[ZendTo] A head's up about the mailing list

Mike Brudenell mike.brudenell at york.ac.uk
Fri Nov 11 16:18:30 GMT 2016


Almost, but not quite…

On 11 November 2016 at 11:44, Stewart Campbell <
Stewart.Campbell at pulsion.co.uk> wrote:

> The failing for the ‘on behalf of’ issue is actually DKIM – I checked that
> earlier. Then because there was no SPF record for zend.to and DKIM
> failed, DMARC quarantined the mail.
>

Previously the messages lacked both a valid SPF record and a DKIM-Signature
header. Both being missing meant that Google was flagging list messages
with a red warning question mark.

(If there's no DKIM-Signature header present the receiving site has no way
of knowing whether it should have been there, as the DKIM-Signature header
provides the "d=" and "s=" data to form the DNS name to look up to retrieve
the public key. No DKIM-Signature header = no DNS lookup.)

There's no DMARC policy published for the zend.to domain, so the receiving
site can't apply a DMARC policy/quarantine the incoming message because of
it.


> Now you have set the SPF for zend.to, SPF should pass and DKIM will still
> fail, but this will mean that DMARC will pass. Everything should be ok now.
> Assuming the DNS change has propagated then this email should no longer be
> quarantined.
>

What I'd suggest is:

   1. Correct the SPF record for zend.to to include all of the outgoing
   servers' IP addresses; currently it's missing some.

   2. Add a DKIM signature to messages signed using "d=zend.to"; this will
   help messages get delivered, especially if they're forwarded through a
   non-SRS capable server (which will break the SPF test).

   3. Probably continue not publishing a DMARC record… Creating one would
   have to rely solely on the SPF test passing (which can fail if
   forwarding/other mailing lists are involved).

   You can't get the DMARC-enhanced DKIM test to pass as it requires the
   domain of the DKIM-Signature header to align with the address in the
   "From:" header. As the latter is currently the email address of whichever
   member sent the message to the list they won't align.

DMARC and mailing lists don't play nicely unless the mailing list software
is a recent version and configured to be DMARC friendly. Typically they
rewrite the "From:" header to put the sender's name and address into the
textual name field, then use an address from the mailing list's own domain
in the "From:" header's actual email address. Recent versions of GNU
Mailman etc can do this.

If it's not done then life is going to get… interesting… for people like
myself. We're planning to publish a strict DMARC policy in 2017 saying that
only servers listed in our SPF record or with york.ac.uk DKIM signatures
are authorised to use "@york.ac.uk" addresses in our "From:" headers. As it
stands I'm not sure how that "the zend.to list breaks this requirement"
will fit with "but the list's own SPF details pass as it's using an
'@zend.to' in the envelope MAIL FROM"!

So you might find my posts to the list suddenly start being quarantined.
(OK, who was that cheering!!)

Cheers,
Mike B-)

-- 
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
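
The alignment rule discussed in the message above, worked through as an added example (not part of the original post, and not ZendTo or Mailman code). It evaluates DMARC for a list message as relayed today and again with the "From:" header rewritten to a list address. The mailbox names, the `PUBLIC_SUFFIXES` set (a stand-in for the Public Suffix List) and all function names are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment for a mailing-list message.
# PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"uk", "ac.uk", "co.uk", "to", "com"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_addr, mail_from, spf_pass, dkim_sigs, strict=False):
    """dkim_sigs is a list of (d= domain, signature verified) pairs.
    DMARC passes only if SPF or DKIM passes AND its domain aligns with From:."""
    from_domain = from_addr.rsplit("@", 1)[1]
    spf_ok = spf_pass and aligned(mail_from.rsplit("@", 1)[1], from_domain, strict)
    dkim_ok = any(ok and aligned(d, from_domain, strict) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def demo():
    """Constructed messages: the list relays with an @zend.to envelope sender
    and a d=zend.to signature; both pass on their own in each case."""
    list_auth = dict(mail_from="zendto-bounces@zend.to", spf_pass=True,
                     dkim_sigs=[("zend.to", True)])
    return {
        # From: still carries the member's own address.
        "as_sent": dmarc_result("member@york.ac.uk", **list_auth),
        # From: rewritten to an address in the list's own domain.
        "from_rewritten": dmarc_result("zendto@zend.to", **list_auth),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
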