Mailing lists SPF DKIM DMARC setup
The other day I saw that the Ruby-talk mailing list had some delivery issues due to adding a list footer.
A modern email system requires SPF, DKIM and DMARC to be set up correctly. But for mailing lists these options are not easy to implement right.
As we know, a mailing list is a forwarding system, so it must first comply with SPF policy. For this purpose, SRS must be implemented for forwarded messages. Without correct SPF, most email systems will reject messages sent from the list server.
SRS does not help with DMARC, because DMARC is designed for the user's sender address, not the list address. The list server implements SRS to rewrite the sender, but this rewriting contributes nothing to DMARC.
DMARC requires two options to be set up: one is SPF, the other is DKIM. Since SPF does not help, it now depends on DKIM. Unfortunately, most list servers change the message body, for example by adding a footer as a signature. That breaks DKIM.
Now DKIM is broken and SPF does not help, so DMARC fails entirely. This sucks, since DMARC is so important in modern email delivery. Many big providers have set their DMARC policy to "reject" on failure, such as these:
_dmarc.mail.ru. 600 IN TXT "v=DMARC1;p=reject;rua=mailto:dmarc_rua@corp.mail" ".ru;"
_dmarc.yahoo.com. 1800 IN TXT "v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com;"
_dmarc.zoho.com. 600 IN TXT "v=DMARC1; p=reject; sp=reject; fo=0; rua=mailto:dmarcaggregation@zoho.com; ruf=mailto:dmarcaggregation@zoho.com"
So my suggestions for mailing lists are:
- SRS must be set up, otherwise SPF will break.
- Do not change the original message, including the body, subject, recipient etc.; any change will break DKIM.
- If such a change is a must, use ARC as the fix.
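The reasoning above (SRS repairs SPF but not DMARC, and an added footer breaks DKIM) can be checked with a small receiver-side model. This is an added example, not code from the original post: the function names, the `author.example` and `lists.example` domains and the sample message are constructed, DKIM is reduced to the RFC 6376 relaxed body hash, and alignment is an exact domain match.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization from RFC 6376, section 3.4.4."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # drop empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a DKIM signer stores in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def receiver_view(signed_body, delivered_body, from_domain, list_domain, srs):
    """Model the receiver's checks for a message relayed by a list server.

    Simplifications: DKIM is reduced to the body-hash comparison (the header
    signature is not modelled) and alignment is an exact domain match.
    """
    # With SRS the envelope sender is in the list's domain, so SPF passes there.
    # Without SRS it is still the author's domain, which does not authorize
    # the list host, so SPF fails.
    spf_domain = list_domain if srs else from_domain
    spf = "pass" if srs else "fail"
    same_hash = body_hash(delivered_body) == body_hash(signed_body)
    dkim = "pass" if same_hash else "fail"
    spf_aligned = spf == "pass" and spf_domain == from_domain
    dkim_aligned = dkim == "pass"          # d= is the author's domain in this model
    dmarc = "pass" if spf_aligned or dkim_aligned else "fail"
    return {"spf": spf, "dkim": dkim, "dmarc": dmarc}

# Constructed sample message and list footer; all domains are placeholders.
BODY = b"Hello list,\r\n\r\nHow do I freeze a nested Hash?\r\n"
FOOTER = b"-- \r\nUnsubscribe: <mailto:list-request@lists.example>\r\n"

if __name__ == "__main__":
    for label, delivered in (("untouched", BODY), ("with footer", BODY + FOOTER)):
        view = receiver_view(BODY, delivered, "author.example", "lists.example", srs=True)
        print(f"{label:12} {view}")
```

With SRS enabled, SPF passes in both runs but only for the list's domain, so the DMARC result follows the DKIM body hash alone.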
Here are the references:
DomainKeys Identified Mail (DKIM)
Domain-based Message Authentication, Reporting and Conformance (DMARC)