
I've recently implemented DMARC where I work.

Most of the list-servers work just fine, either rewriting the from address or passing my posts unchanged, so they pass DKIM. One of them appears to be a problem, though.

When I look at the DMARC report, the morning after posting to that one List, the traffic shows up as "forwarded," rather than "compliant," "non-compliant," or "threat/unknown," and when I look at the details, I get this: [DMARC report screen shot]

I don't know whether my traffic is going out to the list or not (though I strongly suspect the latter).

After the first failed test, and after the List owner ignored my email asking for his help, I tried adding an "a:lists.xxxxxxxxxxxx.com" clause to our SPF TXT record; the above screen shot was from a post I sent the day after I added the clause.

Any suggestions on what to try next?

Re: the comment from "Paul," turning enforcement off and getting the headers from one of my own posts might be problematical, but here are the complete headers (edited for privacy) from somebody else's recent post, if that will help:

Delivered-To: jamesl@yyyyyyyyyyyyy.com
Received: by 2002:a2e:3503:0:0:0:0:0 with SMTP id z3csp1496776ljz;
        Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy18k71C++zpNe55rLDEJltbevs69VyzzesCMGd/8tPX/qbI0Lac5wkA5469ycwf0wg5iAc
X-Received: by 2002:a9d:80a:: with SMTP id 10mr8226253oty.192.1624643053207;
        Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1624643053; cv=none;
        d=google.com; s=arc-20160816;
        b=uOIgfjalLyaRogOrYH1cvr6kKRXXuTcKTCRtaVZHajEKElKrec+yTJRto4GKcFkfwb
         dcAK2/ySO5Q7jwRUOhl82XUfwRkhDEgIrKGwzeLVOMU9ofPaNF3tQcDsSAtphsAqg00C
         QRhU/d0jmLe8bUzeL5I2tP9T1QD3LOxeFTJsbrOEv8EGVCyMs/D92Fb4JSh86f934F2Y
         3Nw5GU19kNAwAQLS5CZ+fS9PyyQia7Xoh/KH7b6kuSKTKjhSlYzOMbxQd9GUqW92CFdk
         LsQ6MYl3vPNEagtKRGr7mOFxFAoDvvi4+She60YTu6m5QKV0Diy96UR7gigtCC7xNu7u
         kY/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=sender:errors-to:list-subscribe:list-help:list-post
         :list-unsubscribe:list-id:reply-to:precedence:subject
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to;
        bh=5+f0Tt+6o1VY9gqg/hi3WOfyNITDoc6GvFVfwLx6Rf4=;
        b=srIV+BeEvZsdZQbD3Qt9+PC5b0mbHO4IE3858BpLyDtZXULtVSt7mg3PXy6pVSQswV
         8TjwWmUbzuXNuK0985BvvPM0k/87iWZ3e+WYcvvieOHol1sXMct3U/nK7wHDgY7kN1X2
         GkP/JXBcYx8oP4YANlq2v20J7fTPdMoS3qUJZXO5eDpn2AhFHEFqoekwSdPmZ+yNru92
         vl3N18ixf1H+3T4UR/DA9x+6ZrfEFenSlcRxoMOH+MahnNuz6XeYJmIxQZg3g4k7Ud3b
         We6EiHf0juIPlmIXVJEOY4uM2LlbbHFkRabpFl6Cg9z8rdzZOT7fP0dP/PuD1K1DvYLX
         lLQA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of ftpapi-bounces@lists.xxxxxxxxxxxx.com designates aaa.bbb.ccc.ddd as permitted sender) smtp.mailfrom=ftpapi-bounces@lists.xxxxxxxxxxxx.com
Return-Path: <ftpapi-bounces@lists.xxxxxxxxxxxx.com>
Received: from mail2.xxxxxxxxxxxx.com (mail2.xxxxxxxxxxxx.com. [aaa.bbb.ccc.ddd])
        by mx.google.com with ESMTPS id y13si7142121oih.66.2021.06.25.10.44.12
        for <jamesl@yyyyyyyyyyyyy.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of ftpapi-bounces@lists.xxxxxxxxxxxx.com designates aaa.bbb.ccc.ddd as permitted sender) client-ip=aaa.bbb.ccc.ddd;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of ftpapi-bounces@lists.xxxxxxxxxxxx.com designates aaa.bbb.ccc.ddd as permitted sender) smtp.mailfrom=ftpapi-bounces@lists.xxxxxxxxxxxx.com
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
    by mail2.xxxxxxxxxxxx.com (8.15.2/8.15.2) with ESMTP id 15PHaLsP072664;
    Fri, 25 Jun 2021 13:36:22 -0400 (EDT)
    (envelope-from ftpapi-bounces@lists.xxxxxxxxxxxx.com)
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
    by xxxxxxxxxxxx.com (8.14.4/8.14.7) with ESMTP id 15PHbRHQ032311;
    Fri, 25 Jun 2021 12:37:28 -0500 (CDT)
    (envelope-from ftpapi-bounces@lists.xxxxxxxxxxxx.com)
X-Mailman-Handler: $Id: mm-handler 5100 2002-04-05 19:41:09Z bwarsaw $
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
    by xxxxxxxxxxxx.com (8.14.4/8.14.7) with ESMTP id 15PHbPBf032295
    for <ftpapi@lists.xxxxxxxxxxxx.com>;
    Fri, 25 Jun 2021 12:37:25 -0500 (CDT)
    (envelope-from sk@xxxxxxxxxxxx.com)
Received: from grungy.xxxxxxxxxxxx.com (grungymail@localhost)
    by xxxxxxxxxxxx.com (8.14.4/8.14.7/Submit) with ESMTP id 15PHbN4m032272
    for <ftpapi@lists.xxxxxxxxxxxx.com>;
    Fri, 25 Jun 2021 12:37:23 -0500 (CDT)
    (envelope-from sk@xxxxxxxxxxxx.com)
X-Authentication-Warning: xxxxxxxxxxxx.com: grungymail owned process doing -bs
Received: from [127.0.0.1] (localhost [127.0.0.1])
    by grungy.xxxxxxxxxxxx.com (8.15.2/8.15.2) with ESMTP id 15PHbIUc008701
    for <ftpapi@lists.xxxxxxxxxxxx.com>;
    Fri, 25 Jun 2021 12:37:18 -0500 (CDT)
    (envelope-from sk@xxxxxxxxxxxx.com)
To: ftpapi@lists.xxxxxxxxxxxx.com
References: <OF1F227294.95B6DA5A-ONC12586FE.002643EF-C12586FE.00272521@zzzzzzzzzzzzzz.it>
    <5a74b5da-9452-0615-2d26-632cdf82a6d7@xxxxxxxxxxxx.com>
    <OF16B0EB8D.A01226D6-ONC12586FF.0058F2FC-C12586FF.005B0A15@zzzzzzzzzzzzzz.it>
From: Sxxxx Kxxxxxx <sk@xxxxxxxxxxxx.com>
Message-ID: <72ba4aa9-32f6-3c86-988b-b3c604d0b367@xxxxxxxxxxxx.com>
Date: Fri, 25 Jun 2021 12:37:19 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
    Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <OF16B0EB8D.A01226D6-ONC12586FF.0058F2FC-C12586FF.005B0A15@zzzzzzzzzzzzzz.it>
Content-Language: en-US
X-Spam-Status: No, score=-1.0 required=8.0 tests=ALL_TRUSTED,HTML_MESSAGE
    autolearn=unavailable autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
    grungy.xxxxxxxxxxxx.com
Subject: Re: [Ftpapi] Rif: Re: Rif: Re: In: Re: In: HTTPAPI - Example 7 -
 Upload a file from IFS - No file attached!
X-BeenThere: ftpapi@lists.xxxxxxxxxxxx.com
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: FTPAPI/HTTPAPI mailing list <ftpapi@lists.xxxxxxxxxxxx.com>
List-Id: FTPAPI/HTTPAPI mailing list <ftpapi.lists.xxxxxxxxxxxx.com>
List-Unsubscribe: <http://xxxxxxxxxxxx.com/mailman/options/ftpapi>,
    <mailto:ftpapi-request@lists.xxxxxxxxxxxx.com?subject=unsubscribe>
List-Post: <mailto:ftpapi@lists.xxxxxxxxxxxx.com>
List-Help: <mailto:ftpapi-request@lists.xxxxxxxxxxxx.com?subject=help>
List-Subscribe: <http://xxxxxxxxxxxx.com/mailman/listinfo/ftpapi>,
    <mailto:ftpapi-request@lists.xxxxxxxxxxxx.com?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1888169630713480664=="
Errors-To: ftpapi-bounces@lists.xxxxxxxxxxxx.com
Sender: ftpapi-bounces@lists.xxxxxxxxxxxx.com
hbquikcomjamesl
  • I think it helps more if you can see headers from the list server. You might try setting `p=none` and then look at the headers. – Paul Jun 28 '21 at 16:26

1 Answer


Looks like they have Mailman 2.1.14, and according to the Mailman wiki, 2.1.16 is the first version supporting DMARC mitigation.

You could use p=quarantine, so at least users can retrieve from spam folders or set local rules. Odds are everyone on that list is already aware of this issue.

If the list has an SPF record, you could use the redirect modifier in your SPF record (e.g., redirect=lists.example.com).

If they don't have an SPF record, you could try using the ip4 mechanism in your SPF record (e.g., ip4:203.0.113.58) with the IP addresses you think they use.

Keep in mind those last two would mean someone else's server can bypass your DMARC record protections, and these records are public, after all.

On DKIM, I'm not sure because there may be a DKIM alignment issue but you didn't include an email with a DKIM signature and the domains are obfuscated.

Paul
  • "redirect" is not a mechanism; it's a modifier. https://www.mailhardener.com/blog/spf-redirect-explained – hbquikcomjamesl Jul 02 '21 at 23:33
  • I *did* try an "a" mechanism clause, with the list server's domain; no joy. I have not tried a "ptr" or "ip4" mechanism clause. – hbquikcomjamesl Jul 02 '21 at 23:42
  • 1
    Maybe the `a` record did not point back to the IP address of the sending server. Also, there is still the looming issue of DKIM. If the mailing list doesn't strip it, then I would expect a DKIM alignment issue. Thanks, I forgot that one was different, but I have read the RFC at least once some time ago and recalled the different `:` and `=`, but I think the other issues discussed in that link aren't so significant in this case, though are otherwise informative. – Paul Jul 02 '21 at 23:48
  • Well, there's plenty of time left on the bounty; if nobody else comes up with an immediate fix before it expires, and your answer and comments lead me to a solution, then the points are yours. – hbquikcomjamesl Jul 02 '21 at 23:51
  • Right now, I've done a DNS lookup on both the "lists." and "mail2." domain names, and written down the IP addresses. I'll see if they look the same in a few days. – hbquikcomjamesl Jul 02 '21 at 23:53
  • I would also keep watching inbound mail on that list and see what kinds of problems you can spot when a mail comes in with a DKIM record attached. Ideally, you could use a server you manage so you can disable any rejecting. – Paul Jul 02 '21 at 23:55
  • I've awarded the bounty, even though I haven't run any further tests, simply because you're the only one who's said anything even remotely constructive on this problem. – hbquikcomjamesl Jul 08 '21 at 00:06
  • Thank you. I actually would have answered if you'd just pinged me as I forgot to come back after you posted the headers. – Paul Jul 09 '21 at 21:26