Re: Agent and IMAP

[Greg Troxel <gdt@lexort.com>]

Divya Ranjan <divya@subvertising.org> writes:

> Greg Troxel <gdt@lexort.com> writes:
>
>> No clue about your query, but I wanted to point out that gmane use
>> causes spam filtering woes.  Your domain has a DMARC reject policy,
>> and the message as it arrived did not have a DKIM header from your
>> domain, nor was it from your domain's SPF record.
>>
>> Spamassassin says
>>
>> 	*  1.8 DMARC_REJECT DMARC reject policy
>>
>> and I can't say it's wrong.   I would say that it's not ok to use gmane
>> to messages whose From: domain has a DMARC policy (other than none).
>> Yes, that used to be normal...
>
> Can you describe more as to what the issue here is? I’m not sure how
> DMARC affects me, or my engagement with gmane-based newsgroups. With
> regards to my email domain, subvertising.org is one of the aliases
> provided by my email service, Autistici/Inventati
> (autistici.org). What exactly are the consequences of using gmane with
> domains that have DMARC policy?

DKIM is a mail standard, by which a domain publishes (in DNS) keys, and
then cryptographically signs outgoing messages, pointing to the keys via
DNS.  With a valid DKIM signature, one can have confidence that a
messsage was emitted by an authorized MTA for that domain.  (This is not
a signatture from the author, just the domain.)  Properly set up domains
(that do DKIM) sign all outgoing mail.

In 2024, domains that are not set up for DKIM are considered deficient
by any, and will have trouble sending to various large mail systems.

With DKIM, one can "welcomelist_from_dkim" and only pass mail that is
not only From: that user but also DKIM signed.  Hence forged mail from
that user won't pass and won't get welcomelisted.

DMARC is a mail standard, by which a domains publishes (in DNS) a policy
about how mail that claims to be from that domain is handled.  The
choices are basically

  don't publish a record
  none
  quarantine
  reject

The first two are more or less equivalent.  For the second two, there is
a concept of passing validation.  There are two ways to pass.  One is to
pass DKIM from that domain.  The other is to pass SPF, which means the
message was delivered from an IP address listed in the SPF record (also
in DNS).   If a message passes, it is supposed to be treated normally.
If a message does not pass, and the policy is quarantine, it is supposed
to be filed as spam.   If a message does not pass, and the policy is
reject, it is supposed to be rejected at the MTA level.

> Apologies if it has or might cause any inconvenience, I am unaware of this.

Don't feel bad -- many people are not aware of this, and it's
complicated stuff.

Your domain -- operated by your provider -- has a DMARC reject policy,
said my spam filter.  That's ok, and normal these days.   But, your
provider should have explained to you that thet *only* way you can send
mail from your domain is via their outgoing mail servers.   Not gmail,
not some other random ISP, and not gmane....

When you send mail via some other server, it will lack a DKIM signature.
And it will not arrive from autistici/inventati servers, as listed in
the SPF record.  Thus the proper response of a receiver is to reject it.

https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3asubvertising.org&run=toolpage#
https://mxtoolbox.com/SuperTool.aspx?action=spf%3asubvertising.org&run=toolpage#

yahoo/aol/verizon is notable for having a dmarc reject policy.   I
increasing expect banks etc. to have that; it protects users from mail
with forged return addresses.

Some will say that everyone should welcomelist mail from lists they are
on.  Perhaps, but I don't think that makes it ok to send non-passing
mail from a DMARC domain.

The painful details:

https://datatracker.ietf.org/doc/html/rfc6376
https://datatracker.ietf.org/doc/rfc7489/