Will mailing lists "break" if SPF is too restrictive?

E-Mail security sucks. So in the end, you're probably going to be faced with a decision where all your options are terrible, and break different things for different reasons.

As for SPF specifically, a mailing list will cause a failure if it forwards a message, without rewriting the headers. A list can configure itself to work however it pleases, so there isn't a good general answer. But if messages from a list appear to come from the list itself, it's rewriting headers. If it appears to come from the sender, probably not. In general, mailing lists should work well with SPF on its own. Regular mail forwarding, on the other hand, will not.

When it comes to DKIM, any modifications to the message will cause a failure. This almost always occurs with a mailing list. So DKIM will usually bomb with mailing lists. But mail forwarding should be OK.

On top of it all, you've implemented DMARC. This is essentially a reporting infrastructure wrapped around DKIM and SPF. It works best if you implement both authentication measures, but will also work fine with just one. You can configure DMARC to communicate a drop request for your messages, but more importantly, you can specify an address to receive success/failure reports. These are supported by most of the major E-Mail receivers (GMail, Hotmail, Yahoo). This can give you insight on what messages are failing SPF checks, and why. Use this to inform your -all vs ~all decision.

Unfortunately, the DMARC specification requires alignment between the Sender domain and the SPF record that gets checked. In your case, the mailing list's SPF is being checked, and passes, but doesn't align with your domain. So DMARC bombs. Here's a reference from a mailing list administrator griping about as much.

The conclusion is the same as my opening sentence: E-Mail security sucks. And all of your options suck too. IMHO, mailing lists suck as well, and life would be better if we replaced them. ;-)
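The SPF-passes-but-DMARC-fails situation described in this answer, worked through as an added example (not code from the original post): a toy SPF evaluator over a constructed DNS snapshot, plus the DMARC identifier-alignment check. All domains and addresses are hypothetical; `example.org` stands for the sender and `lists.example.net` for the Mailman host.

```python
import ipaddress

# Constructed DNS snapshot for the walkthrough (hypothetical domains, not real records).
DNS = {
    "example.org": {"TXT": "v=spf1 mx -all", "MX": ["mail.example.org"]},
    "mail.example.org": {"A": ["192.0.2.10"]},
    "lists.example.net": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF evaluator: handles mx, a, ip4 and all with +/-/~/? qualifiers."""
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"  # a bare mechanism such as "mx" means "+mx"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if mech in ("a", "mx"):
            target = arg or domain
            hosts = [target] if mech == "a" else DNS.get(target, {}).get("MX", [])
            if any(str(ip) in DNS.get(h, {}).get("A", []) for h in hosts):
                return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and there was no 'all' term


def org_domain(domain):
    # Relaxed DMARC alignment compares organizational domains; this two-label
    # shortcut stands in for a real public-suffix lookup.
    return ".".join(domain.split(".")[-2:])


def dmarc_spf(header_from, envelope_from, client_ip):
    """Returns (spf_result, aligned, dmarc_spf_pass). SPF is evaluated against the
    envelope (Return-Path) domain, but DMARC also needs it to align with From:."""
    result = spf_check(envelope_from, client_ip)
    aligned = org_domain(header_from) == org_domain(envelope_from)
    return result, aligned, result == "pass" and aligned
```

Sending directly from the sender's MX passes and aligns; a list that rewrites the envelope to its own domain gets an SPF pass that does not align, and a plain forwarder that keeps the original envelope gets an SPF fail.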


I've not looked at the DKIM part.

Concerning the SPF record, I see the following used in most examples:

v=spf1 mx -all

This is documented here: http://www.openspf.org/SPF_Record_Syntax

However, "+mx" should also be correct according to RFC 7208 (thanks Chris for pointing this out). Maybe it is still worth a try...

I really don't know what to suggest otherwise... double check all your DNS records (A / PTR / MX). You probably already did so. Knowing the actual domain name might help people troubleshoot, at least if it is DNS related.


Turns out there doesn't seem to be anything wrong with my configuration. What's happening is that my messages are being processed by Mailman correctly, and being relayed out to the list. There are a couple of receivers, however, which (for whatever reason is unique to them) reject the message. Because I have actually correctly configured SPF, I'm seeing the rejection message from those destination SMTP servers, not from the mailing list relay itself.

Some awesome folks in the Arch community helped me chase this one down, as they had access to said ML server.