[Mailman-Users] cause of bounces
gtaylor at tnetconsulting.net
Tue Oct 17 20:04:35 EDT 2017
On 10/17/2017 05:07 PM, Mark Sapiro wrote:
> The reference is the DMARC standard RFC 7489
I need to go back and re-read that again.
> It's more complicated than the above. There is a concept of domain
> alignment. Alignment is satisfied in either "strict" or "relaxed" mode.
> A DMARC policy record may optionally specify either mode for DKIM
> alignment or SPF alignment or both with the default being "relaxed".
My brain is failing to translate "corresponding organizational domains"
to "sub-domains" properly and what that means for strict vs relaxed.
> For a message to pass DMARC it must meet 1 of 2 requirements.
> 1) It must possess a valid DKIM signature from a domain aligned with the
> From: domain. In strict mode aligned means equal. In relaxed mode
> aligned means the corresponding organizational domains are equal.
> 2) It must pass SPF. SPF works on the domain of the SMTP envelope from.
> Thus for SPF to pass, that domain must publish an SPF record specifying
> the IP of the sending server as a permitted sender. Further, for DMARC
> the envelope from (SPF) domain must align with the From: domain. Again,
> in strict mode aligned means equal. In relaxed mode aligned means the
> corresponding organizational domains are equal.
As I was reading this, I realized that I may have conflated DMARC
reporting with DMARC pass / fail.
> Note that if you are relaying mail, SPF probably will pass for your
> server if the envelope from domain is your server, but it won't align
> with an unmunged From: domain and if it does align because you didn't
> rewrite it, SPF will fail unless the original sending domain publishes
> SPF that permits your server as a sender.
> So the bottom line is as an "unaffiliated" relay without munging From:,
> SPF will never pass for DMARC and DKIM will only pass if you don't
> transform the message in ways that break the From: domain's DKIM signature.
I assume that you're talking about the SMTP envelope from and not the
> There is a remote possibility that the originating domain that publishes
> a DMARC policy relies on SPF and doesn't DKIM sign the message in which
> case, unmunged, relayed mail will almost certainly fail DMARC.
I know someone who is doing exactly that, purely for the purpose of
receiving the feedback reports.
Grant. . . .
unix || die
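
The pass/fail rules quoted in this message, worked through for a relaying list server, as an added Python example that is not part of the original post. All function names and domains are hypothetical, and `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the Public Suffix List that a real implementation would use to find organizational domains.

```python
# Constructed stand-in for the Public Suffix List (assumption, not the real list).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback: treat the last label as the suffix

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' (strict): domains equal; mode 'r' (relaxed): org domains equal."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_pass(from_domain, spf_ok, envelope_domain, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (d= domain, signature verified) pairs.
    Pass if a valid, aligned DKIM signature exists, or SPF passed and is aligned."""
    dkim = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_sigs)
    spf = spf_ok and aligned(envelope_domain, from_domain, aspf)
    return dkim or spf

def relay_scenarios():
    """Constructed case: author at example.com posts via a list at lists.example.org."""
    author, lst = "example.com", "lists.example.org"
    return {
        # List rewrites the envelope: SPF passes for the list but does not align.
        "unmunged, DKIM broken": dmarc_pass(author, True, lst, [(author, False)]),
        "unmunged, DKIM intact": dmarc_pass(author, True, lst, [(author, True)]),
        # Envelope left as the author's domain: SPF fails for the relay's IP.
        "envelope kept, DKIM broken": dmarc_pass(author, False, author, [(author, False)]),
        # From: munged to the list domain: SPF now passes and aligns.
        "From: munged": dmarc_pass(lst, True, lst, [(author, False)]),
        # Originator relies on SPF only (no DKIM signature), relayed unmunged.
        "SPF-only origin, unmunged": dmarc_pass(author, True, lst, []),
    }

if __name__ == "__main__":
    for name, ok in relay_scenarios().items():
        print(f"{name:28} DMARC {'pass' if ok else 'fail'}")
```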