<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 12pt; font-family: Verdana,Geneva,sans-serif'>
<p id="reply-intro">On 15/11/2023 13:59, Dave McGuire wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"><span style="white-space: nowrap;">On 11/14/23 22:03, Noel Butler wrote:</span>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">I would understand if those reports were required for DKIM fail or SPF fail, but missing aligned SPF pass is something common with mailing lists.</blockquote>
<br />You only get them on failures not every message, and no, not all mailing lists fail on DKIM, those who take the time to configure mailman properly should be fine.</blockquote>
<br /> Please pardon me for jumping in. Is there a good reference article for this that you could point me to?<br /><br /><span style="white-space: nowrap;"> Thanks,</span><br /><span style="white-space: nowrap;"> -Dave</span></div>
</blockquote>
<p><span>fo=0: a </span><span>DMARC failure</span><span>/forensic report is sent to you if your email fails both SPF and DKIM alignment - This is the default if unspecified.</span></p>
<p><span>fo=1: a DMARC failure/forensic report is sent to you when your email fails either SPF or DKIM alignment - Contrary to belief of some, no you don't get bombarded with failures, perhaps this is because many don't honour this.</span></p>
<p><span>fo=d: a DKIM failure report is sent if the email’s DKIM signature fails validation, regardless of the alignment</span></p>
<p><span>fo=s: an SPF failure report is sent if the email fails SPF evaluation, irrespective of the alignment.</span></p>
<p><br /></p>
<p><span>fo=1 is in fact the most heavily used, don't take my word for it, do your own homework.</span></p>
<p><br /></p>
<p><span>Forwarding and for all intents and purposes, that includes mailing lists, should rewrite sender and envelope sender addresses, this is what happens with mailman when its settings are checked to do so (sadly, that is NOT default settings), there is also a mailman setting to remove existing DKIM sigs, so when you get the post, you should not see the OP sigs, which should have been verified by the mailing list server upon receipt of that message.</span></p>
<p><span>So it gets it, if it passes, it removes it and adds its own sig details, likewise with SPF, the OP is no longer sending the message, the domain of the list server is, so THAT is the only tests that should be performed.</span></p>
<p><span>Also SPF related, a non mailing list type service that forwards, should receive, test and if pass, rewrite to its domain/hostname to send onto where ever the forward address is, jesus people these things were discovered and addressed a decade ago :)</span></p>
<div> </div>
<div id="signature">-- <br />
<p>Regards,<br />Noel Butler</p>
<table border="1" width="748" cellspacing="0" cellpadding="1">
<tbody>
<tr>
<td style="text-align: left;">
<p><span style="font-size: 9pt;"><span style="font-family: arial,helvetica,sans-serif;">This Email, including attachments, may contain legally privileged information, therefore at all times remains confidential and subject to copyright protected under international law. You may not disseminate this message without the authors express written authority to do so. If you are not the intended recipient, please notify the sender then delete all copies of this message including attachments immediately. Confidentiality, copyright, and legal privilege are not waived or lost by reason of the mistaken delivery of this message.</span></span></p>
</td>
</tr>
</tbody>
</table>
<p><br /></p>
</div>
</body></html>