This may be a particularly niche issue I happened across but thought it worth mentioning.
manjaro.org has a DMARC policy of reject, and mails are not DKIM signed. Relying solely on SPF alignment, which will fail if forwarded.
Whether this is a me problem or manjaro.org problem is probably debatable and I know implementing DKIM is annoying but maybe the DMARC policy could be lowered to quarantine.
Record is now lowered. Let me know if that helps.
Awesome, can confirm I’m receiving email from the forum software through a forwarder successfully. Thanks!
They’re also now DKIM signed too <3
So the issue wasn’t really Manjaro domain settings?
It was your setup where you forward mail from one provider to another thus invalidating the chain.
I really don’t think it is a Manjaro domain administrator task to ensure you can forward mail through different services.
I have my domain’s DMARC policy setup to reject everything that fails validation.
I have domain which goes back more than 25 years and some of my email addresses has been part of several dataleaks and has been used as sender email by a lot of spam - so I have zero tolerance for abuse.
So the issue wasn’t really Manjaro domain settings?
It was your setup where you forward mail from one provider to another thus invalidating the chain.
This is debatable as mentioned in the initial post, in order to pass DMARC either SPF or DKIM needs to validate. In my opinion using a forwarding mail server is not a strange or poor configuration, I also have owned domains for a similar amount of time but these days do not have the time to run my own mail server, using a forwarding service from my domains to a webmail service.
I really don’t think it is a Manjaro domain administrator task to ensure you can forward mail through different services.
I agree to a point, however as mentioned I do not think a setup of using a forwarding mail server is particularly obtuse. If the system is sending mail unsigned mail in my opinion it is an admin error to rely on SPF alignment alone with a reject policy.
It appears the mail now being sent is in fact DKIM signed since my initial post? So a reject policy is now probably reasonable.
I understand that but my point is
The correct handling would be to setup the forwarder to encapsulate forwarded mail in a new envelope or send it as a forwarded mail using the intermediate address as sender - instead of using manjaro.org as sender domain which some poorly setup forwarders do.
The excessive amount of spam which is often using innocent mail-from addresses to legitimise the mail - is one of the reasons why domain owners setup DMARC and DKIM and SPF.
But DMARC is accepting mail if either exist - it doesn’t require both - which is why my domain has reject 100%.
The correct handling would be to setup the forwarder to encapsulate forwarded mail in a new envelope.
Correct handling would also be for the sender to DKIM sign sent mail too no?
There is no requirement to secure one’s domain against abuse - it is good measure - but not a requirement.
DKIM, DMARC, SPF - they are all voluntary.
DKIM, DMARC, SPF - they are all voluntary.
Precisely, so enforcing a DMARC reject policy while only implementing SPF is not ideal.
DMARC will have no effect if you don’t implement either DKIM or SPF.
DKIM can be spoofed and abused using a fairly simple technique.
As this is the feedback section I’ll also add this has been a favourite distro of mine for a while now but this interaction with a maintainer has felt unnecessarily defensive and aggressive. I regret getting involved at all.