nanog mailing list archives
Re: is it just me or...
From: Bjørn Mork via NANOG <nanog () lists nanog org>
Date: Sun, 25 May 2025 19:16:19 +0200
Tom Ivar Helbekkmo via NANOG <nanog () lists nanog org> writes:
> SPF broke forwarding, both for individual recipients, and through email distribution lists, because the forwarding server wasn't on the list.
This is not entirely precise. It broke traditional alias forwarding, where the forwarding server would reuse the original envelope sender. But SPF does not break forwarding as long as the forwarding server uses its own proxy envelope sender. Mailing lists have traditionally "always" done this, even before SPF. Remember the "owner-" aliases?
> If the domain in the "From:" header matches the domain where the public key is stored, the recipient knows that the email was DKIM signed by a mail server trusted by the sending domain (since it must have the private key). It can, therefore, assume that the email really is from the "From:" address, and has not been modified along the way.
Yes, so this also works through a forwarding mail server, provided it only changes the envelope. Older mailing list software broke because it messed around with the message content, but that was completely unnecessary. And good to get rid of. Injecting some additional mailing list headers is still fine, and will not break DKIM.
> DMARC, finally, ties these things together. It lets you publish, once again using DNS, a few policy options for the handling of SPF and DKIM, for what you want done with the email, and for reporting back to you what was done, and why. DMARC requires either SPF or DKIM to pass, and you can choose whether you want the recipient system to quarantine or simply refuse email that fails to pass at least one of them.
The big problem with DMARC is that it ties SPF to the From header field, so changing the envelope sender will not work anymore. This forces the forwarder to mess with the From field to align it with an SPF-valid envelope. Which again will break any existing DKIM signature. Which of course can be worked around by adding another DKIM signature. DMARC is broken by design. SPF and DKIM worked fine alone.

Bjørn

NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/PCS7AB6BHYMNMPRQRQDX5PXQS2NYWSBB/
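An added example, not part of Bjørn's message or anything else in this thread: a small Python model of the SPF/DKIM/DMARC interaction the exchange describes, run through the forwarding cases discussed above (alias forwarding that reuses the envelope sender, a list that substitutes its own "owner-"-style envelope sender and leaves the content alone, a list that appends a footer, and a list that rewrites From and re-signs). Everything in it is constructed for illustration: the domains example.org and lists.example.net, the IPs, the static SPF table standing in for DNS TXT lookups, an HMAC standing in for the RSA/Ed25519 DKIM signature (the point is which fields the signature covers, not the algorithm), and a last-two-labels organizational domain in place of the public suffix list that real DMARC relaxed alignment uses.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed stand-in for DNS: IPs each domain authorizes via SPF, and each
# domain's DKIM key (a shared HMAC secret here; a public key in real DKIM).
SPF_TABLE = {"example.org": {"192.0.2.10"}, "lists.example.net": {"198.51.100.5"}}
DKIM_KEYS = {"example.org": b"example-org-key", "lists.example.net": b"list-key"}


@dataclass
class Message:
    mail_from: str                 # RFC5321.MailFrom, the envelope sender
    headers: dict                  # header name -> value (single-valued, for brevity)
    body: str
    dkim_sigs: list = field(default_factory=list)   # (d=, signed header names, sig)


def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[1].lower()


def org_domain(d):
    # Simplification: last two labels; real DMARC consults the public suffix list.
    return ".".join(d.lower().split(".")[-2:])


def spf_check(msg, client_ip):
    """'pass' iff the connecting IP is authorized for the MAIL FROM domain."""
    return "pass" if client_ip in SPF_TABLE.get(domain_of(msg.mail_from), set()) else "fail"


def _dkim_input(msg, signed_headers):
    # What the signature covers: the listed headers plus a hash of the body.
    parts = [f"{h.lower()}:{msg.headers.get(h, '').strip()}" for h in signed_headers]
    parts.append(hashlib.sha256(msg.body.encode()).hexdigest())
    return "\n".join(parts).encode()


def dkim_sign(msg, d, signed_headers):
    sig = hmac.new(DKIM_KEYS[d], _dkim_input(msg, signed_headers), "sha256").hexdigest()
    msg.dkim_sigs.append((d, tuple(signed_headers), sig))


def dkim_verify(msg):
    """Set of d= domains whose signature still verifies against the current content."""
    ok = set()
    for d, hdrs, sig in msg.dkim_sigs:
        expect = hmac.new(DKIM_KEYS[d], _dkim_input(msg, hdrs), "sha256").hexdigest()
        if hmac.compare_digest(expect, sig):
            ok.add(d)
    return ok


def aligned(ident, from_domain, mode):
    return ident == from_domain if mode == "s" else org_domain(ident) == org_domain(from_domain)


def dmarc_evaluate(msg, client_ip, aspf="r", adkim="r"):
    """RFC 7489 section 3.1: pass if SPF passes with an aligned MAIL FROM domain,
    or some DKIM signature verifies with an aligned d= domain."""
    from_domain = domain_of(msg.headers["From"])
    spf = spf_check(msg, client_ip)
    spf_aligned = spf == "pass" and aligned(domain_of(msg.mail_from), from_domain, aspf)
    dkim_aligned = any(aligned(d, from_domain, adkim) for d in dkim_verify(msg))
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


def original_message():
    """Constructed message sent by alice@example.org and DKIM-signed by her domain."""
    m = Message("alice@example.org",
                {"From": "alice@example.org", "To": "nanog@lists.example.net",
                 "Subject": "Re: is it just me or..."},
                "SPF and DKIM worked fine alone.\n")
    dkim_sign(m, "example.org", ["From", "To", "Subject"])
    return m


def relay(msg, own_envelope=False, add_list_header=False, modify_body=False,
          rewrite_from=False):
    """Model a forwarder or list at 198.51.100.5 applying the given transformations."""
    if own_envelope:
        msg.mail_from = "nanog-bounces@lists.example.net"   # "owner-" style proxy sender
    if add_list_header:
        msg.headers["List-Id"] = "<nanog.lists.example.net>"  # not in h=, so harmless
    if modify_body:
        msg.body += "_______\nNANOG mailing list\n"           # invalidates the body hash
    if rewrite_from:
        msg.headers["From"] = "alice via NANOG <nanog@lists.example.net>"
        dkim_sign(msg, "lists.example.net", ["From", "To", "Subject"])  # second signature
    return dmarc_evaluate(msg, "198.51.100.5")


SCENARIOS = {
    "direct from example.org": lambda: dmarc_evaluate(original_message(), "192.0.2.10"),
    "alias forward, envelope reused": lambda: relay(original_message()),
    "list, own envelope, content untouched":
        lambda: relay(original_message(), own_envelope=True, add_list_header=True),
    "list, own envelope, footer added":
        lambda: relay(original_message(), own_envelope=True, modify_body=True),
    "list, footer added, From rewritten and re-signed":
        lambda: relay(original_message(), own_envelope=True, modify_body=True, rewrite_from=True),
}

if __name__ == "__main__":
    for name, run in SCENARIOS.items():
        print(f"{name:50} {run()}")
```

Running it shows the four outcomes the thread argues about: the alias-forwarded copy fails SPF but the untouched DKIM signature keeps DMARC passing; the list's proxy envelope sender passes SPF but is not aligned with the From domain, so DMARC rests entirely on DKIM; appending a footer breaks that signature and DMARC fails; rewriting From to the list domain and adding a second signature restores a pass, at the cost of the original author's From address.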