Hello, So I have very strict DMARC settings on my domain, so I am aware I am going to get a lot of warnings. I have used "include" in my spf record for polarian.dev to allow lists.archlinux.org to redirect emails (because of the mailing list); however, DMARC still fails. In most cases DKIM remains untouched and therefore passes, but in a select few cases the DKIM signature was tampered with according to the reports I have gotten back, which is very strange. I assume this is not lists.archlinux.org's fault, but some people on the list use email proxies which are probably not configured well. DKIM is not the issue though, SPF is. lists.archlinux.org is included, yet spf still fails; upon further inspection it seems lists.archlinux.org uses 2 different IPv4 addresses, but only one is named in the SPF record, thus failing. Does anyone else have these issues with the Arch Linux mailing list? Thanks, Polarian
Dear All, Can't we just go back to the way it was, with [$MAILING_LIST] in the subject line, re-write From: then sign the e-mail on the lists.archlinux.org server? That way DMARC and everyone's mail program could be made happy. Since we do not re-write the Subject: anymore I cannot separate the Arch list e-mail well anymore. Some (mobile) clients cannot mark or file mail as well as desktop clients can and everything ends up in one inbox. Just my 2 cents. Merry Christmas everyone! NTS On Mon, 26 Dec 2022 at 14:18, Polarian <polarian@polarian.dev> wrote:
Hello,
So I have very strict DMARC settings on my domain, so I am aware I am going to get a lot of warnings.
I have used "include" in my spf record for polarian.dev to allow lists.archlinux.org to redirect emails (because of mailing list), however DMARC still fails.
In most cases DKIM remains untouched, therefore passes, but in a select few cases the DKIM signature was tampered with according to the reports I have gotten back, which is very strange, I assume this is not lists.archlinux.org fault but some people on the list use email proxies which are probably not configured well.
DKIM is not the issue though, SPF is.
lists.archlinux.org is included, but yet spf still fails, upon further inspection it seems lists.archlinux.org uses 2 different IPv4 addresses, but only one is named in the SPF record, thus failing.
Does anyone else have these issues with the arch linux mailing list?
Thanks, Polarian
On Mon, Dec 26, 2022 at 05:08:07PM +0000, NTS wrote:
Can't we just go back to the way it was, with [$MAILING_LIST] in the subject line, re-write From: then sign the e-mail on the lists.archlinux.org server? That way DMARC and everyone's mail program could be made happy.
Hopefully not. Rewriting From is a worse experience overall, I want to see the real sender in there. Prefixing the subject is something I absolutely hate. You already have the mailing list in the To and are probably in the folder of the mailing list; it's simply noise that then cuts off parts of the subject I'm interested in due to space constraints.
Since we do not re-write the Subject: anymore I cannot separate the Arch list e-mail well anymore. Some (mobile) clients cannot mark or file mail as well as desktop clients can and everything ends up in one inbox.
Every provider I've ever used, including my crappy ISP one has some sort of server side filter. There's no need to do this ad hoc on mobile.
On 12/26/22 09:18, Polarian wrote:
Hello,
So I have very strict DMARC settings on my domain, so I am aware I am ... snip ...
There was a discussion not long ago on similar topic - may be worth a re-read in tracking this down: https://lists.archlinux.org/archives/list/arch-general@lists.archlinux.org/t...
Hello, Thanks for the suggestion but DKIM is not the problem. I have inspected the DMARC reports and DKIM passes, but it is spf which is failing and causing DMARC to fail. My following spf record should allow lists.archlinux.org but I do not know why it is not working:
v=spf1 ip4:81.111.187.79 include:lists.archlinux.org -all
So I am not sure why spf is failing; because of my strict DMARC, it fails if both DKIM and spf do not pass, and thus I get spammed with DMARC failures because of spf. Any suggestions would be appreciated. Thank you, Polarian
On 12/29/22 11:08, Polarian wrote:
Thanks for the suggestion but DKIM is not the problem, I have inspected
1) You mentioned in your first post: "in a select few cases the DKIM signature was tampered with according to the reports..."
It was that phrase that I wondered if the earlier post on 7 bit mailers may be germane. 2) None of the posts I just looked at show any spf check at all once the message leaves lists.archlinux.org. Headers show archlinux mailer validated spf on your inbound message to archlinux (same for mine) - but the outbound mail I only see dkim (pass) but no spf check at all when message arrives from archlinux. Do you see any SPF in Authentication-Results headers or nothing? I do indeed see lists.archlinux.org has an SPF record and the message does arrive with same IP as spf designated sender - I too am a bit perplexed why no SPF check happens - here anyway. dmarc doesn't fail since dkim passes and spf is silent it seems. I may be slow today but why is there no SPF validation?
Hello, Checking the DMARC reports I have seen right now, the domain passes spf, and the dkim passes, but the ip address fails: 95.217.236.249
The spf record for lists.archlinux.org is:
v=spf1 ip4:95.217.236.249 ip6:2a01:4f9:c010:9eb4::1 ~all
I thought the include keyword includes all the ip addresses stated in the domain's spf record? If so, why am I still failing SPF checks when the ip address lines up? Thanks, Polarian
On 12/29/22 13:00, Polarian wrote:
Hello,
Checking the DMARC reports I have seen right now, the domain passes spf, and the dkim passes, but the ip address fails.
My question is simpler - if you look at email headers of messages in this thread do you see an Authentication-Results header showing any SPF check (pass or fail) in the messages from lists.archlinux.org? i.e. not the check done by archlinux on the mail from you (or me) - but the check from your own mail servers receiving the email from archlinux. I do not see any. Hold off for a moment on how other people's mailers see the same messages and any subsequent reports - just focus on what we see here in mail headers.
On 12/29/22 13:13, Genes Lists wrote:
On 12/29/22 13:00, Polarian wrote:
Also - if a little obvious - these messages are being delivered to me (at a minimum) - and are not failing dmarc (as I said) - they are just not passing dmarc alignment due to no SPF information. If dmarc was failing I would not see your messages at all - obviously.
Hello, That is weird because I keep getting spammed with DMARC failures every single time I post to the arch linux mailing lists. Also as for checking the spf on my mail, I do not currently validate spf on incoming mail, this is a severe issue which I am working on fixing, thus I cannot tell you whether it is passing SPF or not, all I know is it passes DKIM (I checked the DKIM signatures of your emails). Thanks, Polarian
Hello, On Thursday, 29 December 2022 at 18:18 (+0000), Polarian wrote:
That is weird because I keep getting spammed with DMARC failures every single time I post to the arch linux mailing lists.
Every one of your emails to the list has passed SPF and therefore DMARC checks on my mailserver. The latest:
Authentication-Results: lists.archlinux.org; dkim=pass header.d=polarian.dev header.s=polarian header.b=dGFVRS9m; spf=pass (lists.archlinux.org: domain of polarian@polarian.dev designates 81.111.187.79 as permitted sender) smtp.mailfrom=polarian@polarian.dev; dmarc=pass (policy=reject) header.from=polarian.dev
It's possible that some subscribers forward their mail to another address, which I find often results in SPF failures with severity depending on how the forwarding server is configured. Cheers, Jaron
1) I just recalled I whitelisted the arch list mail server as it was completely non-compliant with dkim/dmarc. Since the upgrades and improvements I never 'unwhitelisted' - that's likely why I never saw your SPF check, because I turned it off ... hah.
2) Jaron - your quoted Auth result header is for polarian's mail arriving at archlinux - that one is fine. What about the next one leaving lists.archlinux.org and arriving at your mail server (ip 95.217.236.249)? gene
On Thursday, 29 December 2022 at 13:51 (-0500), Genes Lists wrote:
2) Jaron - your quoted Auth result header is for polarian's mail arriving at archlinux - that one is fine.
What about the next one leaving lists.archlinux.org and arriving at your mail server (ip 95.217.236.249) ?
Whoops, sorry:
Authentication-Results: mail.kent-dobias.com; dkim=pass (1024-bit key; unprotected) header.d=polarian.dev header.i=@polarian.dev header.a=rsa-sha256 header.s=polarian header.b=dGFVRS9m
Authentication-Results: mail.kent-dobias.com; dmarc=pass (p=reject dis=none) header.from=polarian.dev
Authentication-Results: mail.kent-dobias.com; spf=pass smtp.mailfrom=lists.archlinux.org
On Thu, Dec 29, 2022 at 10:51 PM Genes Lists <lists@sapience.com> wrote:
2) Jaron - your quoted Auth result header is for polarian's mail arriving at archlinux - that one is fine.
What about the next one leaving lists.archlinux.org and arriving at your mail server (ip 95.217.236.249) ?
Some of the emails failed DMARC and were marked as spam, but it looks like it's not a problem any more. Maybe the issue was fixed?
Failed, and marked as spam:
Message-ID: <75dfaab5-faa6-cbe1-fd58-86f366cd3c03@polarian.dev>
Subject: Re: PKGBUILD review.
Authentication-Results: mx.google.com; dkim=fail header.i=@polarian.dev header.s=polarian header.b=xshP+GZx; spf=pass (google.com: domain of aur-general-bounces@lists.archlinux.org designates 95.217.236.249 as permitted sender) smtp.mailfrom=aur-general-bounces@lists.archlinux.org; dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=polarian.dev
Authentication-Results: lists.archlinux.org; dkim=pass header.d=polarian.dev header.s=polarian header.b=xshP+GZx; dmarc=pass (policy=reject) header.from=polarian.dev; spf=pass (lists.archlinux.org: domain of polarian@polarian.dev designates 81.111.187.79 as permitted sender) smtp.mailfrom=polarian@polarian.dev
Recent one passed:
Message-ID: <9c14f53f-2d8c-4185-cc32-ac29e40cea43@polarian.dev>
Subject: Re: Dmarc failures
Authentication-Results: mx.google.com; dkim=pass header.i=@polarian.dev header.s=polarian header.b=de14FXAl; spf=pass (google.com: domain of arch-general-bounces@lists.archlinux.org designates 95.217.236.249 as permitted sender) smtp.mailfrom=arch-general-bounces@lists.archlinux.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=polarian.dev
Authentication-Results: lists.archlinux.org; dkim=pass header.d=polarian.dev header.s=polarian header.b=de14FXAl; spf=pass (lists.archlinux.org: domain of polarian@polarian.dev designates 81.111.187.79 as permitted sender) smtp.mailfrom=polarian@polarian.dev; dmarc=pass (policy=reject) header.from=polarian.dev
Hello, This is weird, I have not made any changes to my email server for several months... unless it was a bug with opendkim which was patched or something, I am not sure... I am glad it is working for you currently, but I am still getting reports from yahoo mail and about 14 other mail servers failing due to spf, I have checked the spf record myself and it is valid for lists.archlinux.org so I have no clue why it is still failing. I guess it's hit or miss :/ Thanks, Polarian
Hello, Then this is most likely people not properly setting up their email servers? It does not seem that any large mail servers are flagging me; it is only individual hosts which are reporting it. Thanks for the help, Polarian
On 12/29/22 13:53, Polarian wrote:
Hello,
Then this is most likely people not properly setting up their email servers?
Unclear without knowing more. One possibility as Jaron said earlier, forwarding can be problematic if not done properly. So far everything says arch lists are working fine however. gene
On Thu, Dec 29, 2022 at 12:53 PM Polarian <polarian@polarian.dev> wrote:
It does not seem that any large mail servers are flagging me; it is only individual hosts which are reporting it.
FWIW, Gmail has been flagging you as spam.
Message ID: <FF335562-674C-424F-9F3B-A8AB8283FCC8@polarian.dev>
Created at: Sun, Dec 25, 2022 at 10:46 AM (Delivered after 11 seconds)
From: Polarian <polarian@polarian.dev>
To: arch-general@lists.archlinux.org, David N Murray <dmurray@jsbsystems.com>
Subject: Re: pacstrap complaining about corrupt package
SPF: PASS with IP 95.217.236.249
DKIM: 'FAIL' with domain polarian.dev
DMARC: 'FAIL'
Gmail had not been doing that for me. I don't know if the spam filters for Gmail are different per person. On Thu, Dec 29, 2022, 2:59 PM Jeff Hubbard <jeffmhubbard@gmail.com> wrote:
On Thu, Dec 29, 2022 at 12:53 PM Polarian <polarian@polarian.dev> wrote:
It does not seem that any large mail servers are flagging me; it is only individual hosts which are reporting it.
FWIW, Gmail has been flagging you as spam.
Message ID: <FF335562-674C-424F-9F3B-A8AB8283FCC8@polarian.dev>
Created at: Sun, Dec 25, 2022 at 10:46 AM (Delivered after 11 seconds)
From: Polarian <polarian@polarian.dev>
To: arch-general@lists.archlinux.org, David N Murray <dmurray@jsbsystems.com>
Subject: Re: pacstrap complaining about corrupt package
SPF: PASS with IP 95.217.236.249
DKIM: 'FAIL' with domain polarian.dev
DMARC: 'FAIL'
Hello, Google tends to have quite strict email security, therefore it is no surprise it is marking some of the emails as spam. It's not only dkim and spf they look at, but they analyse the content of each email. If you are running your own mail servers, it is very hard to not be spammed because Google and other large companies all work in collaboration with one another to whitelist each other, but they spam smaller email services. Another example of how protocols designed to be decentralised have been centralised by major companies through making it increasingly difficult to host your own services. I do not know why Google is spamming emails, so I can't help there, but most likely it is just due to an email server being small and thus Google instantly spamming it. Polarian
On Thursday, 29 December 2022 at 19:40 (+0100), Jaron Kent-Dobias wrote:
It's possible that some subscribers forward their mail to another address, which I find often results in SPF failures with severity depending on how the forwarding server is configured.
Possible and true: here's an excerpt of one DMARC report this morning (from yahoo.com):
1 messages matching from mail-yw1-f175.google.com: none (DKIM: ✓ pass; SPF: ✘ fail) From: kent-dobias.com => DKIM: ! kent-dobias.com => SPF: + gmail.com
1 messages matching from mail-pf1-f182.google.com: none (DKIM: ✓ pass; SPF: ✘ fail) From: kent-dobias.com => DKIM: ! kent-dobias.com => SPF: + randomink.org
1 messages matching from mail-pj1-f53.google.com: none (DKIM: ✓ pass; SPF: ✘ fail) From: kent-dobias.com => DKIM: ! kent-dobias.com => SPF: + randomink.org
1 messages matching from mail-yb1-f172.google.com: none (DKIM: ✓ pass; SPF: ✘ fail) From: kent-dobias.com => DKIM: ! kent-dobias.com => SPF: + gmail.com
6 messages matching from lists.archlinux.org: none (DKIM: ✓ pass; SPF: ✘ fail) From: kent-dobias.com => DKIM: ! kent-dobias.com => SPF: + lists.archlinux.org
Lots of SPF fails, many because I do not list lists.archlinux.org as an approved sender, but many also because another mail server delivered the final message. Most mail operators are aware that forwarding is common and breaks SPF, and if DKIM is present and valid tend to ignore the failure or use contextual information to infer if the mail is forwarded or not. I used to have problems using a DMARC hard fail (-all) with some forwarders who break DKIM or fail to implement their own valid SPF (note the "+ domain.tld" SPF records), so I switched to soft fail (~all) to prevent this. Universities tend to be very bad in this regard... Jaron
Hello, just joining in the thread, to see if sending mail to the list from my domain (having "mx -all" in SPF and having DKIM and DMARC configured to my knowledge) will result in any mails from forwarded mails. On 30 December 2022 11:29:34 CET, Jaron Kent-Dobias <jaron@kent-dobias.com> wrote:
I used to have problems using a DMARC hard fail (-all) with some forwarders who break DKIM or fail to implement their own valid SPF (note the "+ domain.tld" SPF records), so I switched to soft fail (~all) to prevent this. Universities tend to be very bad in this regard..
Hello, As far as I am aware, this will only include addresses specified in your mx record(s), thus emails being forwarded by the mailing list will still fail. I cannot check this personally as I am yet to fix my spf validation on my email server, and thus I can only check your dkim signature.
The results from my email server are: dkim=pass
The results from lists.archlinux.org are: spf=pass dkim=pass
Thus I assume you will need to add an include for lists.archlinux.org in order to not fail spf when the email is forwarded to members subscribed to the list: include:lists.archlinux.org
However, despite me having it in my spf record, and testing it against lists.archlinux.org A and AAAA records, I am still getting spf fails even though it shouldn't be failing! Hope this helps, Polarian
Hello, I would rather not soft fail spf as it is still useful to have, but it might be necessary because of how hit or miss spf tends to be. I have included lists.archlinux.org but am still getting reports myself from yahoo.com about failing spf. I do not believe this is an issue on my end, I have inspected emails leaving my mail server and they do have the correct ip address and dkim signature, I assume this is an issue with individual mail servers. University emails are renowned for having issues, many of them use proprietary email servers provided by Microsoft because they are too lazy to maintain their emails, but this is also why they can be so problematic, they tend to set it up and leave it and if it doesn't work properly it is never fixed. It costs universities too much money to concern themselves over it, and when they use the email internally a lot, they don't particularly care. Thank you, Polarian
General comment - I suggest you remove lists.archlinux.org from your spf record. To pass dmarc you only need DKIM to be valid and aligned - spf is not needed. Since passing SPF with SPF alignment also passes DMARC, adding a 3rd party mailing list as a permitted SPF sender is really a bad idea. The reason being that now you can have mail, which has no dkim signature at all, coming solely from that IP that can pass dmarc - even if you didn't send it. This reduces the value of DMARC for your domain. Doing so just gives email carte blanche to a third party for no benefit. I would therefore recommend that you remove lists.archlinux.org from your SPF record - at best it's not needed, at worst you have reduced your email security. Just my view of course. gene
Hello, I guess this is a good idea, however this means you can not have a strict DMARC record like I do now, thus you need to set up the DMARC record to accept a pass of either spf or dkim. However, having valid spf does not instantly mean your emails will not be spammed, dkim takes higher priority, so if you have a strict DMARC record and include lists.archlinux.org in your spf record, it will still be impossible for them to send emails as you, as they will not be able to pass the dkim check and will fail the dmarc validation, and thus will be (most likely) spammed! Thank you, Polarian
On 12/30/22 13:45, Polarian wrote:
Hello,
I guess this is a good idea, however this means you can not have a strict DMARC record like I do now, thus you need to set up the DMARC record to accept a pass of either spf or dkim.
However, having valid spf does not instantly mean your emails will not be spammed, dkim takes higher priority, so if you have a strict DMARC record and include lists.archlinux.org in your spf record, it will still be impossible for them to send emails as you, as they will not be able to pass the dkim check and will fail the dmarc validation, and thus will be (most likely) spammed!
Thank you, Polarian
Are you quite sure that strict DMARC requires dkim? Maybe it's more about how the domain (or subdomain) is treated for establishing alignment when comparing with the signing domain name. May be worth double checking that your thesis that an unsigned mail which is SPF valid and SPF aligned will fail DMARC as you suggest above. gene
Hello, Well it depends, DMARC requires both, but a more strict DMARC will reject all emails which do not pass spf and dkim, furthermore they have strict spf and dkim and must align perfectly. I believe my issue is my DMARC record has strict spf, and thus, spf keeps failing. I am going to change it to relaxed and see if I stop being spammed with spf failures, however keep dkim strict. Emails should always pass both spf and dkim in order to not be spammed, if an email provider allows emails if they only pass spf and fail dkim, then they need to improve their email server. Thus, I am not too worried about having lists.archlinux.org included on my spf record, because they still can't sign emails with dkim and thus should still be spammed/bounced. Thanks, Polarian
On 12/30/22 18:13, Polarian wrote:
Hello,
Well it depends, DMARC requires both, but a more strict DMARC will
You may be right and I could be wrong but I don't think it works that way. Note in particular sections 3.1 and 4.2 of RFC 7489 [1]. The latter reads in part "at least one" (not both):
A message satisfies the DMARC checks if at least one of the supported authentication mechanisms:
1. produces a "pass" result, and
2. produces that result based on an identifier that is in alignment
Anyway - we've drifted a bit off topic from the original dmarc vs mailing list to 'how does dmarc really work'. regards, gene
[1] https://www.rfc-editor.org/rfc/rfc7489
However, when I search this the following result is what I get: "A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment." And I have further proof by analysing the DMARC reports I have got, in which DMARC fails if spf fails... So I am not sure about this one. I believe I will need to put more research into it to find a definite answer. Returning to the original question, what are we meant to do to prevent failing DMARC? Including the domain does not seem to work, so what else is there to do? Thanks, Polarian
On 12/30/22 18:38, Polarian wrote:
"A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment."
Yes that is also correct - and consistent with what it says in 4.2. To fail it must fail both - which is just another way of saying that to pass DMARC - it only needs to pass at least one of SPF and DKIM.
Hm, It seems I have misread it xD This however changes circumstances then, including lists.archlinux.org is NOT a good idea... I say, if you do not want to get DMARC reports, then change the report option in your DMARC record to only send a report if both SPF and DKIM fail. Otherwise, just accept the fact that the mailing list by design will fail spf, thus always ensure your emails are signed with a dkim signature so that you won't get spammed (hopefully). As for getting spammed by Google with dkim valid, I assume this is Google spamming less known email servers, because they are a**holes! Thanks for the help, Polarian
On Fri, Dec 30, 2022 at 11:13:51PM +0000, Polarian wrote:
Hello,
Well it depends, DMARC requires both, but a more strict DMARC will reject all emails which do not pass spf and dkim, furthermore they have strict spf and dkim and must align perfectly.
I believe my issue is my DMARC record has strict spf, and thus, spf keeps failing.
I am going to change it to relaxed and see if I stop being spammed with spf failures, however keep dkim strict.
Emails should always pass both spf and dkim in order to not be spammed, if an email provider allows emails if they only pass spf and fail dkim, then they need to improve their email server.
Thus, I am not too worried about having lists.archlinux.org included on my spf record, because they still can't sign emails with dkim and thus should still be spammed/bounced.
Thanks, Polarian
Hey, I updated my DMARC to a more strict one, from:
_dmarc.kocurkovo.cz. = "v=DMARC1; p=reject; rua=mailto:dmarc+rua@kocurkovo.cz; fo=1"
to:
_dmarc.kocurkovo.cz. = "v=DMARC1; p=reject; rua=mailto:dmarc+rua@kocurkovo.cz; ruf=mailto:dmarc+ruf@kocurkovo.cz; fo=1; aspf=s; adkim=s; pct=100"
Other DNS entries:
kocurkovo.cz. = "v=spf1 mx -all"
mail._domainkey.kocurkovo.cz. = "v=DKIM1; k=rsa; p=[...]"
DMARC would be the same as yours. Thanks, mdujava
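Added example, not code from the thread or from any participant: a small Python evaluator that applies the RFC 7489 section 4.2 rule quoted by Gene above (at least one mechanism passes AND its identifier is aligned) to the Authentication-Results headers posted earlier in this thread, with the alignment modes (aspf/adkim) taken from a DMARC record like the one just above. It shows why an SPF include of lists.archlinux.org in polarian.dev's record cannot rescue list traffic: the receiver evaluates SPF on the list's bounce address, so the SPF identifier is lists.archlinux.org and never aligns with a polarian.dev From header, leaving an intact, aligned DKIM signature as the only way to pass. The organizational-domain helper is a two-label approximation (real checkers use the Public Suffix List), and the two DMARC records at the bottom are constructed.

```python
"""Evaluate DMARC (RFC 7489 section 4.2) over Authentication-Results headers.

Headers below are quoted from this thread; the DMARC records and the
organizational-domain helper are simplified, constructed for the example.
"""
import re

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tags (p, aspf, adkim, ...)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def org_domain(domain):
    # Approximation: the last two labels. Real checkers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(header):
    """Return the SPF result and the DKIM results, each with the domain it authenticated."""
    body = re.sub(r"\([^)]*\)", "", header)  # drop (comments) first: they may contain ';'
    body = body.split(";", 1)[1] if ";" in body else body  # drop the authserv-id
    out = {"spf": None, "dkim": []}
    for clause in body.split(";"):
        clause = " ".join(clause.split())
        # SPF authenticates the envelope sender (smtp.mailfrom), not the From header
        m = re.match(r"spf=(\w+).*?smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        if m:
            out["spf"] = (m.group(1), m.group(2))
            continue
        m = re.match(r"dkim=(\w+).*?header\.[di]=@?([\w.-]+)", clause)
        if m:
            out["dkim"].append((m.group(1), m.group(2)))
    return out

def dmarc_evaluate(header, from_domain, record):
    """Pass needs at least one mechanism that both passes and is aligned with From."""
    tags = parse_dmarc_record(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    ar = parse_auth_results(header)
    spf = ar["spf"]
    spf_ok = spf is not None and spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, adkim) for res, dom in ar["dkim"])
    detail = {"spf": spf, "spf_aligned": spf_ok, "dkim": ar["dkim"],
              "dkim_aligned": dkim_ok, "policy": tags.get("p", "none")}
    return ("pass" if spf_ok or dkim_ok else "fail"), detail

# Quoted from the thread: Gmail's verdicts on two list messages, and the list's own inbound check.
GMAIL_FAIL = ("mx.google.com; dkim=fail header.i=@polarian.dev header.s=polarian header.b=xshP+GZx; "
              "spf=pass (google.com: domain of aur-general-bounces@lists.archlinux.org designates "
              "95.217.236.249 as permitted sender) smtp.mailfrom=aur-general-bounces@lists.archlinux.org; "
              "dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=polarian.dev")
GMAIL_PASS = ("mx.google.com; dkim=pass header.i=@polarian.dev header.s=polarian header.b=de14FXAl; "
              "spf=pass (google.com: domain of arch-general-bounces@lists.archlinux.org designates "
              "95.217.236.249 as permitted sender) smtp.mailfrom=arch-general-bounces@lists.archlinux.org; "
              "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=polarian.dev")
LIST_INBOUND = ("lists.archlinux.org; dkim=pass header.d=polarian.dev header.s=polarian header.b=de14FXAl; "
                "spf=pass (lists.archlinux.org: domain of polarian@polarian.dev designates 81.111.187.79 "
                "as permitted sender) smtp.mailfrom=polarian@polarian.dev")
# Constructed records: strict alignment like mdujava's, and the relaxed default.
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s"
RELAXED_RECORD = "v=DMARC1; p=reject"

if __name__ == "__main__":
    for name, hdr in (("gmail-fail", GMAIL_FAIL), ("gmail-pass", GMAIL_PASS), ("list-inbound", LIST_INBOUND)):
        print(name, dmarc_evaluate(hdr, "polarian.dev", STRICT_RECORD))
```

In the Gmail failure the SPF line is a pass for lists.archlinux.org (the list's own SPF record), yet it contributes nothing to DMARC for polarian.dev; only the broken DKIM signature decides the outcome.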
Am 29.12.22 um 19:17 schrieb Genes Lists:
On 12/29/22 13:13, Genes Lists wrote:
On 12/29/22 13:00, Polarian wrote:
Also - if a little obvious - these messages are being delivered to me (at a minimum) - and are not failing dmarc (as I said) - they are just not passing dmarc alignment due to no SPF information. If dmarc was failing I would not see your messages at all - obviously.
BTW, my server can't send you DMARC reports as 159.69.251.40 gets timeouts on s1.sapience.com and s3.sapience.com. Regards Bjoern
On 12/30/22 07:07, Bjoern Franke wrote:
BTW, my server can't send you DMARC reports as 159.69.251.40 gets timeouts on s1.sapience.com and s3.sapience.com.
Regards Bjoern
So sorry and thanks for letting me know Bjoern. It's most likely that part of hetzner got caught in firewall blocks - probably because naughty agents got caught and were/are in same net-block as yours - I will take a look. Arch uses same service as well. I see scamalytics also has hetzner marked as medium risk so others are seeing bad players on hetzner as well. gene
Hello, I just wanted to add to this thread that it seems very few email servers are now rejecting my DMARC, so maybe this issue is solved? I will remove lists.archlinux.org from my spf record for security reasons and hopefully my DKIM will remain the verification for my DMARC, unless of course that fails, which hopefully it doesn't. If anyone has had my emails spammed, please shoot me an email at polarian@polarian.dev and tell me which email provider you are using (such as gmail, outlook etc) and also include the email headers (including the spam score and the authentication results) so I am able to narrow down the reason for the spam. Thanks to everyone who contributed to this thread, Polarian
participants (11): Bjoern Franke, eNV25, Genes Lists, Jaron Kent-Dobias, Jeff Hubbard, Matthew Blankenbeheler, mdujava, mdujava+aur@kocurkovo.cz, NTS, Polarian, Reto