[sf-lug] REQUEST FOR HELP: Fwd: Mail delivery failed: returning message to sender
Rick Moen
rick at linuxmafia.com
Mon Apr 27 14:44:19 PDT 2020
Ian, I appreciate your time. I'm actually very well briefed on this
matter. CCing the affected mailing list. (I'm the system
owner/operator of linuxmafia.com, and am a senior system administrator
as my profession.)
Quoting Jim Stockford (jim at well.com):
> On 4/26/20 8:35 PM, Ian Sidle wrote:
> >Hi Jim,
> >
> >According to the help article, it looks like it is asking for
> >these four things
> >
> > 1. For mailing lists, also known as "listservs," you should change
> > your sending behavior by adding the mailing lists’ address to the
> > "From:" line, rather than the sender’s address. - I think this is
> > okay...?
This is possible only with a much-later version of GNU Mailman than my system
presently runs. That will become an option only after I complete a
server migration to entirely new hardware and software. To be
accomplished, but not immediately.
> > 4. Setup DMARC - MISSING record
> >working either.
> >https://mxtoolbox.com/SuperTool.aspx?action=mx%3alinuxmafia.com&run=toolpage
I will consider (below) adding a (proper) DMARC reference record. More
about this below.
> > 2. Setup a SPF record - appears valid
Yes, I have had a strongly asserted SPF reference record since the early
2000s, in part because I've found that SPF is a competently drafted,
properly implemented antiforgery extension, in which I have confidence.
> > 3. Setup a DKIM Record - MISSING? [Email header said dkim=none (no
> > signatures found); on my end]
In my considered professional view, DKIM is a badly drafted abortion of
a pseudostandard: Yahoo screwed up its drafting, with adverse effects
all over the Internet. I object to it, and I decline to implement any
part of it on my server.
I will point out that even Yahoo, its inventor and stakeholder, doesn't
consider DKIM obligatory.
Back to DMARC. DMARC is formally defined as a superset of _either_
SPF or DKIM or both; like DKIM, DMARC is a Yahoo invention. I have
basically no confidence in DMARC, considering it (like DKIM) a botched
pseudostandard and an excellent example of Second System Effect.
For the record, contrary to what that CGI claimed linuxmafia.com _does_
have a DMARC DNS record. It exists but has been deliberately
DMARC-non-compliant for some years, now:
$ dig -t txt _DMARC.linuxmafia.com +short
"DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."
$
The above has been a multi-year public nose-thumbing and expression of
non-confidence aimed at Yahoo and at DMARC. But, fine, I'm giving a
real, compliant DMARC record a try at least for a while, starting right
now. As I am drafting this, I'm substituting the above out and going
live with the update. New RR:
$ dig -t txt _DMARC.linuxmafia.com +short
"v=DMARC1\; p=none\; rua=mailto:hostmaster at linuxmafia.com\; ruf=mailto:hostmaster at linuxmafia.com\; fo=1"
$
DMARC is still botchware, but it is now minimally implemented at
linuxmafia.com: According to Yahoo's formal definition of this cruddy
and incompetent standard, existence of a valid SPF RR plus a valid DMARC
RR means the site is DMARC-compliant, without needing to publish an
explicit DMARC policy or a need to implement DKIM.
If that changes, and Yahoo attempts to strongarm third-party sites to
implement DKIM or to implement a specific DMARC policy, then they can
just breathe dust.
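
Added example, not part of the original post: a small Python check of whether a TXT string published at a _dmarc name is a record that receivers will parse as DMARC under RFC 7489, run on the placeholder string quoted above and on a record shaped like the new one. The reporting address dmarc-reports@example.org and all function names are constructed for illustration.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
FO_OPTIONS = {"0", "1", "d", "s"}

def unescape_dig(txt):
    """Undo dig's presentation format: outer quotes and backslash escapes."""
    txt = txt.strip()
    if len(txt) >= 2 and txt[0] == txt[-1] == '"':
        txt = txt[1:-1]
    return re.sub(r"\\(.)", r"\1", txt)

def parse_dmarc(txt):
    """Return (tags, problems); tags is None if a receiver would ignore the record."""
    parts = [p for p in unescape_dig(txt).split(";") if p.strip()]
    pairs = [tuple(s.strip() for s in p.partition("=")[::2]) for p in parts]
    # RFC 7489 section 6.3: v=DMARC1 must be the first tag and match exactly.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None, ["first tag is not v=DMARC1, so the record is ignored"]
    tags, problems = {}, []
    for name, value in pairs:
        if name in tags:
            problems.append(f"duplicate tag: {name}")
        tags[name] = value
    if tags.get("p") not in POLICIES:
        problems.append("p= is missing or not none/quarantine/reject")
    for opt in tags.get("fo", "0").split(":"):
        if opt.strip() not in FO_OPTIONS:
            problems.append(f"unknown fo option: {opt!r}")
    for name in ("rua", "ruf"):
        for uri in filter(None, tags.get(name, "").split(",")):
            if not re.fullmatch(r"mailto:[^@\s]+@[^@\s!]+(![0-9]+[kmgt]?)?", uri.strip()):
                problems.append(f"{name} is not a mailto: URI: {uri!r}")
    return tags, problems

def requests_enforcement(tags):
    """p=none asks only for reports; quarantine/reject ask receivers to act."""
    return tags is not None and tags.get("p") in {"quarantine", "reject"}

# OLD is the placeholder TXT quoted in the message. NEW follows the shape of
# the new record, with a constructed reporting address.
OLD = '"DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."'
NEW = ('"v=DMARC1\\; p=none\\; rua=mailto:dmarc-reports@example.org\\; '
       'ruf=mailto:dmarc-reports@example.org\\; fo=1"')

if __name__ == "__main__":
    for label, txt in (("old", OLD), ("new", NEW)):
        tags, problems = parse_dmarc(txt)
        print(label, tags, problems, requests_enforcement(tags))
```

The placeholder string yields no tags at all, which is why a lookup tool reports the record as missing, while the p=none record parses cleanly and requests reports without asking receivers to quarantine or reject anything.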