Thomas Cameron writes:

 > But then, when I do something like send email to this list, I suddenly
 > get a TON of error messages saying that the email failed spf tests
 > because it's coming from the server of the mailing list instead of my
 > email server. Is that normal?

I would guess the mail system is behaving correctly given your server configuration. Since you don't like what's happening, you probably have a misconfiguration. But exactly what the problem is, I don't know because I don't know what you do want and you haven't provided any configuration or even quoted the error message.

 > It's kind of frustrating. I added the ip address of the Fedora list
 > server to my spf record, but that seems really hackish.

And insecure. Anybody can now spoof your mail by sending it through the list's MTA. (It wouldn't stand up under close examination, I guess, but neither would most successful phishing mails.)

 > What do folks do to set up email with dmarc, spf, and so on?

Depends on what else your server is doing, how paranoid you are, and several other things.

Your DNS TXT record says "v=spf1 a:you.com ip4:1.2.3.4 ip4:5.6.7.8 ~all". Based on that and a wild guess, I think the issue is probably the "~all". While the SPF RFC doesn't specify what receivers should do on matching "~all" (aka softfail), and does say it's not sufficient to reject a message, it does imply you're asking for feedback. If you're not all that paranoid, I suggest changing "~all" to "?all". See

https://datatracker.ietf.org/doc/html/rfc7208#section-8.5

for details (they're pretty gory if you're not a regular denizen of RFC-world). I can't guarantee that will reduce the error messages but it's the only thing to try with information provided. (You could also simply not use SPF and rely entirely on DKIM which has fewer failure modes.)

The other WAG about the source of the error messages is that you enabled the reporting feature for DMARC. In that case I suggest you shut it off. :-)

Your list posts should be well-enough protected by DKIM. Your lists can improve handling of your mail by implementing ARC, but of course that's up to them, not you. And it depends on ultimate receivers supporting ARC, too, although most of the majors already do.

https://en.wikipedia.org/wiki/Authenticated_Received_Chain
https://datatracker.ietf.org/doc/html/rfc8617

Steve
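
The SPF results discussed in this message, worked through as an added example that is not part of the original post: a small evaluator for the `ip4`, `a:` and `all` mechanisms, applied to the record quoted above. It assumes the receiver checks that record against the list server's connecting IP, as the question describes; the list server address `192.0.2.25` and the A-record table are constructed so the code runs offline.

```python
import ipaddress

# Constructed stand-in for DNS A lookups so the example runs offline.
A_RECORDS = {"you.com": ["1.2.3.4"]}
# RFC 7208 qualifier character -> result name.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, a_records=A_RECORDS):
    """Evaluate a subset of SPF (ip4, a:<domain>, all) for one connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in a_records.get(arg, [])
        else:
            return "permerror"  # mechanism outside this subset
        if matched:  # first matching mechanism decides the result
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched: RFC 7208 default result


POSTED = "v=spf1 a:you.com ip4:1.2.3.4 ip4:5.6.7.8 ~all"  # record quoted in the message
LIST_MTA = "192.0.2.25"  # constructed address standing in for the list server


def list_relay_results(list_ip=LIST_MTA):
    """SPF result for mail arriving from the list server under each variant."""
    return {
        "posted (~all)": check_spf(POSTED, list_ip),
        "suggested (?all)": check_spf(POSTED.replace("~all", "?all"), list_ip),
        "list IP added": check_spf(POSTED.replace("~all", f"ip4:{list_ip} ~all"), list_ip),
    }


if __name__ == "__main__":
    print("own server:", check_spf(POSTED, "5.6.7.8"))
    for variant, result in list_relay_results().items():
        print(f"{variant}: {result}")
```

With the list server's address added to the record, the result is `pass` for anything that server relays, which is the spoofing concern raised above.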