[talk-ch] DMARC on talk-ch

Danilo mail at dbrgn.ch
Tue Feb 15 23:09:17 CET 2022


Hello folks

I recently enabled report-only DMARC on my e-mail domain. After sending an e-mail to this ML recently, this resulted in multiple DMARC would-be rejection e-mails.

DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A nice tool to visualize this is https://www.learndmarc.com/. If either SPF or DKIM passes, the e-mail should be accepted.

In the case of mailing lists, the way I understand it, there are two options:

- Rewrite the "From:" header so that the e-mail appears to be coming
  from the ML itself. Put the original sender e-mail in the "Reply-To"
  header instead. If this is not being done, the sender IP (the mailing
  list) does not match the sender e-mail domain and SPF fails. Note
  that this *might* impact the ML reputation for some big
  mailservers.
- Expect that mail servers with DMARC enabled also have DKIM enabled,
  and ensure that the e-mail body is not modified (i.e. turn off the
  automatically inserted footer). Put mailing list unsubscribe links
  in the headers instead. This way, even though the sender IP does not
  match, the signature should still be intact.

These approaches are described in the following blog post I found online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

I don't know if mailman allows turning off body modifications (i.e. RFC2369 and RFC2919), but it definitely allows "From"-munging: https://wiki.list.org/DEV/DMARC

This will probably be more and more of an issue in the future (DMARC adoption is increasing), so it might be worthwhile to fix.

Cheers,
Danilo
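
The two options from the message above, modelled as an added example (not part of the original post and not Mailman code): it computes the DKIM body hash with RFC 6376 "relaxed" canonicalization and applies the DMARC "aligned SPF or aligned DKIM" rule to a list-relayed copy. The domains `author.example` and `lists.example`, the message and footer, the two-label `org_domain` shortcut, and the assumption that the list uses its own envelope sender and leaves signed headers untouched are all constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":   # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def body_hash(body: bytes) -> str:
    """Value a signer puts in the bh= tag (sha256 over the relaxed body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def org_domain(domain: str) -> str:
    # Simplification: real evaluators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_pass(from_domain, spf_ok, spf_domain, dkim_ok, dkim_domain) -> bool:
    """DMARC passes if SPF *or* DKIM passes for a domain aligned with From:."""
    aligned = lambda d: org_domain(d) == org_domain(from_domain)
    return (spf_ok and aligned(spf_domain)) or (dkim_ok and aligned(dkim_domain))

def via_list(from_domain, signed_bh, delivered_body,
             dkim_domain="author.example", list_domain="lists.example") -> bool:
    """Verdict at a subscriber's server for a copy relayed by the list."""
    # Assumption: the list relays from its own IP with its own envelope sender,
    # so SPF passes, but for list_domain. Signed headers are assumed unchanged,
    # so the DKIM result depends only on the body hash.
    dkim_ok = body_hash(delivered_body) == signed_bh
    return dmarc_pass(from_domain, True, list_domain, dkim_ok, dkim_domain)

# Constructed sample message and list footer.
BODY = b"Hello folks\r\n\r\nDMARC question below.\r\n"
FOOTER = b"_______________\r\ntalk mailing list\r\n"
BH = body_hash(BODY)   # what the author's server signed

def scenarios() -> dict:
    return {
        "footer added, From: unchanged": via_list("author.example", BH, BODY + FOOTER),
        "footer added, From: rewritten": via_list("lists.example", BH, BODY + FOOTER),
        "body untouched, From: unchanged": via_list("author.example", BH, BODY),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: DMARC {'pass' if ok else 'fail'}")
```

In the rewritten-From case the pass is evaluated against the list domain's own DMARC policy, not the author's.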

