Dist. List forwarding and DMARC Reject circumvention. Will this pattern work?
I would be grateful if someone could vet and verify (or guide otherwise) the following pattern please.
With the major mail vendors' move to DMARC - Full Reject, I have a small challenge.
- We have a number of 365 Distribution List addresses.
- These lists accept email from anyone and, currently, then forward those emails onto list members.
- List members, however, are NOT necessarily email addresses within the list's mail domain. They might be outlook.com, Gmail, yahoo, Hotmail, username@local.ISP.
Consequently, DMARC Reject policies are causing these emails to be marked spam as the 365 Dist. List forwarding is not doing any header manipulation.
My thinking is:
- I could set up a Mailman list (elists.mydomain.com) alongside the 365 Exchange mail domain (mydomain.com)
- I leave inbound mail delivery to the 365 Dist. lists.
- I reconfigure the (mylist@mydomain.com) Dist. Lists to fwd to a similarly-named Mailman address at the email sub-domain (mylist@elists.mydomain.com)
- The Mailman list, by virtue of having to use the 365 MTA, should be able to accept all inbound from the list (mylist@mydomain.com).
- Mailman would then need to re-write the mail headers such that the inbound email to-be-forwarded from the Mailman list, both appears to come from the (mylist@mydomain.com) address, and also has the 365 'mydomain.com' SPF and DKIM records. And given Mailman has to use the 365 MTA, it would actually be coming from that main mail domain.
- Somewhere in there, the original sender's email address would need to be included, such that a Reply-to-All from a receiving List member would not only go back to the List, but also the original sender.
My thinking is that with this pattern, I don't need to worry about inbound emails to the list address as that would simply continue to function as normal, and fwdd mails from the List to recipient list members would not be marked spam as the headers would all be good.
Is my thinking good? Or am I out of my cotton-pickin' mind?
On Sun, Aug 25, 2024 at 4:32 PM <titan160@hotmail.com> wrote:
> I would be grateful if someone could vet and verify (or guide otherwise) the following pattern please.
> With the major mail vendors' move to DMARC - Full Reject, I have a small challenge.
> - We have a number of 365 Distribution List addresses.
> - These lists accept email from anyone and, currently, then forward those emails onto list members.
> - List members, however, are NOT necessarily email addresses within the list's mail domain. They might be outlook.com, Gmail, yahoo, Hotmail, username@local.ISP.
> Consequently, DMARC Reject policies are causing these emails to be marked spam as the 365 Dist. List forwarding is not doing any header manipulation.
> My thinking is:
> - I could set up a Mailman list (elists.mydomain.com) alongside the 365 Exchange mail domain (mydomain.com) [0]
> - I leave inbound mail delivery to the 365 Dist. lists. [1]
> - I reconfigure the (mylist@mydomain.com) Dist. Lists to fwd to a similarly-named Mailman address at the email sub-domain (mylist@elists.mydomain.com) [2]
> - The Mailman list, by virtue of having to use the 365 MTA, should be able to accept all inbound from the list (mylist@mydomain.com). [3]
> - Mailman would then need to re-write the mail headers such that the inbound email to-be-forwarded from the Mailman list, both appears to come from the (mylist@mydomain.com) address, and also has the 365 'mydomain.com' SPF and DKIM records. And given Mailman has to use the 365 MTA, it would actually be coming from that main mail domain. [4]
Aren't you creating a mail loop already? Where is MM3 sending the email to after receiving it (and supposedly modifying the headers)? And at this point [4], what are you trying to do that's different from what's already happening? The best way would be to have MM3 replace the From: addresses with its own address. Isn't DMARC mitigation what you want?
> - Somewhere in there, the original sender's email address would need to be included, such that a Reply-to-All from a receiving List member would not only go back to the List, but also the original sender.
That's what I see happening whenever I hit Reply-to-All on this MM3 list.
> My thinking is that with this pattern, I don't need to worry about inbound emails to the list address as that would simply continue to function as normal, and fwdd mails from the List to recipient list members would not be marked spam as the headers would all be good.
I would move everything from o365 distribution lists and just have those on MM3 on a subdomain.
> Is my thinking good? Or am I out of my cotton-pickin' mind?
I am not saying your thinking is good or bad. 365 Exchange Admins will be able to help with that. My only issue is that you're complicating life for nothing. If you can have a subdomain with independent MX records, then why not just get the distribution lists out of 365 Exchange? You mentioned that they are 'Open' so what is the reason you're keeping them on 365 Exchange?
- Run MM3 on lists.mydomain.com
- Create a list named distlistname1 on MM3 and add all the addresses on that distribution list to this MM3 list.
- Have distlistname1@mydomain.com subscribed to the MM3 list above
- Have distlistname1@mydomain.com forward all the mails to distlistname1@lists.mydomain.com. The MM3 list will then do the necessary. In all these steps, what you have avoided is just getting everyone to use distlistname1@lists.mydomain.com - which is all you needed anyway.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-)
[How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
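
The From: rewriting discussed in this thread, as an added Python example that is not part of either message and is not Mailman's own code: it checks DMARC identifier alignment for a post relayed unchanged, then for the same post after the list replaces From: with its own address and moves the poster to Reply-To. Assumptions: `sender.example` is a constructed domain taken to publish p=reject, the list's authenticated SPF/DKIM domains are passed in by hand, and `org_domain` is a two-label simplification of the Public Suffix List lookup.

```python
import copy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "mylist@elists.mydomain.com"  # list address used in the thread

def org_domain(domain):
    # Simplification: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def from_domain(msg):
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def dmarc_aligned(msg, spf_domain, dkim_domains, strict=False):
    """True if a passing SPF or DKIM domain aligns with the From: domain."""
    want = from_domain(msg)
    for d in [spf_domain, *dkim_domains]:
        if not d:
            continue
        if d.lower() == want or (not strict and org_domain(d) == org_domain(want)):
            return True
    return False

def munge_from(msg, list_addr=LIST_ADDR):
    """Rewrite From: to the list, keep the poster reachable via Reply-To."""
    name, addr = parseaddr(str(msg["From"]))
    out = copy.deepcopy(msg)
    for h in ("From", "Reply-To", "DKIM-Signature"):
        del out[h]  # no-op when absent; the old signature no longer matches
    out["From"] = formataddr((f"{name or addr} via mylist", list_addr))
    out["Reply-To"] = addr
    return out

def sample_post():
    # Constructed message: sender.example is assumed to publish p=reject.
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@sender.example>"
    msg["To"] = LIST_ADDR
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes attached.\n")
    return msg

if __name__ == "__main__":
    post = sample_post()
    print("forwarded unchanged:", dmarc_aligned(post, "mydomain.com", []))
    munged = munge_from(post)
    print(munged["From"], "| Reply-To:", munged["Reply-To"])
    print("munged:", dmarc_aligned(munged, "elists.mydomain.com", ["mydomain.com"]))
```

With strict alignment (`strict=True`), a DKIM signature for `mydomain.com` does not align with a From: address at `elists.mydomain.com`, so the signing domain has to match the subdomain the list posts from.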