On 2023-01-05 08:55, Jan Eden via Mailman-users wrote:
> On 2023-01-04 15:07, Mark Sapiro wrote:
>> On 1/4/23 14:02, Jan Eden via Mailman-users wrote:
>>> Although I could specify the IP address in my SPF records directly (as you suggested), I do hope that my understanding of DNS records laid out above is not entirely misguided. My current setup does work as expected for eden.one, after all.
>> As I said at <https://lists.mailman3.org/archives/list/mailman-users@mailman3.org/message/A37ELNBFLROFRYXKE3HX5OMLN37XEHQ7/> I was misreading your DNS and now I am as puzzled as you about the failure.
> It gets even more mysterious. I tried sending messages from both lists.eden.one and janeden.net (my other domain) to a gmail account and to another mail provider. Both messages passed the SPF checks on both services (see the relevant headers quoted below). Now because I send those messages via my SMTP user (smtpuser@eden.one) and use SRS, the SPF check operates (and succeeds) on e.g. srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser=googlemail.com@eden.one (and not on somethingsomething@lists.eden.one or somethingsomething@janeden.net). Could this be the reason for the failed SPF checks in Yahoo's and Google's DMARC reports?
There was never a mystery, just my complete ignorance wrt DMARC and alignment[1]. Changing the DMARC DNS entry for lists.eden.one (more specifically, the aspf tag) solved the issue:
<policy_published>
  <domain>lists.eden.one</domain>
  <adkim>s</adkim>
  <aspf>r</aspf>
  <p>quarantine</p>
  <sp>quarantine</sp>
  <pct>75</pct>
</policy_published>
<record>
  <row>
    <source_ip>123.123.123.123</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
For other domains, I would need to turn off SRS, which is not possible for independent reasons.
- Jan
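
The alignment check discussed in this thread, as an added example that is not part of the original messages: it compares the SPF-authenticated envelope domain (after SRS rewriting) with the From: domain under strict and relaxed aspf. The From: addresses and the small suffix set are constructed assumptions; a real evaluator uses the full Public Suffix List.

```python
# Added example: DMARC SPF identifier alignment (RFC 7489, section 3.1.2).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"one", "net", "com", "co.uk"}

# Envelope sender after SRS rewriting, as quoted in the thread.
SRS_SENDER = ("srs0=jdm+=5c=lists.eden.one=testlist-bounces+gmailuser"
              "=googlemail.com@eden.one")


def domain_of(address):
    """Return the lower-cased domain part of a mail address."""
    return address.rsplit("@", 1)[1].strip().rstrip(".").lower()


def organizational_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to two labels


def spf_aligned(mail_from, header_from, aspf="r"):
    """True if the SPF domain aligns with the From: domain for this aspf mode."""
    spf_domain = domain_of(mail_from)
    from_domain = domain_of(header_from)
    if aspf == "s":  # strict: the two domains must be identical
        return spf_domain == from_domain
    # relaxed: only the organizational domains must match
    return organizational_domain(spf_domain) == organizational_domain(from_domain)


def dmarc_spf_result(spf_pass, mail_from, header_from, aspf):
    """SPF counts for DMARC only if it passed AND the domains are aligned."""
    return "pass" if spf_pass and spf_aligned(mail_from, header_from, aspf) else "fail"


if __name__ == "__main__":
    # Constructed From: addresses for the two domains mentioned in the thread.
    for header_from in ("testlist@lists.eden.one", "someone@janeden.net"):
        for mode in ("s", "r"):
            result = dmarc_spf_result(True, SRS_SENDER, header_from, mode)
            print(f"From: {header_from:26} aspf={mode} -> DMARC SPF {result}")
```
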