official FreeBSD mailing lists vs DMARC, DKIM, SPF

[dch]

Has anybody already been through the process of setting up this infamous trio on their own domain, and still having email pass through the FreeBSD mailing lists successfully?

 

[zirias@]

Sure. Never had a problem. I use SPF with "soft fail" (~all) and DMARC only in report mode (p=none), not sure whether that's relevant...

 

[dch]

Aah yeah I have gone a bit stronger here. As soon as I try to use reject its clear that FreeBSD mailing lists are not permitted on my sending list. It would be nice to fix that somehow.

 

[zirias@]

Ah! So what's failing is the final delivery, which of course makes sense with e.g. a hard fail configured for SPF. Of course, one could whitelist FreeBSD's servers, but that's fragile (IP adresses of FreeBSD are not under your control) and doesn't solve the problem in general.

I personally think the option of "hard fails" in these things doesn't make too much sense. There are too many possibilities how this could break, with "mailing lists" just being a prominent one ... some MUA with a "resend mail" function would be enough for example. IMHO, the sanest usage for SPF, DKIM and DMARC is as one source to compute a "score" for the mail (like rspamd and spamassassin can do it, and I'm pretty sure the large email providers also apply similar things). But as soon as you configure a hard fail, the receiver must reject the mail, regardless of all the other factors that would likely identify it as legitimate ...