I have analysed all the DMARC reports I have received so far and:- SPF check failures only happen when I post to a mailing list (NetBSD or DragonFly).
- Most of the time, it doesn't matter if SPF check fails. Some servers even report they understand the message is coming from a mailing list:
<comment>looks forwarded, not quarantined for DMARC</comment> or <comment>Policy ignored due to local mailing list policy</comment>- On the 24 reports I have analysed, only 2 reported quarantine dispositions when *both* DKIM and SPF checks failed.
Here is an example: <record> <row> <source_ip>199.233.217.200</source_ip> <count>1</count> <policy_evaluated> <disposition>quarantine</disposition> <dkim>fail</dkim> <spf>fail</spf> </policy_evaluated> </row> <identifiers> <header_from>defert.com</header_from> </identifiers> <auth_results> <spf> <domain>netbsd.org</domain> <result>pass</result> </spf> </auth_results> </record> <record> <row> <source_ip>199.233.217.200</source_ip> <count>1</count> <policy_evaluated> <disposition>none</disposition> <dkim>pass</dkim> <spf>fail</spf> </policy_evaluated> </row> <identifiers> <header_from>defert.com</header_from> </identifiers> <auth_results> <dkim> <domain>defert.com</domain> <result>pass</result> </dkim> <spf> <domain>netbsd.org</domain> <result>pass</result> </spf> </auth_results> </record> In the end, you're right, there is probably no need to worry about this. On 09/11/2020 13:49, Greg Troxel wrote:
Vincent DEFERT <20.100%defert.com@localhost> writes:I'm receiving DMARC reports such as the one below. The 199.233.217.200 source_ip points at mail.netbsd.org.Presumably you have configured your own domain for DMARC/DKIM/SPF.My understanding is that when NetBSD's mailing-list software forwards my posts to other subscribers, it keeps my email as sender address instead of replacing it with netbsd-users%netbsd.org@localhost. And because mail.netbsd.org is not listed in my SPF record (of course), those forwarded emails are considered as spam. Am I correct?No. The From: remains you (as it should) and the MAIL FROM (aka Return-Path:) is set to a NetBSD.org address, so that bounces go to the list software, not the author. SPF is required to check Return-Path: rather than From:. I suggest you read this in its entirety, but see especially 1.1.3, 2.3, 2.4, 11.2: https://tools.ietf.org/html/rfc7208 Your message (that I am replying to) arrived at my server and passed both SPF and DKIM validation. It could be that some validators are not doing SPF correctly. I note that in your report there also seem to be DKIM failures. But your message and Ottavio's both passed DKIM at my verifier. Are you finding that every DMARC verifier fails? Or just some?