Amavis and OpenDMARC

Noel Butler noel.butler at ausics.net
Thu Nov 16 03:13:09 CET 2023


On 15/11/2023 13:59, Dave McGuire wrote:

> On 11/14/23 22:03, Noel Butler wrote:
> I would understand if those 
> reports were required for DKIM fail or SPF fail, but missing aligned 
> SPF pass is something common with mailing lists.
> You only get them on failures not every message, and no, not all 
> mailing lists fail on DKIM, those who take the time to configure 
> mailman properly should be fine.
>
>    Please pardon me for jumping in.  Is there a good reference article 
> for this that you could point me to?
>
>                 Thanks,
>                 -Dave

fo=0:  a DMARC failure/forensic report is sent to you if your email 
fails both SPF and DKIM alignment - This is the default if unspecified.

fo=1:  a DMARC failure/forensic report is sent to you when your email 
fails either SPF or DKIM alignment - Contrary to the belief of some, no, 
you don't get bombarded with failures; perhaps this is because many don't 
honour this.

fo=d: a DKIM failure report is sent if the email's DKIM signature fails 
validation, regardless of the alignment

fo=s: an SPF failure report is sent if the email fails SPF evaluation, 
irrespective of the alignment.

fo=1 is in fact the most heavily used; don't take my word for it, do 
your own homework.

Forwarding (and for all intents and purposes, that includes mailing 
lists) should rewrite sender and envelope sender addresses. This is what 
happens with mailman when its settings are checked to do so (sadly, that 
is NOT the default setting). There is also a mailman setting to remove 
existing DKIM sigs, so when you get the post, you should not see the OP's 
sigs, which should have been verified by the mailing list server upon 
receipt of that message.

So it gets it; if it passes, it removes it and adds its own sig details. 
Likewise with SPF: the OP is no longer sending the message, the domain 
of the list server is, so THOSE are the only tests that should be 
performed.

Also SPF related: a non-mailing-list type service that forwards should 
receive, test and, if it passes, rewrite to its domain/hostname to send 
on to wherever the forward address is. Jesus, people, these things were 
discovered and addressed a decade ago :)

-- 
Regards,
Noel Butler

This Email, including attachments, may contain legally privileged 
information, therefore at all times remains confidential and subject to 
copyright protected under international law. You may not disseminate 
this message without the author's express written authority to do so.   
If you are not the intended recipient, please notify the sender then 
delete all copies of this message including attachments immediately. 
Confidentiality, copyright, and legal privilege are not waived or lost 
by reason of the mistaken delivery of this message.
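
The fo= options listed in the message above, as an added example that is not part of the original post: a Python function that reads a DMARC record and returns which failure reports it requests for a given SPF/DKIM outcome. The function names, the record strings and the example.org address are constructed for illustration; the code also assumes the RFC 7489 rules that fo is a colon-separated list and is ignored when the record has no ruf tag.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def failure_reports(record, spf_pass, spf_aligned, dkim_pass, dkim_aligned):
    """Return the set of failure reports ('dmarc', 'dkim', 'spf') requested."""
    tags = parse_dmarc(record)
    if "ruf" not in tags:
        return set()  # nowhere to send failure reports, so fo is ignored

    # fo defaults to "0" when unspecified; several options may be combined.
    options = {o.strip().lower() for o in tags.get("fo", "0").split(":")}

    spf_ok = spf_pass and spf_aligned      # aligned SPF pass
    dkim_ok = dkim_pass and dkim_aligned   # aligned DKIM pass

    reports = set()
    if "0" in options and not spf_ok and not dkim_ok:
        reports.add("dmarc")  # fo=0: both mechanisms lack an aligned pass
    if "1" in options and (not spf_ok or not dkim_ok):
        reports.add("dmarc")  # fo=1: either mechanism lacks an aligned pass
    if "d" in options and not dkim_pass:
        reports.add("dkim")   # fo=d: DKIM validation failed, alignment irrelevant
    if "s" in options and not spf_pass:
        reports.add("spf")    # fo=s: SPF evaluation failed, alignment irrelevant
    return reports


if __name__ == "__main__":
    # Constructed case: a list relays a post without rewriting the From address.
    # SPF passes for the list's own domain (not aligned); the author's DKIM
    # signature survives and is aligned.
    relayed = dict(spf_pass=True, spf_aligned=False,
                   dkim_pass=True, dkim_aligned=True)
    for fo in ("0", "1", "d:s"):
        rec = f"v=DMARC1; p=reject; ruf=mailto:dmarc@example.org; fo={fo}"
        print(fo, sorted(failure_reports(rec, **relayed)))
```

With these constructed inputs only fo=1 requests a report for the relayed message, which is the mailing-list case raised in the quoted text.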