mailing list changes

Jef Driesen jef at libdivecomputer.org
Sat Mar 7 05:28:00 PST 2020


On 7/03/2020 13:50, Christof Arnosti via subsurface wrote:
> Can you explain this a bit more?
> 
> I think that DKIM / DMARC does exactly what it should: preventing modification 
> of mails with "MailFrom" from my domain on-the-fly.
> 
> I also have SPF configured, which should in theory also lead to a reject when my 
> domain is used as MailFrom.
> 
> With DMARC, if I understand correctly, the mail should only be treated as 
> bogus when both of these mechanisms fail at once. This is the case when the 
> subsurface-divelog.org list server modifies my mail (breaks DKIM) and sends it 
> from its own server (breaks SPF) with MailFrom ~= *@charno.ch.
> 
> I understand that this leads to problems with mailing lists, but on the other 
> hand I would think that replacing the sender address by the mailing list 
> software (like done now on subsurface-divelog.org) should be the right way to 
> deal with this problem. Honestly, I'm more curious about why your mail client 
> only displays the sender mail-address (but not always? The mail you directly 
> received from Benjamin seems fine?) instead of the name in the MailFrom-Header.
> 
> I think that DMARC / DKIM / SPF are a quite important tool in the fight against 
> mail spoofing, so I would hate to weaken or disable it.
> 
> Can you give me some recommendation on how I should configure DMARC / DKIM / SPF 
> without breaking spoof-safe mailing, but still working with mailing lists 
> configured like subsurface was before?

There is an important difference between the "From" email header (which is 
displayed by the mail client), and the sender/recipient address ("mail from" and 
"rcpt to") used during the SMTP communication. For SPF only the latter is 
relevant. So it would be perfectly possible to leave the From header intact:

    From: Christof Arnosti <... at charno.ch>

and send the mail from the subsurface domain:

    MAIL FROM: <subsurface at subsurface-divelog.org>
    RCPT TO: <user at domain.tld>

For SPF everything should be fine because the mail originates from the 
subsurface mail server, and the mail client will show the correct name. Or am I 
missing something? I'm certainly not an expert on mail server configuration, but 
I do run one too.

For DKIM/DMARC I don't really know.

Jef
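
Added example (not part of the message above or of the list software): a simplified DMARC evaluation following RFC 7489, applied to the list setups discussed in this thread. It assumes the organizational domain is the last two labels of a name (real implementations use the Public Suffix List), and the scenario inputs are constructed.

```python
# Simplified DMARC (RFC 7489) check: a message passes when SPF *or* DKIM
# passes AND the authenticated domain aligns with the From: header domain.

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict alignment needs an exact match, relaxed only the same org domain."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(header_from, mail_from, spf_pass, dkim_sigs, strict=False):
    """dkim_sigs is a list of (d= domain, signature verified) tuples."""
    spf_ok = spf_pass and aligned(header_from, mail_from, strict)
    dkim_ok = any(ok and aligned(header_from, d, strict) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

AUTHOR = "charno.ch"             # domain in the From: header (from the thread)
LIST = "subsurface-divelog.org"  # list server domain (from the thread)

# Constructed scenarios; spf_pass is the SPF verdict for the MAIL FROM domain.
SCENARIOS = {
    "direct mail from author": dict(
        header_from=AUTHOR, mail_from=AUTHOR, spf_pass=True,
        dkim_sigs=[(AUTHOR, True)]),
    "list keeps From, modifies message": dict(
        header_from=AUTHOR, mail_from=LIST, spf_pass=True,
        dkim_sigs=[(AUTHOR, False)]),   # footer/subject tag broke the signature
    "list keeps From, message untouched": dict(
        header_from=AUTHOR, mail_from=LIST, spf_pass=True,
        dkim_sigs=[(AUTHOR, True)]),    # original signature still verifies
    "list rewrites From": dict(
        header_from=LIST, mail_from=LIST, spf_pass=True,
        dkim_sigs=[(AUTHOR, False)]),
}

def evaluate_all():
    return {name: dmarc_result(**s) for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:38} {result}")
```

In the second scenario SPF itself passes for the list's MAIL FROM domain, but that domain does not align with the From: header, so the DMARC verdict rests on the DKIM signature alone.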

