[Buildroot] DMARC on this mailing list

[Danilo Bargen <mail@dbrgn.ch>]

Hello folks

I recently enabled report-only DMARC on my e-mail domain. After sending
a few e-mails to this ML yesterday, this resulted in multiple DMARC
would-be rejection e-mails.

DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A
nice tool to visualize this is https://www.learndmarc.com/. If either
SPF or DKIM passes, the e-mail should be accepted.

In the case of mailing lists, the way I understand it, there are two
options:

- Rewrite the "From:" header so that the e-mail appears to be coming
  from the ML itself. Put the original sender e-mail in the "Reply-To"
  header instead. If this is not being done, the sender IP (the mailing
  list) does not match the sender e-mail domain and SPF fails. Note
  that this *might* impact the buildroot ML reputation for some big
  mailservers.
- Expect that mail servers with DMARC enabled also have DKIM enabled,
  and ensure that the e-mail body is not modified (i.e. turn off the
  automatically inserted footer). Put mailing list unsubscribe links
  in the headers instead. This way, even though the sender IP does not
  match, the signature should still be intact.

These approaches are described in the following blog post I found
online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

I don't know if mailman allows turning off body modifications (i.e.
RFC2369 and RFC2919), but it definitely allows "From"-munging:
https://wiki.list.org/DEV/DMARC

I'm still quite new to this mailing list and don't want to put out any
demands, but I wanted to bring up this issue, since it will probably be
more and more of an issue in the future (DMARC adoption is increasing).

Cheers,
Danilo
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot