> It's my understanding that DMARC accepts mail that either passes DKIM or SPF, but fails mail that fails both.

Yes but if the mailing list tries to use the from header of the sender to the list, then it cannot pass spf or dkim because it's not the server responsible for the domain in question.

ChrisP.


On 22/07/2016 11:41 p.m., surgemailHIDDEN@etwinsite.com wrote:
> surgemail-support <surgemailHIDDEN@t@netwinsite.com> wrote:
>> Ooops, sorry I thought you'd already changed the from, yes you need to
>> set it to be from the list.
>>
>> from_list true
>>
>> No there's no nice work around that I know of, they are specifically
>> stopping forged from headers which is what mailing lists traditionally use.
>>
>>      ChrisP.
>>
>>
>> On 28/04/2016 3:17 p.m., Neil Herber (nospam) wrote:
>>>  From my tests, setting sender_list true has no effect. The mail is
>>> still rejected. I am pretty sure that DMARC only looks at the FROM header.
>>>
>>> An online article suggested that removing the DKIM signature from the
>>> forwarded mail would solve the problem, but it does not. The mail gets
>>> refused as unauthenticated.
>>>
>>> It looks like I am reduced to banning Yahoo senders or stripping the
>>> sender data and making all the mail appear to come from the list
>>> rather than the original senders.
>>>
>>> Neil
>>>
>>>
>>> On 2016-04-27 6:02 PM, surgemail-support wrote:
>>>> I think the short answer is set:
>>>>      sender_list true
>>>> to rewrite the sender header.
>>>>
>>>>      ChrisP.
>>>>
>>>>
>>>> On 28/04/2016 7:53 a.m., Neil Herber (nospam) wrote:
>>>>> I have several small, closed mailing lists running on SurgeMail. A
>>>>> new list member has a YAHOO address, and the mail he sends gets
>>>>> rejected by Gmail, Hotmail, Yahoo, and others with this error message:
>>>>>
>>>>>> Site gmail.com (173.194.74.27) said after data sent: 550 5.7.1 initiative.
>> rc7si2769636igc.23 - gsmtp 550-5.7.1 Unauthenticated email from yahoo.ca
>> is not accepted due to domain's\n550-5.7.1 DMARC policy. Please contact administrator
>> of yahoo.ca domain if this\n550-5.7.1 was a legitimate mail. Please visit\n550-5.7.1https://support.google.com/mail/answer/2451690
>> to learn about DMARC
>>>>> I suspect that the sender's FROM address is triggering this false
>>>>> positive, even though:
>>>>>
>>>>> 1) The return path is set to Return-Path: <servicenameHIDDEN@@eton.ca>
>>>>>
>>>>> 2) The reply-to is set to Reply-To:HIDDEN@ename@eton.ca
>>>>>
>>>>> 3) The sender was verified by SPF "Received-SPF: pass (Last token
>>>>> {ptr:yahoo.com} (res=PASS)) client-ip=98.xxx.xxx.173; " so they were
>>>>> a real Yahoo customer.
>>>>>
>>>>> Is there any way around this? Or do I need to strip out the sender
>>>>> info in DLIST which makes it harder for users to see who originated
>>>>> the message to the list?
>>>>>
>>>>> Note that my current setup has worked for ALL users for years. This
>>>>> is our first "yahoo" list member.
>>>>>
>>>>> Neil
>>>>>
>>>>> -- 
>>>>> Neil Herber
>>> -- 
>>> Neil Herber
>>
>>
>> <html>
>>   <head>
>>     <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
>>   </head>
>>   <body bgcolor="#FFFFFF" text="#000000">
>>     Ooops, sorry I thought you'd already changed the from, yes you need
>>     to set it to be from the list.<br>
>>     <br>
>>     from_list true<br>
>>     <br>
>>     No there's no nice work around that I know of, they are specifically
>>     stopping forged from headers which is what mailing lists
>>     traditionally use.  <br>
>>     <br>
>>     Â Â Â  ChrisP.<br>
>>     <br>
>>     <br>
>>     <div class="moz-cite-prefix">On 28/04/2016 3:17 p.m., Neil Herber
>>       (nospam) wrote:<br>
>>     </div>
>>     <blockquote cite="mid:ca2cb92b-c233-9463-bc6fHIDDEN@2ce465@eton.ca"
>>       type="cite">
>>       <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
>>       <p>From my tests, setting sender_list true has no effect. The mail
>>         is still rejected. I am pretty sure that DMARC only looks at the
>>         FROM header.</p>
>>       <p>An online article suggested that removing the DKIM signature
>>         from the forwarded mail would solve the problem, but it does
>>         not. The mail gets refused as unauthenticated.</p>
>>       <p>It looks like I am reduced to banning Yahoo senders or
>>         stripping the sender data and making all the mail appear to come
>>         from the list rather than the original senders.<br>
>>       </p>
>>       <p>Neil<br>
>>       </p>
>>       <br>
>>       <div class="moz-cite-prefix">On 2016-04-27 6:02 PM,
>>         surgemail-support wrote:<br>
>>       </div>
>>       <blockquote cite="mid:57213704HIDDEN@0@netwinsite.com" type="cite">
>>         <meta content="text/html; charset=utf-8"
>>           http-equiv="Content-Type">
>>         I think the short answer is set:<br>
>>         Â Â Â  sender_list true<br>
>>         to rewrite the sender header.<br>
>>         <br>
>>         Â Â Â  ChrisP.<br>
>>         <br>
>>         <br>
>>         <div class="moz-cite-prefix">On 28/04/2016 7:53 a.m., Neil
>>           Herber (nospam) wrote:<br>
>>         </div>
>>         <blockquote
>>           cite="mid:01514a87-9f4e-252d-e9c9HIDDEN@02ffe4@eton.ca"
>>           type="cite">
>>           <meta http-equiv="content-type" content="text/html;
>>             charset=utf-8">
>>           <p>I have several small, closed mailing lists running on
>>             SurgeMail. A new list member has a YAHOO address, and the
>>             mail he sends gets rejected by Gmail, Hotmail, Yahoo, and
>>             others with this error message:</p>
>>           <p> </p>
>>           <blockquote type="cite">
>>             <pre wrap="">Site gmail.com (173.194.74.27) said after data sent:
>> 550 5.7.1 initiative. rc7si2769636igc.23 - gsmtp 550-5.7.1 Unauthenticated
>> email from yahoo.ca is not accepted due to domain's\n550-5.7.1 DMARC policy.
>> Please contact administrator of yahoo.ca domain if this\n550-5.7.1 was a
>> legitimate mail. Please visit\n550-5.7.1  <a moz-do-not-send="true" class="moz-txt-link-freetext"
>> href="https://support.google.com/mail/answer/2451690">https://support.google.com/mail/answer/2451690</a>
>> to learn about DMARC</pre>
>>           </blockquote>
>>           <p>I suspect that the sender's FROM address is triggering this
>>             false positive, even though:</p>
>>           <p>1) The return path is set to Return-Path: <a
>>               moz-do-not-send="true" class="moz-txt-link-rfc2396E"
>>               href="mailto:servicenameHIDDEN@@eton.ca"><a class="moz-txt-link-rfc2396E"
>> href="mailto:servicenameHIDDEN@@eton.ca"><servicename-bounce@eton.ca></a></a></p>
>>           <p>2) The reply-to is set to Reply-To: <a
>>               moz-do-not-send="true" class="moz-txt-link-abbreviated"
>>               href="mailtoHIDDEN@ename@eton.ca"><a class="moz-txt-link-abbreviated"
>> href="mailtoHIDDEN@ename@eton.ca">servicename@eton.ca</a></a><br>
>>           </p>
>>           <p>3) The sender was verified by SPF "Received-SPF: pass (Last
>>             token {ptr:yahoo.com} (res=PASS)) client-ip=98.xxx.xxx.173;
>>             " so they were a real Yahoo customer.</p>
>>           <p>Is there any way around this? Or do I need to strip out the
>>             sender info in DLIST which makes it harder for users to see
>>             who originated the message to the list?</p>
>>           <p>Note that my current setup has worked for ALL users for
>>             years. This is our first "yahoo" list member.</p>
>>           <p>Neil<br>
>>           </p>
>>           <pre class="moz-signature" cols="72">--
>> Neil Herber</pre>
>>         </blockquote>
>>         <br>
>>       </blockquote>
>>       <br>
>>       <pre class="moz-signature" cols="72">--
>> Neil Herber</pre>
>>     </blockquote>
>>     <br>
>>   </body>
>> </html>
>>
>>
> It's my understanding that DMARC accepts mail that either passes DKIM or SPF, but fails mail that fails both.
>
> https://support.google.com/a/answer/2466580?hl=en
>
> Quote: A single check failure using either technology allows the message to pass DMARC.