Re: [Buildroot] DMARC on this mailing list

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Danilo Bargen <mail@dbrgn.ch>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] DMARC on this mailing list
Date: Mon, 17 Jan 2022 11:24:50 +0100	[thread overview]
Message-ID: <20220117102450.GC2313964@scaer> (raw)
In-Reply-To: <20220117105017.28d6aacc@c3po>

Danilo, All,

On 2022-01-17 10:50 +0100, Danilo Bargen spake thusly:
> I recently enabled report-only DMARC on my e-mail domain. After sending
> a few e-mails to this ML yesterday, this resulted in multiple DMARC
> would-be rejection e-mails.

DMARC has bitten us in the recent past (1.5 year or so...)

> DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A
> nice tool to visualize this is https://www.learndmarc.com/. If either
> SPF or DKIM passes, the e-mail should be accepted.
> 
> In the case of mailing lists, the way I understand it, there are two
> options:
> 
> - Rewrite the "From:" header so that the e-mail appears to be coming
>   from the ML itself. Put the original sender e-mail in the "Reply-To"
>   header instead. If this is not being done, the sender IP (the mailing
>   list) does not match the sender e-mail domain and SPF fails. Note
>   that this *might* impact the buildroot ML reputation for some big
>   mailservers.

This is exactly what is going on. You can check for example on the
archives:
    https://lore.kernel.org/buildroot/20220115101415.986123F41E@exit1-us.msgsafe.io/

> - Expect that mail servers with DMARC enabled also have DKIM enabled,
>   and ensure that the e-mail body is not modified (i.e. turn off the
>   automatically inserted footer). Put mailing list unsubscribe links
>   in the headers instead. This way, even though the sender IP does not
>   match, the signature should still be intact.
> 
> These approaches are described in the following blog post I found
> online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
> 
> I don't know if mailman allows turning off body modifications (i.e.
> RFC2369 and RFC2919), but it definitely allows "From"-munging:
> https://wiki.list.org/DEV/DMARC

Yeah, this is what is being done on this list...

Regards,
Yann E. MORIN.

> I'm still quite new to this mailing list and don't want to put out any
> demands, but I wanted to bring up this issue, since it will probably be
> more and more of an issue in the future (DMARC adoption is increasing).
> 
> Cheers,
> Danilo
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot