On 12/8/20 3:43 PM, Per Jessen wrote:
That's not a real argument because MTA admins just began to implement SPF/DKIM/DMARC during the last two years.
This ship has sailed with the continuously growing adoption of DMARC. Like it or not, you have to use munge_from.
Besides, if we were to fiddle with the From: header, the DKIM validation would likely fail.
That's why you also strip old DKIM headers and let your MTA re-sign the new message.
Anyway, isn't this all a bit off topic here on this list?
I agree. Move that to heroes list? Ciao, Michael.
Michael Ströder wrote:
Hmm, I'm not too sure about that estimate. Looking at e.g. our internal SPF whitelist, the earliest entries are eight years old.
Anyway, isn't this all a bit off topic here on this list?
I agree. Move that to heroes list?
Done.
--
Per Jessen, Zürich (1.2°C)
Member, openSUSE Heroes
On 12/8/20 4:04 PM, Per Jessen wrote:
Again: This issue is not caused by SPF alone. IIRC classic SPF checks only covered envelope sender. It's caused by DMARC which mandates checking the From: header. And DMARC adoption is increasingly used for being able to deliver to big players like GMail, Yahoo and Microsoft. As said: This is a moving target anyway and this issue will rather increase instead of going away. Ciao, Michael
Hello, On Tue, 8 Dec 2020, Michael Ströder wrote:
Right, and as DMARC checks the From: header, neither it, nor any of the other signed headers or the body must be changed by the list server, that usually includes Subject. If the list server then doesn't change any of those headers no From: rewriting is necessary, unlike you claimed above. It is merely the alternative to other header-rewriting (or body-rewriting even); if the list server does any of that, then yes, From munging is necessary. Ciao, Michael.
Michael Matz wrote:
The DMARC policy for suse.com was only recently updated to include "subject", but I presume some bigger providers have already been quarantining mails from suse.com addresses since mid-November. Fwiw, the only one that actually notifies the sending MTA is gmail - I see nothing from Microsoft nor Yahoo.
Currently, all we do is add a footer.
--
Per Jessen, Zürich (1.4°C)
Member, openSUSE Heroes
On 12/8/20 6:56 PM, Per Jessen wrote:
Fwiw, the only one that actually notifies the sending MTA is gmail - I see nothing from Microsoft nor Yahoo.
How do you know? For example the postmaster for opensuse.org doesn't get the DMARC reports for my domain. I currently see immediate reports from various domains and aggregated reports also from Yahoo. Maybe I misunderstood you though. Ciao, Michael.
Michael Ströder wrote:
Only from the mail log, where Google's servers say: "250 2.0.0 OK DMARC:Quarantine ...... " I don't see any such report from anyone else. Very useful from Google.
Right - I have no idea what the others do or don't.
--
Per Jessen, Zürich (0.9°C)
Member, openSUSE Heroes
Hello, On Tue, 8 Dec 2020, Per Jessen wrote:
Sure, I merely wanted to refute the claim that From: munging is a necessity of mailing list servers for DMARC reasons (still quoted above).
That's body rewriting and would also invalidate DKIM signatures (if body is included, of course, but it often is), and hence necessitate From munging. Ciao, Michael.
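
Added example, not part of the thread and not written by any of its participants: a small Python check of which DKIM-signed parts a list server's changes touch, which is the condition the messages above give for needing From munging. The message, example.org, the selector and the b= value are constructed placeholders; headers are compared verbatim, the l= tag is ignored and the signature itself is not verified.

```python
import base64, hashlib, re
from email import message_from_string

def body_hash(body, relaxed):
    """SHA-256 bh= value after RFC 6376 simple or relaxed body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if relaxed:  # collapse whitespace runs, drop whitespace at line ends
        lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in lines]
    while lines and lines[-1] == "":  # trailing empty lines are ignored
        lines.pop()
    canon = "".join(l + "\r\n" for l in lines)
    if not canon and not relaxed:  # simple: an empty body hashes as one CRLF
        canon = "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def broken_by_list(original, relayed):
    """Signed parts (h= names or 'body') that differ after the list relayed it.
    Simplifications: headers compared verbatim, l= ignored, b= not verified."""
    orig, new = message_from_string(original), message_from_string(relayed)
    tags = dkim_tags(orig["DKIM-Signature"])
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    changed = [h for h in tags["h"].split(":")
               if (orig.get_all(h) or []) != (new.get_all(h) or [])]
    if body_hash(new.get_payload(), body_canon == "relaxed") != tags["bh"]:
        changed.append("body")
    return changed

# Constructed sample message; d=, s= and b= are placeholders, not real values.
BODY = "Hello list,\n\nsee the patch below.\n"
ORIGINAL = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY, True) + "; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "To: list@lists.example.net\n"
    "Subject: patch review\n"
    "Date: Tue, 08 Dec 2020 15:43:00 +0100\n"
    "\n" + BODY)

if __name__ == "__main__":
    # Relayed variants: List-Id header added, Subject tagged, footer appended
    for relayed in ("List-Id: <list.lists.example.net>\n" + ORIGINAL,
                    ORIGINAL.replace("Subject: ", "Subject: [list] "),
                    ORIGINAL + "-- \nlist footer\n"):
        print(broken_by_list(ORIGINAL, relayed))
```

An empty result means the list left every signed part alone, so the original signature can still validate and the From: header can stay as it is.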
participants (3)
- Michael Matz
- Michael Ströder
- Per Jessen