bind-users mailing list doesn't manage DMARC

Alessandro Vesely vesely at tana.it
Sun Dec 21 19:48:31 UTC 2025


On Sun 21/Dec/2025 20:22:56 +0100 tale via bind-users wrote:
> On Wed 03/Dec/2025 04:04:17 +0100 tale via bind-users wrote:
>> On Tue, Dec 2, 2025 at 5:26 AM Dan Mahoney <dmahoney at isc.org> wrote:
>>> Your DMARC TXT record is:
>>> _dmarc.jcea.es.         7200    IN      TXT     "v=DMARC1; p=none; sp=none; 
>>> rua=mailto:mailauth-reports at jcea.es; ruf=mailto:mailauth-reports at jcea.es"
>>>
>>> Your "strict" configuration tells users who are checking DMARC to do nothing 
>>> in the event of a DMARC fail (p=none), so if you are getting failures, those 
>>> users are not properly following the instructions that you have put in your 
>>> DNS.
>> ...
>>> We also ARC seal the traffic going through our mailing lists, which is 
>>> supposed to deal with precisely this unique problem that the original DMARC/ 
>>> DKIM implementors kind of ignored.
>>
>> [...]
>>
>> The situation was roughly the same as the above; p=none and a mailing
>> list that had isc.org subscribers.   Since my DMARC policy was none,
>> the From was not being rewritten by the list software.  So yeah, there
>> was an inconsistency in that the list server's IP wasn't covered by my
>> SPF -- correctly dubbed an authentication failure.  However, messages
>> I sent to the list went through fine because of p=none, and even got
>> replies from ISC subscribers so it didn't seem like a failure.
> 
> 
> Indeed, it's not a failure.  Rewriting the From: header is an ugly hack that 
> should be avoided whenever possible.
> 
> Yet, something is strange in ISC's DKIM and ARC:
> 
> Having 3 ARC sets is pretty redundant.  ARC's idea is to have one set per 
> transfer service.
> 
> Jesus's message only had the original d=jcea.es signature.  Shouldn't ISC sign 
> anyway?
> 
> Dan's message had three ISC signatures, only the last one verifies.
> 
> Tale's message had two signatures, the original by Google and the following 
> abnormal thing:
> 
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;
>      t=1764731192; i=@i; bh=kGPsMv2dhM4HNZFQsedYJuvYfdPMg/XSEgqUbJ5rQRo=;
>      h=References:In-Reply-To:Date:Subject:To:Cc:List-Id:
>       List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
>       From:Reply-To;
>      b=qe7qv7C64S/6+jnJ1LeC37SFH0Uu2zeBuGt2oo1Sn0tNxJozMioEsiAwr08UYZWK+
>       VE7USpyVzK3aPTTVcqEqOIEcGigMYYKUmm0j3VePMWaUSwj0AWbsLJ7aSVPOn5rNm8
>       bLExyiLeyxF58HqzJpnuRNGKMkiR8P8PeK4BGAmNn4ytleMCHFQzrfC9UslTCw566O
>       4NjudcdPpzu/QVo42WOu3yDdk2jQdsU9cWcpo56CeuBPwtzAoU34ItDSEfm7aqkmc/
>       bRt9ptg3WYsEhNyHc27anjn+2flopfk5+PuxTOvyf9FH2GDvl7+e0jFsTz4LVajJ9c
>       mkNpnP4eKOrDA==
> 
> It looks like something ate the "sc.org" from the d= tag.


And again, the message I'm replying to had:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;
	t=1766344992; i=@i; bh=YFetgK5oZNah/qXdulHUQFZb3W8dFq54nCGNl8Q0uxQ=;
	h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To;
	b=Qv3oGo5lzbm8tufMiTuwiUhk+8HVR25ntThA6EES+IfZ+TZxLy3YwwJy3UhjdDtGZ
	 cO6H1lfwj8nFiqkCTN+ejRvtAKfwAq9kkgrPbqJHtNsEgVEC73qSKJGFuz08dQ3UHn
	 zZqrdYM6Rya3+5hJN6JZ/27LcMafCJFVk6loML4vlSyHjMGvgNRZuYszZRCHppTeSX
	 jX5KIYzUj5zSBe0U97AEO+heOtdVVfoAILQ0rlEL87XLFrmtNiQrxSzbwZW3ep48jO
	 cROIwsS691hB5oJk27AKk2Ea7JTHnLA8aUO7DS2hwsQxP4e6PINQnFLHh/fQddKTZ/
	 swE2eGbgjIHXQ==


> MOST IMPORTANTLY:   this message is NOT by Tale.  Since salesforce has 
> p=reject, this message should have been rejected by the MX!!


Please, having all the bad of DMARC and none of the good is nonsensical.


Best
Ale
-- 
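
The truncated `d=i` / `i=@i` signature quoted in this message can be caught with a structural lint before any cryptographic verification. The following is an added example, not part of the original post and not ISC's or any list software's code; the function names are hypothetical, and the sample header is constructed from the one quoted above with the `bh=` and `b=` values replaced by placeholders.

```python
import re

# Constructed sample: the header quoted in the message, with the bh= and b=
# values replaced by placeholders and the h= list shortened.
SAMPLE = ("v=1; a=rsa-sha256; c=simple/simple; d=i; s=istslay;\r\n"
          "\tt=1766344992; i=@i; bh=PLACEHOLDER;\r\n"
          "\th=Date:Subject:To:List-Id:From:Reply-To;\r\n"
          "\tb=PLACEHOLDER")

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")   # RFC 6376, section 3.5
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def parse_tags(value):
    """Split a DKIM-Signature field value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(tags):
    """DNS name a verifier queries for the public key (s._domainkey.d)."""
    return "{}._domainkey.{}".format(tags.get("s", ""), tags.get("d", ""))


def lint_signature(value):
    """Return a list of structural problems; an empty list means none found."""
    tags = parse_tags(value)
    problems = ["missing required tag " + t + "=" for t in REQUIRED if t not in tags]
    d = tags.get("d", "").lower()
    labels = d.split(".")
    if not all(LABEL.match(label) for label in labels):
        problems.append("d= is not a valid domain name")
    elif len(labels) < 2:
        # Heuristic, not an RFC rule: a signing domain with one label is
        # almost certainly a truncated or misconfigured value.
        problems.append("d= is a single label: " + d)
    if "i" in tags:
        i_domain = tags["i"].rpartition("@")[2].lower()
        # RFC 6376: the i= domain must equal d= or be a subdomain of it.
        if i_domain != d and not i_domain.endswith("." + d):
            problems.append("i= domain is not within d=")
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    if "from" not in signed:
        problems.append("h= does not cover the From header")
    return problems
```

Running `lint_signature` on outbound mail at the signing host would flag this kind of misconfiguration before receivers see an unverifiable signature; `key_query_name` shows the DNS name a verifier would end up querying.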






