
A properly configured mailing list should work just fine with both SPF and DKIM. Especially SPF should not be an issue at all.


A mailing list will _always_ break SPF. When forwarding messages to mailing list subscribers, the mailing list server will not match the host in the "From" header field.


One of SPF's shortcomings is that it doesn't act upon the `From` header at all, which is the name/address the recipient most often is shown. Instead, it acts upon the `Return-Path` header, which a well configured mailing list will set to a domain it controls.


Alright, I took a shortcut: SPF will verify, but for the wrong domain. It'll break when used together with DMARC's alignment checks.


> SPF will verify, but for the wrong domain

I can see that argument, but - it's kinda a philosophical question about "who the sender is". Is the person who typed out the text? Or is it the server which transcribed that text into N new emails?

The ML server will verify the original author's SPF. The N recipients will verify the ML server's SPF - the chain (which matches the series of MTAs involved) is still verified end to end.

> It'll break when used together with DMARC's alignment checks.

Yea, DMARC is a much bigger issue for mailing lists, but that's no reason to say "A mailing list will _always_ break SPF" - a well configured* ML has no issues with SPF at all.

* And, yes - the definition of "well configured" had to change when SPF was introduced, that's of course annoying, but there have been many, many years for ML operators to make these changes.


> The ML server will verify the original author's SPF. The N recipients will verify the ML server's SPF - the chain (which matches the series of MTAs involved) is still verified end to end.

The recipients have no way to check that the mailing list server has checked SPF/DKIM/DMARC. Mailing lists very rarely drop messages because of a failing SPF/DKIM/DMARC check.

ARC tries to fix this, but requires recipients to trust the mailing list server. Just using plain DKIM is much better; recipients can treat ML-forwarded emails just like direct emails.


Yes, it is DMARC which can break mailing lists. Neither SPF nor DKIM breaks them assuming the mailing list does not modify the mail.
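As an added illustration of the alignment point made in this thread (it is not code from any commenter), here is a simplified DMARC evaluation applied to a message relayed through a mailing list. The domains `example.org` and `lists.example.net`, the relaxed/strict modes and the "list modified the message" switch are constructed for the example; real verifiers use the Public Suffix List for organizational domains and actually verify the SPF record and DKIM signature.

```python
from dataclasses import dataclass
from typing import Optional

def org_domain(domain: str) -> str:
    # Crude organizational-domain approximation (last two labels).
    # Real implementations consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    # DMARC identifier alignment: "s" (strict) needs an exact match,
    # "r" (relaxed) only needs the same organizational domain.
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    from_domain: str            # domain of the RFC5322.From header
    return_path_domain: str     # envelope sender (Return-Path) domain
    spf_result: str             # SPF verdict for return_path_domain
    dkim_domain: Optional[str]  # d= of a signature that verified, or None

def dmarc_evaluate(msg: Message, adkim: str = "r", aspf: str = "r") -> dict:
    # SPF only counts if it passed AND its domain aligns with From;
    # DKIM only counts if a signature verified AND its d= aligns with From.
    spf_aligned = (msg.spf_result == "pass"
                   and aligned(msg.from_domain, msg.return_path_domain, aspf))
    dkim_aligned = (msg.dkim_domain is not None
                    and aligned(msg.from_domain, msg.dkim_domain, adkim))
    return {"spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

def relayed_through_list(list_modified_message: bool) -> dict:
    # Constructed scenario: alice@example.org posts to a list hosted at
    # lists.example.net. The list rewrites Return-Path to its own domain, so
    # SPF passes for lists.example.net but is not aligned with example.org.
    # The author's DKIM signature (d=example.org) survives only if the list
    # left the signed headers and body untouched.
    msg = Message(
        from_domain="example.org",
        return_path_domain="lists.example.net",
        spf_result="pass",
        dkim_domain=None if list_modified_message else "example.org",
    )
    return dmarc_evaluate(msg)

if __name__ == "__main__":
    print("unmodified relay:", relayed_through_list(False))   # dmarc: pass
    print("subject-tagged relay:", relayed_through_list(True))  # dmarc: fail
```

The unmodified relay passes DMARC only through the aligned DKIM signature; once the list touches signed content, neither identifier aligns and the message fails regardless of the SPF pass.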


Failing SPF doesn’t matter if a DMARC policy is in place. You just need to pass SPF or DKIM at that point. It’s why it’s important to set up both.

Both fill in gaps in the use case of the other.


It depends. I've seen some servers with a DMARC policy which fails when SPF fails.

DKIM completely supersedes SPF, hence my recommendation to just skip SPF.


It does, but it’s more involved to set up, so depending on how many different sources your domain is using you may not be able to use DKIM everywhere.

Additionally, DKIM keys need to be rotated periodically just like SSL. Many services like Sendgrid or ProtonMail will handle this for you now by setting up multiple CNAME records so they can rotate the keys for you, but it only works with that sender.

SPF helps to address the gaps. I totally agree that strict DMARC policy plus DKIM should be enough though.


You're far from your original claim that "SPF always breaks mailing-list". You are now at "there is a way to configure DMARC that breaks mailing-lists".



