bind-users mailing list doesn't manage DMARC
tale
d.lawrence at salesforce.com
Sun Dec 21 19:22:56 UTC 2025
On Wed 03/Dec/2025 04:04:17 +0100 tale via bind-users wrote:
> On Tue, Dec 2, 2025 at 5:26 AM Dan Mahoney <dmahoney at isc.org> wrote:
>> Your DMARC TXT record is:
>> _dmarc.jcea.es. 7200 IN TXT "v=DMARC1; p=none; sp=none; rua=mailto:mailauth-reports at jcea.es; ruf=mailto:mailauth-reports at jcea.es"
>>
>> Your "strict" configuration tells users who are checking DMARC to do nothing in the event of a DMARC fail (p=none), so if you are getting failures, those users are not properly following the instructions that you have put in your DNS.
> ...
>> We also ARC seal the traffic going through our mailing lists, which is supposed to deal with precisely this unique problem that the original DMARC/DKIM implementors kind of ignored.
>
> [...]
>
> The situation was roughly the same as the above; p=none and a mailing
> list that had isc.org subscribers. Since my DMARC policy was none,
> the From was not being rewritten by the list software. So yeah, there
> was an inconsistency in that the list server's IP wasn't covered by my
> SPF -- correctly dubbed an authentication failure. However, messages
> I sent to the list went through fine because of p=none, and even got
> replies from ISC subscribers so it didn't seem like a failure.

Indeed, it's not a failure. Rewriting the From: header is an ugly hack that
should be avoided whenever possible.

Yet, something is strange in ISC's DKIM and ARC:

Having 3 ARC sets is pretty redundant. ARC's idea is to have one set per
transfer service.

Jesus's message only had the original d=jcea.es signature. Shouldn't ISC sign
anyway?

Dan's message had three ISC signatures, only the last one verifies.

Tale's message had two signatures, the original by Google and the following
abnormal thing:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;
	t=1764731192; i=@i; bh=kGPsMv2dhM4HNZFQsedYJuvYfdPMg/XSEgqUbJ5rQRo=;
	h=References:In-Reply-To:Date:Subject:To:Cc:List-Id:
	 List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	 From:Reply-To;
	b=qe7qv7C64S/6+jnJ1LeC37SFH0Uu2zeBuGt2oo1Sn0tNxJozMioEsiAwr08UYZWK+
	 VE7USpyVzK3aPTTVcqEqOIEcGigMYYKUmm0j3VePMWaUSwj0AWbsLJ7aSVPOn5rNm8
	 bLExyiLeyxF58HqzJpnuRNGKMkiR8P8PeK4BGAmNn4ytleMCHFQzrfC9UslTCw566O
	 4NjudcdPpzu/QVo42WOu3yDdk2jQdsU9cWcpo56CeuBPwtzAoU34ItDSEfm7aqkmc/
	 bRt9ptg3WYsEhNyHc27anjn+2flopfk5+PuxTOvyf9FH2GDvl7+e0jFsTz4LVajJ9c
	 mkNpnP4eKOrDA==

It looks like something ate the "sc.org" from the d= tag.

MOST IMPORTANTLY: this message is NOT by Tale. Since salesforce has
p=reject, this message should have been rejected by the MX!!

Best
Ale
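
An added example, not part of the message above and not ISC's code: a structural check of a DKIM-Signature value (RFC 6376 tag-list) that flags the truncated d= tag discussed in the message. The function names are hypothetical, and the bh= and b= values in the sample are constructed placeholders.

```python
import re

# Header modelled on the one quoted in the message; bh= and b= are
# constructed placeholders, the other tags are as quoted there.
SAMPLE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;\r\n"
    "\tt=1764731192; i=@i; bh=PLACEHOLDER=;\r\n"
    "\th=References:In-Reply-To:Date:Subject:To:Cc:List-Id:\r\n"
    "\t List-Unsubscribe:From:Reply-To;\r\n"
    "\tb=PLACEHOLDER=="
)

def parse_tags(value):
    """Split a DKIM-Signature value into a dict of tag name -> value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Folding whitespace inside h= and b= values is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_signature(value):
    """Return a list of structural problems; an empty list means none found."""
    tags = parse_tags(value)
    problems = []
    for required in ("v", "a", "b", "bh", "d", "h", "s"):
        if required not in tags:
            problems.append(f"missing required tag {required}=")
    d = tags.get("d", "").lower()
    if d and "." not in d.strip("."):
        problems.append(f"d={d} is a single-label name")
    i = tags.get("i", "")
    if i and d:
        i_domain = i.rpartition("@")[2].lower()
        # The i= domain must be the d= domain or a subdomain of it.
        if i_domain != d and not i_domain.endswith("." + d):
            problems.append(f"i= domain {i_domain} is outside d={d}")
    if "from" not in [h.lower() for h in tags.get("h", "").split(":")]:
        problems.append("From is not listed in h=")
    return problems

def key_record_name(value):
    """DNS name a verifier queries for the key: <s>._domainkey.<d>."""
    tags = parse_tags(value)
    return f"{tags['s']}._domainkey.{tags['d']}"
```

For the quoted header the key lookup name comes out as `istslay._domainkey.i`, which is why no verifier can fetch a key for that signature.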