According to: https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F
with DMARC mitigation "Messages from the list could pass SPF, DKIM, and DMARC".
My policy is set to "reject" and I can see that messages sent via my own email domain are failing DMARC when passing through the Fedora mailing lists. I have noticed that the same happens for emails sent by other contributors that are using their own email domain (basically anyone that is not sending as <user>@fedoraproject.org (I guess this is obvious tho)).
I can provide examples in the form of raw messages.
I have a feeling that many messages are being marked as spam.
Could you please double check the mitigation?
I will be happy to help troubleshooting.
Edit: I think the bigger problem might be with people that have a "quarantine" and "reject" DMARC policy. If the policy is set to "none" (like most people sets it) then the email will reach the recipient's mailbox anyway.
When you have time
Adding some examples: [<img alt="emails.tar.gz" src="/fedora-infrastructure/issue/raw/files/a0882c16907e0dd26e7d5c383a623566569e890174b9c0744a5ec4432bdbb53f-emails.tar.gz" />]
Metadata Update from @zlopez: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: low-gain, medium-trouble, ops
The attachment doesn't seem to work? Can you try reattaching?
If your policy was set to reject, it should replace your from address with the lists (for devel and users list anyhow). If it's not reject it won't.
Sure, here you go: <img alt="emails.tar.gz" src="/fedora-infrastructure/issue/raw/files/7f434ad78e9ed67fce4dc1f130de260a7603d466fd0f13a3b5c71ddc00e59f0c-emails.tar.gz" />
OK looking at the mails I see the one which passes says:
dkim=pass (1024-bit rsa key sha256) header.d=fedoraproject.org header.i=@fedoraproject.org header.b=eWrT67BM header.a=rsa-sha256 header.s=bastion-iad x-bits=1024; dmarc=pass policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,has-list-id=yes,d=none,d.eval=none) policy.policy-from=p header.from=fedoraproject.org; iprev=pass smtp.remote-ip=38.145.60.11 (bastion-iad01.fedoraproject.org); spf=pass smtp.mailfrom=devel-bounces@lists.fedoraproject.org smtp.helo=bastion.fedoraproject.org;
and the failure is
dkim=none (no signatures found); dmarc=none policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,has-list-id=yes,d=none,d.eval=none) policy.policy-from=p header.from=cgc-instruments.com; iprev=pass smtp.remote-ip=38.145.60.11 (bastion-iad01.fedoraproject.org); spf=pass smtp.mailfrom=devel-bounces@lists.fedoraproject.org smtp.helo=bastion.fedoraproject.org;
so is the issue is that the dkim signature is not added?
I am not a DMARC expert, but it does look like a valid DKIM signature is necessary for DMARC to pass.
By reading the link I have attached on my OP, assuming that you use the 3rd mitigation option, I see that it is necessary to "Add DKIM signature using the mailing list's domain".
I think something in mailman does not seem to be adding the dkim consistently. We are using a very old version of mailman3 and need to update it to a newer version but it is also a major effort.
OK at this point I don't think there is anything more we can do at the time period.
Metadata Update from @smooge: - Issue close_status updated to: Will Not/Can Not fix - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.