Score:0

I think I have a DMARC failure, posting to one list-server. The reports list my post under "forwarded," but the detail lines show mostly "reject"


I've recently implemented DMARC where I work.

Most of the list-servers work just fine, either rewriting the from address or passing my posts unchanged, so they pass DKIM. One of them appears to be a problem, though.

When I look at the DMARC report, the morning after posting to that one List, the traffic shows up as "forwarded," rather than "compliant," "non-compliant," or "threat/unknown," and when I look at the details, I get this:

[Image: DMARC report screenshot]

I don't know whether my traffic is going out to the list or not (though I strongly suspect the latter).

After the first failed test, and after the List owner ignored my email asking for his help, I tried adding an "a:lists.xxxxxxxxxxxx.com" clause to our SPF TXT record; the above screen shot was from a post I sent the day after I added the clause.

Any suggestions on what to try next?

Re: the comment from "Paul," turning enforcement off and getting the headers from one of my own posts might be problematical, but here are the complete headers (edited for privacy) from somebody else's recent post, if that will help:

Delivered-To: [email protected]
Received: by 2002:a2e:3503:0:0:0:0:0 with SMTP id z3csp1496776ljz;
        Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJy18k71C++zpNe55rLDEJltbevs69VyzzesCMGd/8tPX/qbI0Lac5wkA5469ycwf0wg5iAc
X-Received: by 2002:a9d:80a:: with SMTP id 10mr8226253oty.192.1624643053207;
        Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1624643053; cv=none;
        d=google.com; s=arc-20160816;
        b=uOIgfjalLyaRogOrYH1cvr6kKRXXuTcKTCRtaVZHajEKElKrec+yTJRto4GKcFkfwb
         dcAK2/ySO5Q7jwRUOhl82XUfwRkhDEgIrKGwzeLVOMU9ofPaNF3tQcDsSAtphsAqg00C
         QRhU/d0jmLe8bUzeL5I2tP9T1QD3LOxeFTJsbrOEv8EGVCyMs/D92Fb4JSh86f934F2Y
         3Nw5GU19kNAwAQLS5CZ+fS9PyyQia7Xoh/KH7b6kuSKTKjhSlYzOMbxQd9GUqW92CFdk
         LsQ6MYl3vPNEagtKRGr7mOFxFAoDvvi4+She60YTu6m5QKV0Diy96UR7gigtCC7xNu7u
         kY/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=sender:errors-to:list-subscribe:list-help:list-post
         :list-unsubscribe:list-id:reply-to:precedence:subject
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to;
        bh=5+f0Tt+6o1VY9gqg/hi3WOfyNITDoc6GvFVfwLx6Rf4=;
        b=srIV+BeEvZsdZQbD3Qt9+PC5b0mbHO4IE3858BpLyDtZXULtVSt7mg3PXy6pVSQswV
         8TjwWmUbzuXNuK0985BvvPM0k/87iWZ3e+WYcvvieOHol1sXMct3U/nK7wHDgY7kN1X2
         GkP/JXBcYx8oP4YANlq2v20J7fTPdMoS3qUJZXO5eDpn2AhFHEFqoekwSdPmZ+yNru92
         vl3N18ixf1H+3T4UR/DA9x+6ZrfEFenSlcRxoMOH+MahnNuz6XeYJmIxQZg3g4k7Ud3b
         We6EiHf0juIPlmIXVJEOY4uM2LlbbHFkRabpFl6Cg9z8rdzZOT7fP0dP/PuD1K1DvYLX
         lLQA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of [email protected] designates aaa.bbb.ccc.ddd as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from mail2.xxxxxxxxxxxx.com (mail2.xxxxxxxxxxxx.com. [aaa.bbb.ccc.ddd])
        by mx.google.com with ESMTPS id y13si7142121oih.66.2021.06.25.10.44.12
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 25 Jun 2021 10:44:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates aaa.bbb.ccc.ddd as permitted sender) client-ip=aaa.bbb.ccc.ddd;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of [email protected] designates aaa.bbb.ccc.ddd as permitted sender) [email protected]
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
    by mail2.xxxxxxxxxxxx.com (8.15.2/8.15.2) with ESMTP id 15PHaLsP072664;
    Fri, 25 Jun 2021 13:36:22 -0400 (EDT)
    (envelope-from [email protected])
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
    by xxxxxxxxxxxx.com (8.14.4/8.14.7) with ESMTP id 15PHbRHQ032311;
    Fri, 25 Jun 2021 12:37:28 -0500 (CDT)
    (envelope-from [email protected])
X-Mailman-Handler: $Id: mm-handler 5100 2002-04-05 19:41:09Z bwarsaw $
Received: from xxxxxxxxxxxx.com (xxxxxxxxxxxx.com [www.xxx.yyy.zzz])
    by xxxxxxxxxxxx.com (8.14.4/8.14.7) with ESMTP id 15PHbPBf032295
    for <[email protected]>;
    Fri, 25 Jun 2021 12:37:25 -0500 (CDT)
    (envelope-from [email protected])
Received: from grungy.xxxxxxxxxxxx.com (grungymail@localhost)
    by xxxxxxxxxxxx.com (8.14.4/8.14.7/Submit) with ESMTP id 15PHbN4m032272
    for <[email protected]>;
    Fri, 25 Jun 2021 12:37:23 -0500 (CDT)
    (envelope-from [email protected])
X-Authentication-Warning: xxxxxxxxxxxx.com: grungymail owned process doing -bs
Received: from [127.0.0.1] (localhost [127.0.0.1])
    by grungy.xxxxxxxxxxxx.com (8.15.2/8.15.2) with ESMTP id 15PHbIUc008701
    for <[email protected]>;
    Fri, 25 Jun 2021 12:37:18 -0500 (CDT)
    (envelope-from [email protected])
To: [email protected]
References: <OF1F227294.95B6DA5A-ONC12586FE.002643EF-C12586FE.00272521@zzzzzzzzzzzzzz.it>
    <[email protected]>
    <OF16B0EB8D.A01226D6-ONC12586FF.0058F2FC-C12586FF.005B0A15@zzzzzzzzzzzzzz.it>
From: Sxxxx Kxxxxxx <[email protected]>
Message-ID: <[email protected]>
Date: Fri, 25 Jun 2021 12:37:19 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101
    Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <OF16B0EB8D.A01226D6-ONC12586FF.0058F2FC-C12586FF.005B0A15@zzzzzzzzzzzzzz.it>
Content-Language: en-US
X-Spam-Status: No, score=-1.0 required=8.0 tests=ALL_TRUSTED,HTML_MESSAGE
    autolearn=unavailable autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
    grungy.xxxxxxxxxxxx.com
Subject: Re: [Ftpapi] Rif: Re: Rif: Re: In: Re: In: HTTPAPI - Example 7 -
 Upload a file from IFS - No file attached!
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: FTPAPI/HTTPAPI mailing list <[email protected]>
List-Id: FTPAPI/HTTPAPI mailing list <ftpapi.lists.xxxxxxxxxxxx.com>
List-Unsubscribe: <http://xxxxxxxxxxxx.com/mailman/options/ftpapi>,
    <mailto:[email protected]?subject=unsubscribe>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]?subject=help>
List-Subscribe: <http://xxxxxxxxxxxx.com/mailman/listinfo/ftpapi>,
    <mailto:[email protected]?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1888169630713480664=="
Errors-To: [email protected]
Sender: [email protected]
Paul:
I think it helps more if you can see headers from the list server. You might try setting `p=none` and then look at the headers.
Score:0

Looks like they have Mailman 2.1.14, and according to the Mailman wiki, 2.1.16 is the first version supporting DMARC mitigation.

You could use p=quarantine, so at least users can retrieve from spam folders or set local rules. Odds are everyone on that list is already aware of this issue.

If the list has an SPF record, you could use the redirect modifier in your SPF record (e.g., redirect=lists.example.com).

If they don't have an SPF record, you could try using the ip4 mechanism in your SPF record (e.g., ip4:203.0.113.58) with the IP addresses you think they use.

Keep in mind those last two would mean someone else's server can bypass your DMARC record protections, and these records are public, after all.

On DKIM, I'm not sure because there may be a DKIM alignment issue but you didn't include an email with a DKIM signature and the domains are obfuscated.

hbquikcomjamesl:
"redirect" is not a mechanism; it's a modifier. https://www.mailhardener.com/blog/spf-redirect-explained
hbquikcomjamesl:
I *did* try an "a" mechanism clause, with the list server's domain; no joy. I have not tried a "ptr" or "ip4" mechanism clause.
Paul:
Maybe the `a` record did not point back to the IP address of the sending server. Also, there is still the looming issue of DKIM. If the mailing list doesn't strip it, then I would expect a DKIM alignment issue. Thanks, I forgot that one was different, but I have read the RFC at least once some time ago and recalled the different `:` and `=`, but I think the other issues discussed in that link aren't so significant in this case, though are otherwise informative.
hbquikcomjamesl:
Well, there's plenty of time left on the bounty; if nobody else comes up with an immediate fix before it expires, and your answer and comments lead me to a solution, then the points are yours.
hbquikcomjamesl:
Right now, I've done a DNS lookup on both the "lists." and "mail2." domain names, and written down the IP addresses. I'll see if they look the same in a few days.
Paul:
I would also keep watching inbound mail on that list and see what kinds of problems you can spot when a mail comes in with a DKIM record attached. Ideally, you could use a server you manage so you can disable any rejecting.
hbquikcomjamesl:
I've awarded the bounty, even though I haven't run any further tests, simply because you're the only one who's said anything even remotely constructive on this problem.
Paul:
Thank you. I actually would have answered if you'd just pinged me as I forgot to come back after you posted the headers.
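
Added example, not part of the original thread or any poster's code: a small model of how a receiver decides DMARC pass/fail for direct mail, for a list that relays a post unchanged, for a list that modifies it (for instance with a subject tag like the `[Ftpapi]` prefix in the headers above), and for a list that rewrites From. The domains `example.org` and `lists.example.net` are constructed placeholders, and the organizational-domain lookup is a simplification (real receivers use the Public Suffix List).

```python
# Added example: DMARC identifier alignment for list-forwarded mail.
# All domains are constructed placeholders, not values from the thread.

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf:  (result, envelope-from domain that SPF was checked against)
    dkim: list of (result, d= domain of the signature)
    DMARC passes when SPF or DKIM both passes AND aligns with From."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

AUTHOR = "example.org"        # domain publishing the DMARC policy
LIST = "lists.example.net"    # list server's envelope-from domain

def scenarios():
    return {
        # Author's own server delivers directly.
        "direct": dmarc_eval(AUTHOR, ("pass", AUTHOR), [("pass", AUTHOR)]),
        # List re-sends with its own bounce address; body and signed
        # headers untouched, so the author's DKIM signature survives.
        "list_unchanged": dmarc_eval(AUTHOR, ("pass", LIST), [("pass", AUTHOR)]),
        # List adds a subject tag or footer: DKIM breaks, and the SPF pass
        # belongs to the list's domain, which does not align with From.
        "list_modified": dmarc_eval(AUTHOR, ("pass", LIST), [("fail", AUTHOR)]),
        # List rewrites From to its own domain (DMARC mitigation).
        "from_rewritten": dmarc_eval(LIST, ("pass", LIST), [("fail", AUTHOR)]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} {result}")
```
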