Note: we are talking about @fedoraproject.org aliases here. mailing lists already mitigate this as you note. On Thu, Jan 16, 2025 at 10:11:22PM +0000, Daniel P. Berrangé wrote: > > NB, the "From" rewriting with "via devel" is generally only needed > if someone's domain has configured SPF and DMARC, but has *not* also > configured DKIM. > > DMARC checks pass if either SPF or DKIM checks pass. So as long as > Fedora's forwarding logic *keeps* the existing DKIM signature, and > does not touch any part of the mail covered by the DKIM signature, > it shouldn't matter if SPF fails. I'd have to look if this is the case in alias expansion or not. > > When debugging people's broken mail servers I usually end up > pointing them to this: > > https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html > > NB Fedora could optionally also add its own DKIM signature, as long > as it preserves the senders original DKIM signature. Yes, but for lists we add footers and other things, so the orig signature is bad already. But it doesn't matter as for mailing lists we sign with our own DKIM. > I would just say any domain with SPF + DMARC, but without DKIM just > has a broken mail config & not our problem. All use of mailing lists > is doomed in that scenario unless every list takes countermeasures > to rewrite From. Not worth the hassle for Fedora IMHO. mailing lists, IMHO, are fine. They mitigate things. email aliases however, do not. kevin
Attachment:
signature.asc
Description: PGP signature
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
