:: Re: [DNG] Can we fix this DMARC thi…
Pàgina inicial
Delete this message
Reply to this message
Autor: Rick Moen
Data:  
A: dng
Assumpte: Re: [DNG] Can we fix this DMARC thing?
Quoting Adrian Zaugg (devuan.org@???):

> In the DMARC FAQ, Section "Receiver Questions" they say: "If emails from
> mailing lists are important to your users, you may therefore consider to
> apply specific rules for emails coming from mailing lists." [1] This is
> the situation right now with the DNG list: It's up to the people who do
> DMARC checking on the receiving end to not deny mails from the list.


This is terrible advice, and they know it. Moreover, it's particularly
cheeky. Basically, they're saying 'We created SMTP extensions that
break mailing lists if a sending domain sets p=reject or p=quarantine
in their policies, so we recommend as a remedy that any domain that
thinks it might receive mail relayed through a mailing list set up
whitelisting to compensate for the breakage we created.'

> Their tips on operating a compatible mailing list is not satisfying, all
> listed solutions [2] have "Cons". The best option in my opinion is to
> follow 3.C.


The best option is to ignore what the DMARC people recommend, and do
what the mailing list people recommend.

Which is -- mirabile dictu! -- what Devuan Project and innumerable other
operations supporting mailing lists have done.


> This could be achieved with an ARC seal [3].


'Our SMTP extensions break mailing lists if a sending domain sets
p=reject or p=quarantine in their policies, so we recommend as a remedy
that the mailing list server, when getting ready to forward and
retransmit the mail, do a complicated workaround where the mailing list
server attests on its own to the original version's DMARC validation,
and then _if_ and only if the end-receiving servers implement
DMARC-crutch experimental SMTP extensions to do so, they can choose to
believe the secondary attestation and let the mail through.'

I'm not even going to bother articulating my view on that.



The exim-user

> What might be wrong with vm6.ganeti.dyne.org is its ability to check
> DKIM signatures.


Nope.