
Re: DMARC



On Sat, Jul 10, 2021 at 05:45:08AM -0400, Polyna-Maude Racicot-Summerside wrote:
> > On Sat, Jul 10, 2021 at 12:20:24AM -0400, Polyna-Maude Racicot-Summerside wrote:
> >> I receive the following regarding messages sent on the mailing list...
> > 
> > A usual DMARC report, and you receive that because your domain has a DMARC
> > policy set that way - it's a TXT record _dmarc.polynamaude.com.
> > 
> > BTW - why have you set "p=none" there?
> > 
> I'll go read my notes, but from memory I don't remember what
> p=none does.

Basically you agree that each and every MTA on the Internet can send an
e-mail from @polynamaude.com, and it does not have to be *your* e-mail.
With p=none you might as well remove your SPF. p=quarantine, on the
other hand, at least does something positive.


> > 2) The fact that your DKIM policy is unnecessarily strict, because your
> > mails to this list routinely fail to verify DKIM.
> > 
> What do you mean by unnecessarily strict?

The MTA that you're using signs these headers:

> Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:Cc:References:To:From:Subject:Sender:Reply-To:
>         Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
>         Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
>         List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

Of those at least these headers are modified by the list software:

>         Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
>         List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

Thus each and every e-mail you send to this list will fail the DKIM
check. Also see my reply in your other thread.


> > 3) The fact that your SPF policy is failing, probably because your SPF
> > does not designate bendel.d.o as a permitted sender on your behalf.
> > 
> Oh, I could simply add bendel.d.o and it would work?

Not immediately. Your SOA record has a TTL of 1 hour, so changing your DNS
records (second-level domain, misconfigured DNS taken into account)
can take 2 hours at worst to be reflected for everyone.

Reco
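
As an added example (not part of the original message or any project's code): a small Python check that reads the `h=` tag of a DKIM-Signature header and reports which signed fields are among those the reply lists as modified by the list software, and that reads the `p=` tag of a DMARC record with the same tag-list parser. The sample signature, selector, `example.org` domain and DMARC record are constructed placeholders.

```python
import re

# Header fields the reply above lists as modified by the list software.
LIST_TOUCHED = {
    "resent-from", "resent-sender", "resent-to", "resent-cc",
    "resent-message-id", "list-id", "list-help", "list-unsubscribe",
    "list-subscribe", "list-post", "list-owner", "list-archive",
}

def parse_tag_list(value):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM-Signature and DMARC."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # split on the first '=' only
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def fragile_signed_headers(dkim_value):
    """Return signed header names (h= tag) that the list software rewrites."""
    h = parse_tag_list(dkim_value).get("h", "")
    signed = [f.strip().lower() for f in h.split(":") if f.strip()]
    return [f for f in signed if f in LIST_TOUCHED]

def dmarc_policy(txt_record):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = parse_tag_list(txt_record)
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

# Constructed sample values: domain, selector, bh= and b= are placeholders.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
    "\th=Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:Cc:References:\r\n"
    "\t To:From:Subject:Sender:Reply-To:Resent-From:Resent-To:List-Id:\r\n"
    "\t List-Unsubscribe:List-Post; bh=PLACEHOLDER=; b=PLACEHOLDER="
)
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:reports@example.org"

if __name__ == "__main__":
    print("signed but list-modified:", fragile_signed_headers(SAMPLE_DKIM))
    print("DMARC policy:", dmarc_policy(SAMPLE_DMARC))
```

An empty result from `fragile_signed_headers` means none of the signed fields are in the list-modified set named in the message; it does not check the body hash or the signature itself.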

