DMARC problems
From: Eric Beavers ------------------------------------------------------ I'm getting reports that I'm not sure how to read in regard to chugalug = email. Can someone tell me if this is a _me_ problem or a _chugalug_ = problem? ``` 1.0 Fastmail Pty Ltd reports@fastmaildmarc.com https://fastmail.com/ 1247951981 1721174400 1721260799 carryingstones.com none none 100 0 50.116.36.169 3 none fail fail mailing_list Policy ignored due to local mailing list policy chugalug.org carryingstones.com chugalug.org mfrom pass ``` -- **Eric Beavers** Any spelling or grammatical errors found in the above post are = deliberate and included to boost the self‑esteem of those who spot = them.=============================================================== From: Dave Brockman ------------------------------------------------------ I don't see any DKIM in list headers. SPF passes. Do you forward mail sent to carryingstones.com anywhere else? With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC
=============================================================== From: Eric Beavers ------------------------------------------------------ Thanks for the quick feedback! No forwarding on that account. Checked via local third-party client (MailMate on my MacBook Pro). Using instructions at https://easydmarc.com/tools/dkim-record-generator, I generated a key pair (saved locally in `~/.ssh`) and added a DKIM TXT record to my DNS. Hopefully, this will patch up my issue. -- **Eric Beavers** Any spelling or grammatical errors found in the above post are deliberate and included to boost the self‑esteem of those who spot them.
=============================================================== From: Dave Brockman ------------------------------------------------------ Slow morning waiting on the coffee to kick in :) That's well and good, but if your email server isn't using that key to sign the outgoing emails, it's not going to help :) I can't think of anyway publishing a DKIM key and not signing will hurt, but definitely won't change anything in regards to your original query. https://www.proofpoint.com/us/threat-reference/dkim Above link gives a decent job describing DKIM/SPF/DMARC, how they work, etc. With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC
=============================================================== From: Eric Beavers ------------------------------------------------------ Lucky for me! I figured as much. That seemed _way_ too easy. I'll keep reading and figure this out. Thanks for the pointers! -- *Eric Beavers*
=============================================================== From: Dave Brockman ------------------------------------------------------ The report in your original query indicates you sent 3 emails to the list. Or, more correctly, the list sent 3 emails from your email domain (that fastmast mail saw). Those messages aligned via chugalug.org's SPF, but failed SPF and DKIM validation for carryingstones.com. You can't actually fix that. Well, you could add chugalug's server to your SPF records, but I wouldn't advise you to do that. Now you know how SPF/DKIM/DMARC broke mailing lists. Most of them rewrite the "from" to become the list-server address to work around this. Cheers, --dtb
=============================================================== From: Eric Beavers ------------------------------------------------------ I added the DNS DKIM entry to my Linode server (where the DNS is managed) and added the DKIM keys to `~/.ssh` on the server. I hope that gets it done on my end. For the record, Fastmail indicates DKIM is set up correctly (although it said so before as well, so I think it was really looking at DMARC).
=============================================================== From: Dave Brockman ------------------------------------------------------ Unless chugalug is stripping the headers, your email is not DKIM signed. If you check the headers in my emails, you should see something like: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=brockmans.com; h= content-transfer-encoding:content-type:in-reply-to:from :content-language:references:to:subject:user-agent:mime-version :date:message-id; s=dkim; t=1721746622; x=1722610623; bh=RDM68av uOjfOgq8JdalqHHXq/nU631PxoHaTwyyLwtI=; b=BIEwz8JFE7PzQBuz7wOHHEG CVg6L3fose83wU9O7qnW04rqGBniTezFRkjMoTceKEaA97hO0aR44jgfpK5EwmFw iw3JU7pn0uCP9abSlIaX1S7OU27Xkk11raYOAjrqFuBiiog7tysCOrv+fIwtSMn4 6kelLkqGYlT4gc1kfHkIlaG1A6OizBfOUTpFQ3NCmh7fhBq7mB/wnWc3D6H61HwF toXgxnWXHbFdkFYOzAnG7l1WaV3/XZPnnnjNrgw+VXmGzlY1CZ2A1fsj7xsDSy0C YFjSdJXpSXQRcpFF+8wXW+bRIGnZ0+Gt8ETgyTblG5aoCv7/m+uPjoV0t052JCw= = I can't tell if the list strips because the list doesn't send my own emails back. Send me an email directly so I can check your headers. With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC
=============================================================== From: Houston Bova ------------------------------------------------------ All of the emails in this thread are showing me the “ This email has failed its domain's authentication requirements. It may be spoofed or improperly forwarded.” On Tue, Jul 23, 2024 at 1:20 PM, Dave Brockman
=============================================================== From: Dave Brockman ------------------------------------------------------ Welcome to mailing lists in 2024. SPF/DKIM/DMARC killed them. With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC l has=20 d. ns.com; h=3D av hat h it
=============================================================== From: Mike Harrison ------------------------------------------------------ Am trying hard. People that use Cloudmark are currently blocking this system, I've gone through their de-listing procedure at Please visit http://csi.cloudmark.com/reset-request/?ip=50.116.36.169 multiple times and all it really gets me is marketing materials from them about how I need to pay them $$$ for things. This is the only one kicking mail back right now. So sorry: ryan@ryanfreelan..... and ghasty@hastypudd.... Whats fun is, because you are intelligent, you have protections setup..
=============================================================== From: Mike Harrison ------------------------------------------------------ Yeah, something in DKIM (opendkim) needs to be configured or MELEE needs to rewrite the headers better when the origin is from off this server. Working on it on the test list. --Mike--
=============================================================== From: Eric Beavers ------------------------------------------------------ For the record, I received this message. ;) -- Eric
=============================================================== From: Med Dement ------------------------------------------------------ I received this message also.... Med Dement med@hophoto.com 423-894-6448 wrote: email has=20 needs to rewrite the headers better when the origin is from off this = server.
=============================================================== From: Eric Beavers ------------------------------------------------------ I'm getting reports that I'm not sure how to read in regard to chugalug = email. Can someone tell me if this is a _me_ problem or a _chugalug_ = problem? ``` 1.0 Fastmail Pty Ltd reports@fastmaildmarc.com https://fastmail.com/ 1247951981 1721174400 1721260799 carryingstones.com none none 100 0 50.116.36.169 3 none fail fail mailing_list Policy ignored due to local mailing list policy chugalug.org carryingstones.com chugalug.org mfrom pass ``` -- **Eric Beavers** Any spelling or grammatical errors found in the above post are = deliberate and included to boost the self‑esteem of those who spot = them.
=============================================================== From: Dave Brockman ------------------------------------------------------ I don't see any DKIM in list headers. SPF passes. Do you forward mail sent to carryingstones.com anywhere else? With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC
=============================================================== From: Eric Beavers ------------------------------------------------------ Thanks for the quick feedback! No forwarding on that account. Checked via local third-party client (MailMate on my MacBook Pro). Using instructions at https://easydmarc.com/tools/dkim-record-generator, I generated a key pair (saved locally in `~/.ssh`) and added a DKIM TXT record to my DNS. Hopefully, this will patch up my issue. -- **Eric Beavers** Any spelling or grammatical errors found in the above post are deliberate and included to boost the self‑esteem of those who spot them.
=============================================================== From: Dave Brockman ------------------------------------------------------ Slow morning waiting on the coffee to kick in :) That's well and good, but if your email server isn't using that key to sign the outgoing emails, it's not going to help :) I can't think of anyway publishing a DKIM key and not signing will hurt, but definitely won't change anything in regards to your original query. https://www.proofpoint.com/us/threat-reference/dkim Above link gives a decent job describing DKIM/SPF/DMARC, how they work, etc. With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC
=============================================================== From: Eric Beavers ------------------------------------------------------ Lucky for me! I figured as much. That seemed _way_ too easy. I'll keep reading and figure this out. Thanks for the pointers! -- *Eric Beavers*
=============================================================== From: Dave Brockman ------------------------------------------------------ The report in your original query indicates you sent 3 emails to the list. Or, more correctly, the list sent 3 emails from your email domain (that fastmast mail saw). Those messages aligned via chugalug.org's SPF, but failed SPF and DKIM validation for carryingstones.com. You can't actually fix that. Well, you could add chugalug's server to your SPF records, but I wouldn't advise you to do that. Now you know how SPF/DKIM/DMARC broke mailing lists. Most of them rewrite the "from" to become the list-server address to work around this. Cheers, --dtb
=============================================================== From: Eric Beavers ------------------------------------------------------ I added the DNS DKIM entry to my Linode server (where the DNS is managed) and added the DKIM keys to `~/.ssh` on the server. I hope that gets it done on my end. For the record, Fastmail indicates DKIM is set up correctly (although it said so before as well, so I think it was really looking at DMARC).
=============================================================== From: Dave Brockman ------------------------------------------------------ Unless chugalug is stripping the headers, your email is not DKIM signed. If you check the headers in my emails, you should see something like: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=brockmans.com; h= content-transfer-encoding:content-type:in-reply-to:from :content-language:references:to:subject:user-agent:mime-version :date:message-id; s=dkim; t=1721746622; x=1722610623; bh=RDM68av uOjfOgq8JdalqHHXq/nU631PxoHaTwyyLwtI=; b=BIEwz8JFE7PzQBuz7wOHHEG CVg6L3fose83wU9O7qnW04rqGBniTezFRkjMoTceKEaA97hO0aR44jgfpK5EwmFw iw3JU7pn0uCP9abSlIaX1S7OU27Xkk11raYOAjrqFuBiiog7tysCOrv+fIwtSMn4 6kelLkqGYlT4gc1kfHkIlaG1A6OizBfOUTpFQ3NCmh7fhBq7mB/wnWc3D6H61HwF toXgxnWXHbFdkFYOzAnG7l1WaV3/XZPnnnjNrgw+VXmGzlY1CZ2A1fsj7xsDSy0C YFjSdJXpSXQRcpFF+8wXW+bRIGnZ0+Gt8ETgyTblG5aoCv7/m+uPjoV0t052JCw= = I can't tell if the list strips because the list doesn't send my own emails back. Send me an email directly so I can check your headers. With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC
=============================================================== From: Houston Bova ------------------------------------------------------ All of the emails in this thread are showing me the “ This email has failed its domain's authentication requirements. It may be spoofed or improperly forwarded.” On Tue, Jul 23, 2024 at 1:20 PM, Dave Brockman
=============================================================== From: Dave Brockman ------------------------------------------------------ Welcome to mailing lists in 2024. SPF/DKIM/DMARC killed them. With Gratitude, Dave Brockman Senior Network Engineer Gig City Cloud, LLC l has=20 d. ns.com; h=3D av hat h it
=============================================================== From: Mike Harrison ------------------------------------------------------ Am trying hard. People that use Cloudmark are currently blocking this system, I've gone through their de-listing procedure at Please visit http://csi.cloudmark.com/reset-request/?ip=50.116.36.169 multiple times and all it really gets me is marketing materials from them about how I need to pay them $$$ for things. This is the only one kicking mail back right now. So sorry: ryan@ryanfreelan..... and ghasty@hastypudd.... Whats fun is, because you are intelligent, you have protections setup..
=============================================================== From: Mike Harrison ------------------------------------------------------ Yeah, something in DKIM (opendkim) needs to be configured or MELEE needs to rewrite the headers better when the origin is from off this server. Working on it on the test list. --Mike--
=============================================================== From: Eric Beavers ------------------------------------------------------ For the record, I received this message. ;) -- Eric
=============================================================== From: Med Dement ------------------------------------------------------ I received this message also.... Med Dement med@hophoto.com 423-894-6448 wrote: email has=20 needs to rewrite the headers better when the origin is from off this = server.