OT: DMARC Enabled Domains On This List

Home » Asterisk Users » OT: DMARC Enabled Domains On This List
Asterisk Users 5 Comments

Having enabled a strict DMARC setup I noticed everytime I send a message here I get all these reports of messages which fail DMARC. Since I don’t want people to miss my wise thoughts maybe the maintainers of this list could look into DKIM signing (or any of the other ways to work around spf and dmarc breaking forwards)

5 thoughts on - OT: DMARC Enabled Domains On This List

  • Since I just did this myself a couple days ago, I’ll see what I get with this reply.

    Doug

  • This is likely the issue surrounding mailing lists rewriting headers and/or modifying messages bodies or simply re-transmitting messages as the original sender from an unapproved domain. This was discussed at length on the ITEF mailing list. Without seeing your headers and those of a recipient it is impossible to be sure but my spidy sense tells me this is so.

    You can manage this in your DNS forward zone by turning off the DMARC
    reporting request. No, I no longer recall the details. Or you can simply direct the incoming reports to /dev/null.

    As I get the digest version of the list the message sender and domain match DMARC provisions, if any are set for digium.com.

    HTH.

  • Subjects (atleast) are being rewritten, a recipient can’t verify the original (signed) hash to match the received message (replay protection). Only thing that is needed is a valid DKIM signature after the subject (and maybe others) has “[asterisk-users]” prepended.

    It appears exim 4.76 is being used, that version is recent enough to add DKIM on sending via smtp.

    begin transports

    remote_smtp:
    driver = smtp
    dkim_domain = lists.digium.com
    dkim_selector = auniqueid
    dkim_private_key = /etc/exim4/dkim/list.digium.com-private.pem
    dkim_canon = relaxed

    More info for example from:
    https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
    The hints to do this for only 1 domain if the smtpd is used for others are all there.

    The reports are there to tell you something isn’t right (like on this mailing list). Disabling them is only hiding the problem, people might be replying with the correct answer to a problem, but the OP might never gets that message.

  • What DMARC reports is that somebody other than yourself is sending email claiming to be you. And there is absolutely nothing that you can do about it. So the question arises: What is the value in these reports?

  • To tell those others (in the case of legitimate mail via mailinglists)
    they are doing something wrong and mail redirected by said mailinglists isn’t getting delivered (or like with gmail “marked as phishing and put into quarantine”).

    Also with increased use of DMARC (which I don’t personally care for but the BIG mail operators are kind of forcing it) there will be more bounces from DMARCed senders to subscribed users which may result in the mailinglist software to incorrectly unsubcribe those recipients.