Amavis and OpenDMARC

Dave McGuire mcguire at neurotica.com
Thu Nov 16 03:33:08 CET 2023


On 11/15/23 21:13, Noel Butler wrote:
> On 15/11/2023 13:59, Dave McGuire wrote:
> 
>> On 11/14/23 22:03, Noel Butler wrote:
>>>> I would understand if those reports were required for DKIM fail or 
>>>> SPF fail, but missing aligned SPF pass is something common with 
>>>> mailing lists.
>>>
>>> You only get them on failures not every message, and no, not all 
>>> mailing lists fail on DKIM, those who take the time to configure 
>>> mailman properly should be fine.
>>
>>   Please pardon me for jumping in.  Is there a good reference article 
>> for this that you could point me to?
>>
>>                Thanks,
>>                -Dave
> 
> fo=0:  a DMARC failure/forensic report is sent to you if your email 
> fails both SPF and DKIM alignment - This is the default if unspecified.
> 
> fo=1:  a DMARC failure/forensic report is sent to you when your email 
> fails either SPF or DKIM alignment - Contrary to belief of some, no you 
> don't get bombarded with failures, perhaps this is because many don't 
> honour this.
> 
> fo=d: a DKIM failure report is sent if the email’s DKIM signature fails 
> validation, regardless of the alignment
> 
> fo=s: an SPF failure report is sent if the email fails SPF evaluation, 
> irrespective of the alignment.
> 
> 
> fo=1  is in fact the most heavily used, don't take my word for it, do 
> your own homework.
> 
> 
> Forwarding and for all intents and purposes, that includes mailing 
> lists, should rewrite sender and envelope sender addresses, this is what 
> happens with mailman when its settings are checked to do so (sadly, that 
> is NOT  default settings), there is also a mailman setting to remove 
> existing DKIM sigs, so when you get the post, you should not see the OP 
> sigs, which should have been verified by the mailing list server upon 
> receipt of that message.
> 
> So it gets it, if it passes, it removes it and adds its own sig details, 
> likewise with SPF, the OP is no longer sending the message, the domain 
> of the list server is, so THAT is the only tests that should be performed.
> 
> Also SPF related, a non mailing list type service that forwards, should 
> receive, test and if pass, rewrite to its domain/hostname to send onto 
> wherever the forward address is, jesus people these things were 
> discovered and addressed a decade ago :)

   Thanks for the info.  I know about the fo= settings; the mailing 
lists that I run (using Mailman) are working ok.  Most of the other 
mailing lists that I'm subscribed to that I do not run, though, generate 
lots of DMARC failures.  I'm just trying to see if there's a gap in my 
understanding.

   Again thank you for the description.

               -Dave

-- 
Dave McGuire, AK4HZ
New Kensington, PA
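
The fo= values listed in the quoted reply, worked through as an added example that is not part of the original thread: it follows the fo definitions in RFC 7489 and shows which failure reports each value requests for a list post relayed with the author's From: unchanged. The record, the example.org address and the two sample results are constructed, and whether a given receiver actually sends the report is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    spf_pass: bool                 # SPF evaluation of the envelope sender passed
    spf_aligned: bool              # SPF domain aligns with the From: domain
    dkim_pass: bool                # at least one DKIM signature verified
    dkim_aligned: bool             # a verified signature's d= aligns with From:
    dkim_sig_failed: bool = False  # a signature was present and failed validation

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def requested_reports(txt, a):
    """Return the failure-report types the record's fo= tag asks for."""
    tags = parse_dmarc(txt)
    if "ruf" not in tags:          # fo= has no effect without a ruf= address
        return set()
    opts = {o.strip().lower() for o in tags.get("fo", "0").split(":")}
    spf_ok = a.spf_pass and a.spf_aligned
    dkim_ok = a.dkim_pass and a.dkim_aligned
    reports = set()
    if "0" in opts and not spf_ok and not dkim_ok:
        reports.add("dmarc")       # both mechanisms lack an aligned pass
    if "1" in opts and not (spf_ok and dkim_ok):
        reports.add("dmarc")       # either mechanism lacks an aligned pass
    if "d" in opts and a.dkim_sig_failed:
        reports.add("dkim")        # signature failed, alignment ignored
    if "s" in opts and not a.spf_pass:
        reports.add("spf")         # SPF failed, alignment ignored
    return reports

def record(fo):                    # constructed sample record; example.org is a placeholder
    return f"v=DMARC1; p=none; ruf=mailto:dmarc@example.org; fo={fo}"

# Constructed cases: a list relaying with From: unchanged, so SPF passes for the
# list's own domain but is not aligned with the author's From: domain.
LIST_KEEPS_DKIM = Auth(True, False, True, True)
LIST_BREAKS_DKIM = Auth(True, False, False, False, dkim_sig_failed=True)

if __name__ == "__main__":
    for fo in ("0", "1", "d", "s", "1:d:s"):
        print(fo, requested_reports(record(fo), LIST_KEEPS_DKIM),
              requested_reports(record(fo), LIST_BREAKS_DKIM))
```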


