Mailing list domain fails DMARC checks

I received the monthly reminder that I'm subscribed to the announcements mailing list (which I appreciate being reminded about) and the mail forwarding service attached a warning about the mail coming from an unauthorised domain:

Also, a quick check in an online tool I found confirms that there is an issue: https://mxtoolbox.com/SuperTool.aspx?action=mx%3Alists.openwrt.org&run=toolpage

I emailed mailman-owner@lists.openwrt.org with this issue but I'm not 100% sure if that mailbox is watched.

cc @dwmw2 who maintains it (AFAIK).

Hi, thanks for the report. Can you be specific about what's wrong? There are no authentication requirements advertised for lists.openwrt.org, are they?

From what I can see, the subdomain 'lists.openwrt.org' does not have an SPF record but 'forum.openwrt.org' does.

A DMARC record exists on the parent 'openwrt.org' and is specified to include subdomains.

So mail from lists.openwrt.org will fail SPF checks but AFAICS both subdomains have DKIM enabled and so it's likely the mail forwarding system being a bit 'picky'.

If there is no SPF record, how can it fail SPF checks?

OK, 'fail' is maybe a bad description; in reality it will not PASS SPF checks.

Despite SPF & DKIM being non-mandatory standards, these days many of the larger email services are insisting on both SPF & DKIM being configured for bulk mailers.

Whilst DMARC & DKIM can be configured on the parent domain in 'relaxed' mode and thus apply to any subdomain, an SPF record must be configured for the subdomain.

Admittedly, I'm not up to date with all the email domain verification technologies, but my take about the message that I reported is:

  1. It's just a warning, I still got the email. Other mailboxes or relays might block it.
  2. There are three different ways to authenticate email domains: DMARC, DKIM and SPF. Each is quite separate from the others.
  3. The DMARC setup for lists.openwrt.org is missing some verification DNS record.

@trafalgartan

> It's just a warning, I still got the email. Other mailboxes or relays might block it.

Correct

> There are three different ways to authenticate email domains: DMARC, DKIM and SPF. Each is quite separate from the others.

Not quite, SPF & DKIM are the different ways to authenticate. DMARC defines what the receiving server should do if authentication checks fail.

> The DMARC setup for lists.openwrt.org is missing some verification DNS record.

Sort of. The DMARC record is correctly defined for openwrt.org and is configured to cover all subdomains. However, SPF is not configured for lists.openwrt.org.

openwrt.org has a DMARC policy of 'None' which should mean 'take no action' on mail failing authentication checks. However, some receiving systems will treat email failing authentication as suspect and/or increase its spam scoring level.

update: I see lists.openwrt.org now has an SPF record
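
The lookup behaviour discussed in this thread, as an added example that is not part of the thread or any participant's code: the DMARC record is found by falling back to the parent domain, the SPF record is not, and a DMARC pass needs only one aligned mechanism. The zone below is constructed `example.org` data (not the real openwrt.org records); the two-label organizational-domain shortcut and treating a published SPF record as a pass are simplifying assumptions.

```python
# Constructed TXT records standing in for DNS; not the real openwrt.org zone.
ZONE = {
    "example.org": ["v=spf1 mx -all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; adkim=r; aspf=r"],
    "forum.example.org": ["v=spf1 a -all"],
    # lists.example.org deliberately has no SPF record of its own
}

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def spf_record(domain):
    """SPF is looked up at the exact domain only; there is no parent fallback."""
    for txt in ZONE.get(domain, []):
        if txt.startswith("v=spf1"):
            return txt
    return None

def dmarc_policy(from_domain):
    """DMARC lookup: _dmarc.<From domain>, then _dmarc.<organizational domain>."""
    for name in (from_domain, org_domain(from_domain)):
        for txt in ZONE.get("_dmarc." + name, []):
            if txt.startswith("v=DMARC1"):
                tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
                # An inherited record applies sp= to subdomains when present, else p=
                key = "sp" if name != from_domain and "sp" in tags else "p"
                return tags[key], tags
    return None, {}

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, envelope_domain, dkim_domain, dkim_valid):
    policy, tags = dmarc_policy(from_domain)
    # Sender IP matching is out of scope: a published record counts as "pass" here
    spf = "pass" if spf_record(envelope_domain) else "none"
    spf_ok = spf == "pass" and aligned(envelope_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_valid and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return {"spf": spf, "policy": policy, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}
```

With the list subdomain lacking SPF, the SPF result is `none` rather than `fail`, and the DMARC outcome then depends entirely on whether the DKIM signature is valid and aligned.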