal. In relaxed mode aligned means the
corresponding organizational domains are equal.

Note that if you are relaying mail, SPF probably will pass for your
server if the envelope from domain is your server, but it won't align
with an unmunged From: domain and if it does align because you didn't
rewrite it, SPF will fail unless the original sending domain publishes
SPF that permits your server as a sender.

So the bottom line is as an "unaffiliated" relay without munging From:,
SPF will never pass for DMARC and DKIM will only pass if you don't
transform the message in ways that break the From: domain's DKIM signature.

There is a remote possibility that the originating domain that publishes
a DMARC policy relies on SPF and doesn't DKIM sign the message, in which
case unmunged, relayed mail will almost certainly fail DMARC.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


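The alignment rules Mark lays out above, worked through as an added example that is not part of the original post and is not Mailman's own code. It implements the identifier-alignment check from RFC 7489 section 3.1 (strict = exact match, relaxed = organizational domains match) and then runs the relay situations the post describes: author signature intact, author signature broken by list transformation, From: munged to the list domain, and an originating domain that relies on SPF alone. The domains (example.com, lists.example.org) are hypothetical, and the tiny `PUBLIC_SUFFIXES` set is a constructed stand-in for the real Public Suffix List that RFC 7489 section 3.2 uses for organizational-domain discovery.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), as an added example.

Not Mailman code. Domains are hypothetical; PUBLIC_SUFFIXES is a constructed
stand-in for the Public Suffix List (use a real PSL library in production).
"""
from dataclasses import dataclass

# Constructed, deliberately tiny substitute for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the public suffix plus one more label (RFC 7489 section 3.2).

    Tries the longest matching suffix first so 'co.uk' wins over 'uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix          # the domain itself is a public suffix
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])       # unknown suffix: fall back to last two labels


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): domains equal. Relaxed ('r'): organizational domains equal."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    if mode == "r":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    from_domain: str             # domain of the RFC5322.From header
    dkim_pass_domains: tuple     # d= of every DKIM signature that verified
    spf_domain: str              # RFC5321.MailFrom (envelope from) domain SPF checked
    spf_pass: bool               # did SPF pass for that envelope domain?


def dmarc_pass(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one aligned DKIM signature verified, or SPF
    passed and the envelope-from domain is aligned. Defaults are relaxed."""
    dkim_ok = any(aligned(r.from_domain, d, adkim) for d in r.dkim_pass_domains)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, aspf)
    return {"dkim": dkim_ok, "spf": spf_ok, "pass": dkim_ok or spf_ok}


def relay_scenarios() -> dict:
    """The list-server relay cases from the post. The list server always sets
    the envelope from to lists.example.org, which its own SPF permits."""
    # Unmunged From:, author's DKIM signature survived the relay.
    intact = AuthResults("example.com", ("example.com",), "lists.example.org", True)
    # Unmunged From:, but a footer/subject tag broke the author's signature;
    # only the list's own signature verifies, and it does not align.
    broken = AuthResults("example.com", ("lists.example.org",), "lists.example.org", True)
    # From: munged to the list domain and signed by the list: both align.
    munged = AuthResults("lists.example.org", ("lists.example.org",), "lists.example.org", True)
    # Originating domain relies on SPF only and never DKIM-signed the message.
    spf_only = AuthResults("example.com", (), "lists.example.org", True)
    return {
        "intact": dmarc_pass(intact),
        "broken": dmarc_pass(broken),
        "munged": dmarc_pass(munged),
        "spf_only": dmarc_pass(spf_only),
    }


if __name__ == "__main__":
    for name, result in relay_scenarios().items():
        print(f"{name:9s} {result}")
```

Running it shows the post's bottom line: the unaffiliated relay never gets an aligned SPF pass, so an unmunged message survives only while the author's DKIM signature stays valid; once the list transforms the body or subject, or the origin never signed at all, DMARC fails, and munging From: to the list domain is what makes both identifiers align again.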