Thomas Cameron writes: > But my point is, setting up spf works as expected. I've verified it via > my emails to known correctly configured mail servers like GMail. What I > don't understand is why, when it is apparently set up correctly, are > there mail servers which throw errors when I send email through a > mailing list. Is it a misconfiguration of the mailing list? The mailing list can't do anything about this. It's entirely a conversation between your server and the recipient's. SPF provides a list of authorized IPs. If you put your mailing lists' hosts in there, they're authorized, and the recipient should accept. If you don't, they're not authorized, and the recipient should reject. That's the basic idea in a nutshell. > Is it a misconfiguration of the receivers? No, it's a misunderstanding of what SPF can do. SPF was designed for what IETF mail geeks call "transactional mail flows", such as between you and your bank. By having their own mail server, and mailing you directly from that server, you can have pretty high confidence that it's from your bank, as typical script kiddies are unlikely to be able to spoof your bank's IP. But third-party mailing lists obviously break this model. So if you want to post to mailing lists you must not have their servers match "-" or "~" entries in your SPF configuration (including "all"). What in theory could work is DKIM, which depends on cryptographic signatures, not on (somewhat spoofable) IP source addresses, and therefore is designed to work for indirect mail flows, that have a relay host between your server and the recipient. Unfortunately, DKIM signatures are typically broken by mailing lists because they usually include Subject (which mailing lists add tags and serial numbers to) and the whole body (which mailing lists frequently add footers to). Users have different opinions about tagging Subject, but almost everybody likes footers, especially list admins. *sigh* ARC helps with this by implementing a "transitive trust" model. If a recipient trusts lists.fedoraproject.org, and they say your DKIM verified, this solves both the breakage of your DKIM signature and the DMARC From mismatch because the recipient will use the results from the mailing list's MTA instead of its own for authenticating you. > Why are they failing when I send them through an email list server? Because that's the whole point of SPF. If you do not explicitly authorize an IP to send your email, you want mail coming from that IP to be considered a spoof. That's how SPF provides security, that's the whole design. For a normal individual who does lots of "stuff" with mail from their server, the value in SPF is that when you send *direct* mail, the recipient can be pretty sure that it's someone with a valid account on your server. > What is the misconfiguration that you are saying I have? Using "-all" or "~all" in your SPF configuration. They are saying "reject mail whose last hop source IP isn't explicitly authorized", with "~all" being less strict but any receiver is within their rights to reject (for example, you probably want your bank and your customers to do so, right?) If you use "?all" (or no "all" at all), you're saying "you can trust mail direct from my server to be me, but sometimes I send indirect mail, so use your best judgment if it's not direct from my server." You might think "but why not check the Received fields for my server?" Unfortunately that's very easily, and very frequently, spoofed -- unless you sign them, which is exactly what ARC does. Steve _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
