Hi,

On Mon, Jul 21, 2025 at 09:10:08AM -0400, rhkra...@gmail.com wrote:
> (Extra points for anybody who can craft a somewhat similar simple explanation
> of DMARC.)

This whole topic is quite convoluted and only really relevant to the tiny numbers of us who run our own mail servers. Everyone using an email service provider (ESP) would normally expect their ESP to handle it all, maybe after some setup on their side if they use a custom domain.

DMARC is about communicating what the "responsible" sending domain would like recipient servers to do about failures of DKIM and SPF. Strictly speaking according to the DMARC RFC, if *either* of SPF or DKIM pass then this is considered a DMARC pass. In practice, some mail systems have been known to take DMARC-related actions if only one or the other fails. The DMARC entry in the DNS says if the sender domain would like for failed messages to be rejected or quarantined. DMARC is just advisory and any system can do what it likes with mail it receives, so accepting things that the sender wanted rejected is still compliant if the receiving server wants. Of more concern are receiving systems that decide to reject even when the sender wanted quarantine. What "quarantine" means is also not defined by DMARC and is a local decision for the receiving system.

Note that an email can have multiple DKIM signatures, and this one probably does. Any mail server in the path can add a DKIM signature and lists.debian.org does add one. The purpose of this is to make an assertion about the contents of the email *at the point that the given mail server saw it*. For DMARC purposes, it looks for something called "alignment". This just means that it wants a DKIM signature from the same domain that is in the From: header. I.e., for this email, it wants one from strugglers.net and will ignore others such as the one from lists.debian.org. That makes sense as you would expect that if an email is alleged to come from an address at example.org then it is the DKIM public key in the DNS for example.org that should be consulted, not any other key+signature that may be present.

For SPF there is only ever one DNS entry that is looked for and that is inside the DNS zone for the *envelope sender*. The envelope sender of this email will be one at lists.debian.org, so it's Debian's SPF record that will be checked. The list mail should get an SPF pass because it really does come from Debian's infrastructure. Some Debian list email will fail DKIM due to overzealous choice of headers¹ to sign on the part of the sender — the list software adds a few headers and some people sign [even the non-existence of] these headers. But all real Debian list email should pass SPF, and so that pass alone should result in a DMARC pass.

Thanks,
Andy

¹ I'm not sure if it's still true but a couple of years ago the default configuration of the default MTA in Debian (exim4) would sign an excessive set of headers beyond what is recommended in the DKIM RFC, if DKIM signing was enabled.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
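As an added example (not part of Andy's message or of any Debian list software), a small Python checker that applies DMARC's alignment rule to a message carrying several DKIM signatures: the From: domain is compared, in relaxed or strict mode, against each DKIM d= domain and against the SPF envelope-sender domain, and only an aligned pass counts. Assumptions: headers are already unfolded, signature verification and the SPF lookup have been done elsewhere and their results are passed in, and the organisational domain is approximated by the last two labels rather than via the Public Suffix List.

```python
import re

# Constructed sample headers (not from the thread), modelled on its situation: a From:
# at strugglers.net relayed via lists.debian.org, which adds a second DKIM signature.
SAMPLE_HEADERS = """\
From: Andy <andy@strugglers.net>
To: debian-user@lists.debian.org
DKIM-Signature: v=1; a=rsa-sha256; d=lists.debian.org; s=x; h=from:to; bh=...; b=...
DKIM-Signature: v=1; a=rsa-sha256; d=strugglers.net; s=x; h=from:to; bh=...; b=...
"""

def org_domain(domain):
    """Organisational domain, approximated as the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(ident, from_dom, mode="r"):
    """DMARC identifier alignment: strict ('s') wants an exact match,
    relaxed ('r') only the same organisational domain."""
    if mode == "s":
        return ident.lower() == from_dom.lower()
    return org_domain(ident) == org_domain(from_dom)

def from_domain(headers):
    """Domain of the RFC5322.From address, the identifier DMARC aligns against."""
    m = re.search(r"^From:[^\n]*?@([\w.-]+)", headers, re.M | re.I)
    return m.group(1).lower() if m else None

def dkim_signing_domains(headers):
    """d= tag of every DKIM-Signature header; a message may carry several."""
    return [d.lower() for d in
            re.findall(r"^DKIM-Signature:[^\n]*?\bd=([^;\s]+)", headers, re.M | re.I)]

def dmarc_evaluate(headers, envelope_domain, spf_result, verified_dkim,
                   adkim="r", aspf="r"):
    """Return (result, reason). verified_dkim holds the d= domains whose signature
    actually verified (verification is done elsewhere). Only an ALIGNED pass counts:
    an SPF pass for an unaligned envelope sender does not by itself yield DMARC pass."""
    fd = from_domain(headers)
    if fd is None:
        return "fail", "no From: domain"
    for d in dkim_signing_domains(headers):
        if d in verified_dkim and aligned(d, fd, adkim):
            return "pass", "aligned DKIM signature from " + d
    if spf_result == "pass" and aligned(envelope_domain, fd, aspf):
        return "pass", "aligned SPF pass for " + envelope_domain
    return "fail", "no aligned authenticated identifier for " + fd
```

Running it with both signatures verified gives a pass via the strugglers.net signature; if that signature breaks in transit (for example, because a signed header was altered by the list), the remaining lists.debian.org signature and the SPF pass for lists.debian.org are both unaligned and the result is a DMARC fail.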