I've recently implemented DMARC where I work.
Most of the list-servers work just fine, either rewriting the from address or passing my posts unchanged, so they pass DKIM. One of them appears to be a problem, though.
When I look at the DMARC report, the morning after posting to that one List, the traffic shows up as "forwarded," rather than "compliant," "non-compliant," or "threat/unknown," and when I look at the details, I get this:
I don't know whether my traffic is going out to the list or not (though I strongly suspect the latter).
After the first failed test, and after the List owner ignored my email asking for his help, I tried adding an "a:lists.xxxxxxxxxxxx.com" clause to our SPF TXT record; the above screen shot was from a post I sent the day after I added the clause.
Any suggestions on what to try next?
Re: the comment from "Paul," turning enforcement off and getting the headers from one of my own posts might be problematical, but here are the complete headers (edited for privacy) from somebody else's recent post, if that will help:
Delivered-To: [email protected]
Received: by 2002:a2e:3503:0:0:0:0:0 with SMTP id z3csp1496776ljz;
Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy18k71C++zpNe55rLDEJltbevs69VyzzesCMGd/8tPX/qbI0Lac5wkA5469ycwf0wg5iAc
X-Received: by 2002:a9d:80a:: with SMTP id 10mr8226253oty.192.1624643053207;
Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1624643053; cv=none;
d=google.com; s=arc-20160816;
b=uOIgfjalLyaRogOrYH1cvr6kKRXXuTcKTCRtaVZHajEKElKrec+yTJRto4GKcFkfwb
dcAK2/ySO5Q7jwRUOhl82XUfwRkhDEgIrKGwzeLVOMU9ofPaNF3tQcDsSAtphsAqg00C
QRhU/d0jmLe8bUzeL5I2tP9T1QD3LOxeFTJsbrOEv8EGVCyMs/D92Fb4JSh86f934F2Y
3Nw5GU19kNAwAQLS5CZ+fS9PyyQia7Xoh/KH7b6kuSKTKjhSlYzOMbxQd9GUqW92CFdk
LsQ6MYl3vPNEagtKRGr7mOFxFAoDvvi4+She60YTu6m5QKV0Diy96UR7gigtCC7xNu7u
kY/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=sender:errors-to:list-subscribe:list-help:list-post
:list-unsubscribe:list-id:reply-to:precedence:subject
:content-language:in-reply-to:mime-version:user-agent:date
:message-id:from:references:to;
bh=5+f0Tt+6o1VY9gqg/hi3WOfyNITDoc6GvFVfwLx6Rf4=;
b=srIV+BeEvZsdZQbD3Qt9+PC5b0mbHO4IE3858BpLyDtZXULtVSt7mg3PXy6pVSQswV
8TjwWmUbzuXNuK0985BvvPM0k/87iWZ3e+WYcvvieOHol1sXMct3U/nK7wHDgY7kN1X2
GkP/JXBcYx8oP4YANlq2v20J7fTPdMoS3qUJZXO5eDpn2AhFHEFqoekwSdPmZ+yNru92
vl3N18ixf1H+3T4UR/DA9x+6ZrfEFenSlcRxoMOH+MahnNuz6XeYJmIxQZg3g4k7Ud3b
We6EiHf0juIPlmIXVJEOY4uM2LlbbHFkRabpFl6Cg9z8rdzZOT7fP0dP/PuD1K1DvYLX
lLQA==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: best guess record for domain of [email protected] designates aaa.bbb.ccc.ddd as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from mail2.xxxxxxxxxxxx.com (mail2.xxxxxxxxxxxx.com. [aaa.bbb.ccc.ddd])
by mx.google.com with ESMTPS id y13si7142121oih.66.2021.06.25.10.44.12
for <[email protected]>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates aaa.bbb.ccc.ddd as permitted sender) client-ip=aaa.bbb.ccc.ddd;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of [email protected] designates aaa.bbb.ccc.ddd as permitted sender) [email protected]
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
by mail2.xxxxxxxxxxxx.com (8.15.2/8.15.2) with ESMTP id 15PHaLsP072664;
Fri, 25 Jun 2021 13:36:22 -0400 (EDT)
(envelope-from [email protected])
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
by xxxxxxxxxxxx.com (8.14.4/8.14.7) with ESMTP id 15PHbRHQ032311;
Fri, 25 Jun 2021 12:37:28 -0500 (CDT)
(envelope-from [email protected])
X-Mailman-Handler: $Id: mm-handler 5100 2002-04-05 19:41:09Z bwarsaw $
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
by xxxxxxxxxxxx.com (8.14.4/8.14.7) with ESMTP id 15PHbPBf032295
for <[email protected]>;
Fri, 25 Jun 2021 12:37:25 -0500 (CDT)
(envelope-from [email protected])
Received: from grungy.xxxxxxxxxxxx.com (grungymail@localhost)
by xxxxxxxxxxxx.com (8.14.4/8.14.7/Submit) with ESMTP id 15PHbN4m032272
for <[email protected]>;
Fri, 25 Jun 2021 12:37:23 -0500 (CDT)
(envelope-from [email protected])
X-Authentication-Warning: xxxxxxxxxxxx.com: grungymail owned process doing -bs
Received: from [127.0.0.1] (localhost [127.0.0.1])
by grungy.xxxxxxxxxxxx.com (8.15.2/8.15.2) with ESMTP id 15PHbIUc008701
for <[email protected]>;
Fri, 25 Jun 2021 12:37:18 -0500 (CDT)
(envelope-from [email protected])
To: [email protected]
References: <OF1F227294.95B6DA5A-ONC12586FE.002643EF-C12586FE.00272521@zzzzzzzzzzzzzz.it>
<[email protected]>
<OF16B0EB8D.A01226D6-ONC12586FF.0058F2FC-C12586FF.005B0A15@zzzzzzzzzzzzzz.it>
From: Sxxxx Kxxxxxx <[email protected]>
Message-ID: <[email protected]>
Date: Fri, 25 Jun 2021 12:37:19 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <OF16B0EB8D.A01226D6-ONC12586FF.0058F2FC-C12586FF.005B0A15@zzzzzzzzzzzzzz.it>
Content-Language: en-US
X-Spam-Status: No, score=-1.0 required=8.0 tests=ALL_TRUSTED,HTML_MESSAGE
autolearn=unavailable autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
grungy.xxxxxxxxxxxx.com
Subject: Re: [Ftpapi] Rif: Re: Rif: Re: In: Re: In: HTTPAPI - Example 7 -
Upload a file from IFS - No file attached!
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: FTPAPI/HTTPAPI mailing list <[email protected]>
List-Id: FTPAPI/HTTPAPI mailing list <ftpapi.lists.xxxxxxxxxxxx.com>
List-Unsubscribe: <http://xxxxxxxxxxxx.com/mailman/options/ftpapi>,
<mailto:[email protected]?subject=unsubscribe>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]?subject=help>
List-Subscribe: <http://xxxxxxxxxxxx.com/mailman/listinfo/ftpapi>,
<mailto:[email protected]?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1888169630713480664=="
Errors-To: [email protected]
Sender: [email protected]
Looks like they have Mailman 2.1.14, and according to the Mailman wiki, 2.1.16 is the first version supporting DMARC mitigation.
You could use p=quarantine, so at least users can retrieve from spam folders or set local rules. Odds are everyone on that list is already aware of this issue.
If the list has an SPF record, you could use the redirect modifier in your SPF record (e.g., redirect=lists.example.com).
If they don't have an SPF record, you could try using the ip4 mechanism in your SPF record (e.g., ip4:203.0.113.58) with the IP addresses you think they use.
Keep in mind those last two would mean someone else's server can bypass your DMARC record protections, and these records are public, after all.
On DKIM, I'm not sure because there may be a DKIM alignment issue but you didn't include an email with a DKIM signature and the domains are obfuscated.
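Added example (not part of the original question or answer): a minimal DMARC alignment check in Python covering the three list behaviours mentioned in the question (From kept but message modified, From rewritten, message passed unchanged). The domains sender.example, lists.listhost.example and mx.receiver.example and the sample headers are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the
    # organizational domain; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_authres(value):
    # "authserv-id; method=result prop=value; ..." -> (id, [(method, result, props)])
    parts = value.split(";")
    results = []
    for clause in parts[1:]:
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            results.append((m.group(1), m.group(2),
                            dict(re.findall(r"(\w+\.\w+)=(\S+)", clause))))
    return parts[0].strip(), results

def dmarc_result(raw_headers, trusted_id="mx.receiver.example"):
    # DMARC passes only if SPF or DKIM passes for a domain aligned
    # (relaxed mode here) with the visible From: domain.
    msg = message_from_string(raw_headers)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    aligned = []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(value)
        if authserv_id != trusted_id:   # ignore results not stamped by our own MX
            continue
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "spf":
                dom = props.get("smtp.mailfrom", "").rpartition("@")[2]
            elif method == "dkim":
                dom = props.get("header.d", "")
            else:
                continue
            if dom and org_domain(dom) == org_domain(from_dom):
                aligned.append(method)
    return ("pass" if aligned else "fail", aligned)

# Constructed samples (hypothetical domains), one per list behaviour.
def sample(from_hdr, dkim):
    return ("Authentication-Results: mx.receiver.example;\n"
            " spf=pass smtp.mailfrom=mylist-bounces@lists.listhost.example;\n"
            f" dkim={dkim} header.d=sender.example\n"
            f"From: {from_hdr}\n\n")

KEEPS_FROM_BREAKS_DKIM = sample("Author <author@sender.example>", "fail")
REWRITES_FROM = sample("Author via list <mylist@lists.listhost.example>", "fail")
PASSES_UNCHANGED = sample("Author <author@sender.example>", "pass")
```

In the first sample SPF passes for the list's bounce domain rather than the From: domain, so it does not count toward DMARC; only an aligned DKIM signature or a rewritten From: produces a pass.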