> Date: Sunday, October 27, 2019 12:17:36 +0000 > From: sebb <sebbaz@xxxxxxxxx> > >> On Sun, 27 Oct 2019 at 09:32, Richard >> <lists-apache@xxxxxxxxxxxxxxxxxxxxx> wrote: >> >> I agree, there are a range of reasons that a receiving host might >> reject a message. When you add in DMARC - because the headers >> aren't rewritten - the chances of rejects, and because of that >> that someone will get kicked off a list, increase dramatically (at >> least for those of us whose ESPs enforce DMARC). >> >> Indeed, the headers on that message don't include any DMARC >> references, and that's the problem. The sender's host/domain >> (helios.jpl.nasa.gov) has DMARC set to "p=reject": >> >> dig txt _dmarc.helios.jpl.nasa.gov >> >> ;; ANSWER SECTION: >> _dmarc.helios.jpl.nasa.gov. 569 IN TXT "v=DMARC1; p=reject; >> >> which means that messages that purport to be from that host/domain >> can't be seen to be being sent from "just anywhere". Because the >> sender's message was (re-)sent from an "apache.org" domain/IP it >> failed DMARC which got it rejected from DMARC-enforcing ESPs. >> >> For anyone using a DMARC-enforcing ESP (of which gmail is one), >> it's fairly routine to get kicked off (or threatened with removal >> from) lists that don't do the necessary rewriting -- which seems >> to include most (all?) of the "apache.org" hosted lists. > > I see, thanks for the clear explanation. > > I've just checked the DMARC filter, and whilst it removes the DKIM > signature, it is also supposed to munge the From line to append > '.INVALID'. > > This does not appear to have happened. > > The script assumes that the DKIM header comes before the From line; > maybe that was not the case here. > > I assume the From rewriting is intended to disable the DMARC check > at the receiving end. > > There are several examples of the From munging on the list, e.g. > > http://mail-archives.apache.org/mod_mbox/httpd-users/201910.mbox/%3 > c158c6a04-ef01-2fce-bf33-aabc673bbae1@xxxxxxxxxxxxxxxxxxxx%3e > The '.INVALID' "From" rewrite works, at least with my DMARC-enforcing ESP, when it's invoked. I got the message you referenced above, as well as about 20 others, from this list over the course of the last ~4 months that were munged that way. The filter is missing enough, however, that I have been threatened with expulsion from this list at least once over that same period (plus 5 times from another ".apache.org" hosted one). --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|