From: Greg Troxel
To: Divya Ranjan
Cc: ding@gnus.org
Subject: Re: Agent and IMAP
Date: Fri, 11 Oct 2024 19:36:21 -0400

Divya Ranjan writes:

> Greg Troxel writes:
>
>> No clue about your query, but I wanted to point out that gmane use
>> causes spam filtering woes.  Your domain has a DMARC reject policy,
>> and the message as it arrived did not have a DKIM header from your
>> domain, nor was it from your domain's SPF record.
>>
>> Spamassassin says
>>
>>   * 1.8 DMARC_REJECT DMARC reject policy
>>
>> and I can't say it's wrong.  I would say that it's not ok to use gmane
>> to messages whose From: domain has a DMARC policy (other than none).
>> Yes, that used to be normal...
>
> Can you describe more as to what the issue here is? I’m not sure how
> DMARC affects me, or my engagement with gmane-based newsgroups.
> With regards to my email domain, subvertising.org is one of the aliases
> provided by my email service, Autistici/Inventati
> (autistici.org). What exactly are the consequences of using gmane with
> domains that have DMARC policy?

DKIM is a mail standard, by which a domain publishes (in DNS) keys, and
then cryptographically signs outgoing messages, pointing to the keys via
DNS.  With a valid DKIM signature, one can have confidence that a
message was emitted by an authorized MTA for that domain.  (This is not
a signature from the author, just the domain.)  Properly set up domains
(that do DKIM) sign all outgoing mail.  In 2024, domains that are not
set up for DKIM are considered deficient by any, and will have trouble
sending to various large mail systems.

With DKIM, one can "welcomelist_from_dkim" and only pass mail that is
not only From: that user but also DKIM signed.  Hence forged mail from
that user won't pass and won't get welcomelisted.

DMARC is a mail standard, by which a domain publishes (in DNS) a policy
about how mail that claims to be from that domain is handled.  The
choices are basically

  don't publish a record
  none
  quarantine
  reject

The first two are more or less equivalent.  For the second two, there is
a concept of passing validation.  There are two ways to pass.  One is to
pass DKIM from that domain.  The other is to pass SPF, which means the
message was delivered from an IP address listed in the SPF record (also
in DNS).

If a message passes, it is supposed to be treated normally.

If a message does not pass, and the policy is quarantine, it is supposed
to be filed as spam.

If a message does not pass, and the policy is reject, it is supposed to
be rejected at the MTA level.

> Apologies if it has or might cause any inconvenience, I am unaware of this.

Don't feel bad -- many people are not aware of this, and it's complicated
stuff.

Your domain -- operated by your provider -- has a DMARC reject policy,
said my spam filter.  That's ok, and normal these days.
But, your provider should have explained to you that the *only* way you
can send mail from your domain is via their outgoing mail servers.  Not
gmail, not some other random ISP, and not gmane....

When you send mail via some other server, it will lack a DKIM signature.
And it will not arrive from autistici/inventati servers, as listed in
the SPF record.  Thus the proper response of a receiver is to reject it.

https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3asubvertising.org&run=toolpage#
https://mxtoolbox.com/SuperTool.aspx?action=spf%3asubvertising.org&run=toolpage#

yahoo/aol/verizon is notable for having a dmarc reject policy.  I
increasingly expect banks etc. to have that; it protects users from mail
with forged return addresses.

Some will say that everyone should welcomelist mail from lists they are
on.  Perhaps, but I don't think that makes it ok to send non-passing
mail from a DMARC domain.

The painful details:

https://datatracker.ietf.org/doc/html/rfc6376
https://datatracker.ietf.org/doc/rfc7489/
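
The receiver-side decision described in the message above (pass via DKIM or SPF for the From: domain, otherwise apply the published policy), as an added example that is not part of the original message. It goes slightly beyond the message by checking that the authenticated domain matches the From: domain; example.org, the gateway and list hostnames and the records are constructed, and alignment is simplified to an exact match.

```python
# Added example: simplified DMARC receiver decision (strict alignment only).
# Domains, records and results below are constructed for illustration.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = (p.partition("=") for p in (record or "").split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in parts if k.strip()}
    return tags if tags.get("v") == "DMARC1" else None

def aligned(auth_domain, from_domain):
    # Assumption: strict alignment (exact match). Relaxed alignment, the
    # DMARC default, compares organizational domains and needs the
    # Public Suffix List, which is left out here.
    return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")

def dmarc_disposition(from_domain, record, dkim_results, spf_result):
    """Return 'deliver', 'quarantine' or 'reject' for one message.

    dkim_results: list of (d= domain, signature_verified) tuples
    spf_result:   (envelope MAIL FROM domain, spf_passed)
    """
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower() if tags else "none"
    dkim_ok = any(ok and aligned(d, from_domain) for d, ok in dkim_results)
    spf_ok = spf_result[1] and aligned(spf_result[0], from_domain)
    if dkim_ok or spf_ok:
        return "deliver"            # passed: treat normally
    if policy in ("quarantine", "reject"):
        return policy               # failed under an enforcing policy
    return "deliver"                # no record or p=none: no DMARC action

REJECT = "v=DMARC1; p=reject"       # constructed record for example.org
CASES = {
    "sent via the provider's own server":
        ("example.org", REJECT, [("example.org", True)], ("example.org", True)),
    "posted through a third-party gateway, no DKIM":
        ("example.org", REJECT, [], ("gateway.example.net", True)),
    "list relay that keeps the author's DKIM signature intact":
        ("example.org", REJECT, [("example.org", True)], ("lists.example.net", True)),
    "same gateway path, but the domain publishes p=none":
        ("example.org", "v=DMARC1; p=none", [], ("gateway.example.net", True)),
}

if __name__ == "__main__":
    for label, args in CASES.items():
        print(f"{dmarc_disposition(*args):10s} {label}")
```

The second case is the one the message describes: SPF passes only for the gateway's own envelope domain and there is no signature from the From: domain, so a p=reject policy applies.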