On 10/26/25 12:01 PM, Marco Moock wrote:
> On 25.10.2025 22:50 Uhr monodev wrote:
>> On 10/25/25 9:28 PM, Marco Moock wrote:
>>> If a mailing list doesn't rewrite the MAIL FROM, SPF will fail and bounces (IIRC if subscribers have full inbox, deleted addresses etc.) will go to the original sender of the message.
>>
>> This mailing list does rewrite the envelope from, but the DMARC reports I receive after posting here -- from providers both big (gmail, outlook, hotmail) and small -- still universally report SPF failures.
>
> That is rather interesting. Is it known why SPF fails in that case?

When I look at the source for your email I find the domain "dorfdsl.de" referenced in the following headers:

- From
- Message-ID
- List-Archive
- Authentication-Results
- References

The latter three wouldn't make much sense, and Authentication-Results looks to be added by my setup through analyzing the From header. They definitely are not using Message-ID, because postfix-users does not change that, and does not have this issue. So it looks like they're looking at header from for SPF, strangely enough.

I think most small mail providers use either rspamd or Mail::DMARC to generate those reports, so their developers likely have better insight into this.

>> It looks like doing that, using ARC, and adding a reply-to header for off-list communication is the most standards compliant setup. Not sure how many mailing lists actually do that though, let alone mail providers configuring their setup to work correctly with it (as stated mine definitely doesn't, ignores ARC and reports broken DKIM).
>
> There are also lists that rewrite both envelope from and from, so the original domain isn't present. That fixes the DMARC issues.

Then again, from what I've read over the last 24 hours, ARC also has its own problems, and certain mail services have opted to ignore it altogether as it can also be faked... So maybe, instead of ARC, getting rid of the original DKIM signature and re-signing the mail might be a good idea?

At any rate, email is complex, and not even this list seems to be applying the authentication aspects of it correctly. Hence looping back to my original idea of email perhaps not being too suitable for the public forum use case.

Cheers, monodev
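
An added example, not part of the thread or of any list software: it applies DMARC identifier alignment (RFC 7489) to the three list behaviours discussed above, where an SPF or DKIM pass only counts if the authenticated domain aligns with the header From domain. All domains and results are constructed samples, and `org_domain` is a simplification (real implementations use the Public Suffix List).

```python
# Added illustration; every domain and result below is a constructed sample.
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    """Naive organizational domain: the last two labels.
    Assumption for this example; real code consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains, strict compares FQDNs."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class Delivery:
    header_from: str    # domain in the From: header (what DMARC keys on)
    envelope_from: str  # domain in MAIL FROM (what SPF actually checks)
    spf_result: str     # raw SPF result for envelope_from
    dkim: list          # [(d= domain, verification result), ...]

def dmarc_eval(m: Delivery) -> dict:
    """Return the aligned SPF/DKIM results and the DMARC verdict."""
    spf_ok = m.spf_result == "pass" and aligned(m.envelope_from, m.header_from)
    dkim_ok = any(r == "pass" and aligned(d, m.header_from) for d, r in m.dkim)
    return {"spf": "pass" if spf_ok else "fail",
            "dkim": "pass" if dkim_ok else "fail",
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

SCENARIOS = {
    # List rewrites MAIL FROM only and modifies the body (author DKIM breaks).
    "envelope rewritten, body modified": Delivery(
        "author.example", "lists.list.example", "pass",
        [("author.example", "fail"), ("list.example", "pass")]),
    # List rewrites both MAIL FROM and the From: header, then signs itself.
    "envelope and From rewritten": Delivery(
        "list.example", "lists.list.example", "pass",
        [("list.example", "pass")]),
    # List rewrites MAIL FROM but leaves the signed content untouched.
    "envelope rewritten, message untouched": Delivery(
        "author.example", "lists.list.example", "pass",
        [("author.example", "pass")]),
}

if __name__ == "__main__":
    for name, m in SCENARIOS.items():
        print(f"{name}: {dmarc_eval(m)}")
```
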