<div dir="ltr"><div class="gmail_extra">Almost, but not quite…</div><div class="gmail_extra"><br><div class="gmail_quote">On 11 November 2016 at 11:44, Stewart Campbell <span dir="ltr"><<a href="mailto:Stewart.Campbell@pulsion.co.uk" target="_blank">Stewart.Campbell@pulsion.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">The failing for the ‘on behalf of’ issue is actually DKIM – I checked that earlier. Then because there was no SPF record for <a href="http://zend.to" target="_blank">zend.to</a>
and DKIM failed, DMARC quarantined the mail.</span></p></blockquote><div><br></div><div>Previously the messages lacked both a valid SPF record and a DKIM-Signature header. Both being missing meant that Google was flagging list messages with a red warning question mark.</div><div><br></div><div>(If there's no DKIM-Signature header present the receiving site has no way of knowing whether it should have been there, as the DKIM-Signature header provides the "d=" and "s=" data to form the DNS name to look up to retrieve the public key. No DKIM-Signature header = no DNS lookup.)</div><div><br></div><div>There's no DMARC policy published for the <a href="http://zend.to">zend.to</a> domain, so the receiving site can't apply a DMARC policy/quarantine the incoming message because of it.</div><div><br></div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> <u></u><u></u></span></p>
<p class="MsoNormal"><span style="color:windowtext;font-family:Calibri,sans-serif;font-size:11pt">Now you have set the SPF for </span><a href="http://zend.to" target="_blank" style="font-family:Calibri,sans-serif;font-size:11pt">zend.to</a><span style="color:windowtext;font-family:Calibri,sans-serif;font-size:11pt">, SPF should pass and DKIM will still fail, but this will mean that DMARC will pass. Everything
should be ok now. Assuming the DNS change has propagated then this email should no longer be quarantined.</span><br></p></blockquote></div><br>What I'd suggest is:</div><div class="gmail_extra"><ol><li>Correct the SPF record for <a href="http://zend.to">zend.to</a> to include all of the outgoing servers' IP addresses; currently it's missing some.<br><br></li><li>Add a DKIM signature to messages signed using "d=<a href="http://zend.to">zend.to</a>"; this will help messages get delivered, especially if they're forwarded through a non-SRS capable server (which will break the SPF test).<br><br></li><li>Probably continue not publishing a DMARC record… Creating one would have to rely solely on the SPF test passing (which can fail if forwarding/other mailing lists are involved).<br><br>You can't get the DMARC-enhanced DKIM test to pass as it requires the domain of the DKIM-Signature header to align with the address in the "From:" header. As the latter is currently the email address of whichever member sent the message to the list they won't align.</li></ol><div>DMARC and mailing lists don't play nicely unless the mailing list software is a recent version and configured to be DMARC friendly. Typically the rewrite the "From:" header to put the sender's name and address into the textual name field, then use an address from the mailing list's own domain in the "From:" header's actual email address. Recent versions of GNU Mailman etc can do this.</div><div><br></div><div>If it's not done then life is going to get… interesting… for people like myself. We're planning to publish a strict DMARC policy in 2017 saying that only servers listed in our SPF record or with <a href="http://york.ac.uk">york.ac.uk</a> DKIM signatures are authorised to use "@<a href="http://york.ac.uk">york.ac.uk</a>" addresses in our "From:" headers. As it stands I'm not sure how that "the <a href="http://zend.to">zend.to</a> list breaks this requirement" will fir with "but the list's own SPF details pass as it's using an '@<a href="http://zend.to">zend.to</a>' in the envelope MAIL FROM"!</div><div><br></div><div>So you might find my posts to the list suddenly start being quarantined.</div><div>(OK, who was that cheering!!)</div><div class="gmail_extra"><br></div>Cheers,</div><div class="gmail_extra">Mike B-)<br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><font color="#666666">Systems Administrator & Change Manager</font></div><div><font color="#666666">IT Services, University of York, Heslington, York YO10 5DD, UK</font></div><div><font color="#666666">Tel: +44-(0)1904-323811</font></div><div><font color="#666666"><br></font></div><div><font color="#666666">Web:<span style="white-space:pre"> </span><a href="http://www.york.ac.uk/it-services" target="_blank">www.york.ac.uk/it-services</a></font></div><div><font color="#666666">Disclaimer:<span style="white-space:pre"> </span><a href="http://www.york.ac.uk/docs/disclaimer/email.htm" target="_blank">www.york.ac.uk/docs/disclaimer/email.htm</a></font></div></div></div>
</div></div>