openssl-users: DKIM, DMARC and all that jazz, and what it means to us
Lewis Rosenthal
lgrosenthal at 2rosenthals.com
Fri Feb 15 17:33:30 UTC 2019
Hi, Richard...
I'm not going to place my reply after Jakob's, as his makes a number of
excellent points, with many of which I wholeheartedly agree (I'm not big
on DKIM and DMARC, myself). However, a few points specific to the case
at hand, if I may:

Richard Levitte wrote:
> Hi all,
>
> It seems like DMARC, SPF, DKIM, or *something* is tripping us up quite
> a bit. Earlier this afternoon (that's what it is in Sweden at least),
> us postmasters got a deluge of bounce reports from mailman, basically
> telling us that it got something like this:
>
> <user at example.com>: host aspmx.l.google.com[74.125.140.26] said:
> 550-5.7.1 This message does not have authentication information or fails to
> pass 550-5.7.1 authentication checks. To best protect our users from spam,
> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> https://support.google.com/mail/answer/81126#authentication for more 550
> 5.7.1 information. f1si3266960wro.105 - gsmtp (in reply to end of DATA
> command)
>
> There's very little fact of what actually triggered these bounces, but
> they always come from Google, so we're guessing that they're becoming
> increasingly aggressive in their checks of DKIM, SPF, ARC, who knows
> (they don't seem to check DMARC, 'cause we do have one with p=none and
> an address to send DMARC reports to, and I'm hearing absolutely
> nothing from Google, but I do hear from others)
>
The onus for getting the attention of the mail admins at Google needs to
be on those who use their services for mail, and not on a third party.
If this were a non-technical list (the high school soccer team
schedule), I might not expect all of the list members to be able to
discuss in technical terms with the Google mail admins what the problems
may be, but people on this list should be able to get the relevant
points across, citing RFC numbers and so forth.

I often find myself assisting other admins (aren't we all on alternating
sides of that coin?) when we have delivery problems. The biggest hurdle
is getting to the right admin on the "problem" side, which is why the
initial contact needs to come from one of their customers who has been
affected.
> So, to mitigate the problem, we've removed all extra decoration of the
> messages, i.e. the list footer that's usually added and the subject
> tag that indicates what list this is (I added the "openssl-users:"
> that you see manually).
>
I strongly encourage you to re-think this. Everyone else on this list
whose server has been properly configured to not trash legitimate
messages must now be inconvenienced by the needs of a seemingly
tone-deaf provider. (FWIW, I go through this with yahoo.com addresses
all the time; the fault lies there, not in the list configuration - so
long as the list configuration follows the applicable RFC guidelines.)
> So IF you're filtering the messages to get list messages in a
> different folder, based on the subject line, you will unfortunately
> have to change it. If I may suggest something, it's to look at this:
>
> List-Id: <openssl-users.openssl.org>
>
Yes, this can be done, but without the list ID in square brackets in the
subject, what is liable to happen is that the entire string will be
replaced along the line when thread subjects change (e.g., "blah-blah
(was: blah)") and we would all have to remember to type "openssl-users:"
in order to get "organized" subjects (yes, I know; filtering to a
particular folder on the List-Id header should effectively "organize"
list messages by corralling them, but that's not my point). Threading is
liable to go at least slightly off the rails for some of us (depending
upon mail client), and there are a host of potential side effects, all
for what? The next time Google decides to change their filters, should
list managers hop-to and make further changes?

My own thinking is that if list messages cannot proliferate across
Google's infrastructure, then those list members should find alternative
means of subscribing. Undoubtedly, this is not the only list which would
be so affected for them.
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
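
Added example, not part of the original message or of the list's own tooling: why the subject tag and list footer discussed in this thread matter to a DKIM verifier. It assumes the sender's signature uses relaxed canonicalization with sha256 and lists Subject in h=; the sample message, tag and footer are constructed.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, then drop trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Empty lines at the end of the body are ignored.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier compares with the signature's bh= tag (sha256 assumed)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    unfolded = re.sub(r"\r?\n", "", value)
    collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
    return f"{name.lower()}:{collapsed}\r\n".encode()


def survives_list(subject: str, body: bytes, tag: str = "", footer: bytes = b"") -> dict:
    """Report which signed parts still match after the list adds tag/footer."""
    new_subject = f"{tag} {subject}" if tag else subject
    same_subject = relaxed_header("Subject", subject) == relaxed_header("Subject", new_subject)
    return {"subject": same_subject, "body": body_hash(body) == body_hash(body + footer)}


# Constructed sample message and list decoration (not taken from the thread).
SUBJECT = "DKIM, DMARC and all that jazz"
BODY = b"Hi all,\r\n\r\nIt seems like something is tripping us up.\r\n"
FOOTER = b"-- \r\nexample-list mailing list\r\n"

if __name__ == "__main__":
    print("undecorated :", survives_list(SUBJECT, BODY))
    print("tag + footer:", survives_list(SUBJECT, BODY, "[example-list]", FOOTER))
    # Trailing blank lines alone are tolerated by relaxed canonicalization.
    print("blank lines :", survives_list(SUBJECT, BODY, footer=b"\r\n  \r\n"))
```

Either change alone is enough to invalidate the original signature, since both the body hash and the signed Subject header feed into it.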