View Issue Details

IDProjectCategoryView StatusLast Update
0018087phpList 3 applicationDocumentationpublic13-02-19 12:26
Reporterlwc 
PriorityhighSeveritytextReproducibilityalways
Status newResolutionopen 
Product Version3.2.4 
Target VersionFixed in Version 
Summary0018087: Document DMARC exception
DescriptionWhen you specify a "from" address, you can no longer use addresses that involve servers like Gmail/Google Apps. The reason is that such servers enforce a "reject" DMARC rule, and so reject phplist's attempts to fake the "from" address.

Since phplist is obsolete without it, please document what should be the DMARC rules to make an exception for phplist.
Additional InformationPlease mention specifically what should be the settings regarding the commercial phplist.com.
Tagsdocumentation

Activities

lwc

17-04-16 12:55

updater   ~0057609

Upon further investigation, I'm starting to think phplist.com is simply not DMARC compliant! This poses a huge problem and means it's much more than a documentation issue.

https://engineering.linkedin.com/email/dmarc-moving-monitor-reject-mode & http://stackoverflow.com/a/33307532 both offer 3 methods for third party vendors, in this case phplist.com, to become DMARC compliants.

michiel

17-04-16 14:31

administrator   ~0057611

DMARC checks that the sender is sending from a location that is allowed. It uses SPF and DKIM for that.

phpList (hosted) is SPF and DKIM compatible. However, it will depend on the domain in the From if this passes for DMARC.

I've been working on a DMARC checker plugin, but that's quite complicated. In general the rule is: make sure the From in your campaigns validate. To allow phplist.com to send with your From domain, you need to add "include phplist.com" to your SPF records. Then it should also pass for DMARC.

michiel

17-04-16 14:34

administrator   ~0057612

it also means you cannot use certain domains in the From field of your campaigns, eg yahoo.com domains. That is the reason we stopped accepting yahoo.com email addresses for registration for phpList Hosted.

lwc

18-04-16 14:55

updater   ~0057622

We use our own domain name in the "from".
include:phplist.com in our SPF records didn't help.
Neither did include:company_name.hosted.phplist.com
Neither did a complete copy of phplist.com's own spf record (list of ip4:).

michiel

18-04-16 19:47

administrator   ~0057627

Just include:phplist.com should be enough

http://www.openspf.org/SPF_Record_Syntax#include

Can you send an email to check-auth@verifier.port25.com and paste the results?

lwc

19-04-16 15:03

updater   ~0057645

I sent to your address through phpList hosted, but I have nothing to paste since it's a test message which isn't considered as bounce.

Please read the 2 links in the OP. They'll show it takes more than a simple spf include.

michiel

19-04-16 20:56

administrator   ~0057653

that address bounces anyway. Try to find it in your list of bounces. It will probably be marked as "unprocessed".

I have read those pages. That is about the other side of DMARC: when you want other servers to report to you how your domain is doing on their systems. We have that in place with phpList as well.

The delivery side of DMARC is different. It is about telling the world about your domain. And the easiest option (for now) is to use a domain that is not yet set for DMARC.

michiel

19-04-16 20:58

administrator   ~0057654

which opens the question, did you configure DMARC for your domain? If so, remove it.

lwc

24-04-16 08:11

updater   ~0057667

Found your bounce:
https://www.protectedtext.com/dmarc_phplist (password: phplist)

As for the domain, this is our company's domain. We must have the "from" address as sent from our (DMARC protected) company's domain.

More links that might help:
https://www.agari.com/can-get-third-party-senders-dmarc-compliant/ & https://space.dmarcian.com/how-to-send-dmarc-compliant-email-on-behalf-of-others/

michiel

26-04-16 23:03

administrator   ~0057676

Thanks, I have the file, you can delete it if you want.

I'll try to find some time to work on it. But the summary:

SPF check: pass
DKIM check: pass

would indicate that DMARC should pass, because DMARC requires one of the two to pass (IIRC)