Groups | Search | Server Info | Login | Register

Groups > linux.debian.project > #14277

Re: Failing SPF & DKIM for lists.debian.org

From Vahit Tabak <vahit@vahittabak.com>
Newsgroups linux.debian.project
Subject Re: Failing SPF & DKIM for lists.debian.org
Date 2026-04-20 22:30 +0200
Message-ID <MM3pL-gHMM-5@gated-at.bofh.it> (permalink)
References <MK24N-fgiN-7@gated-at.bofh.it> <MK3Nf-fhv7-1@gated-at.bofh.it> <MM3pL-gHMM-7@gated-at.bofh.it> <MM3pL-gHMM-9@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

Hello Debian Team,

This is also a known issue with Mailman 2; https://wiki.list.org/DEV/DMARC

When an external user (e.g. user1@outlook.com, who is also a list member)
sends
an email to a Debian mailing list, and that list forwards it to another
external
user (e.g. user2@gmail.com, also a member), the list effectively appears to
"spoof" the original sender. As Pirate Parveen mentioned, this happens
because
the DKIM signature is broken by the mailing list headers, and SPF fails
since
the sending IP belongs to Debian rather than Outlook.

However, Gmail seems to apply a kind of "manual fallback" handling for
Debian IP
addresses, which helps mitigate the issue in practice.


Example:

Message ID: <
PUZPR04MB6382D0275837EE4086D5EFF0D32F2@PUZPR04MB6382.apcprd04.prod.outlook.com
>
dkim=fail header.i=@outlook.com header.s=selector1 header.b="cyps/E+N";
arc=fail (signature failed);
spf=pass (google.com: manual fallback record for domain of
bounce-debian-mentors=vahit=vahittabak.com@lists.debian.org designates
82.195.75.100 as permitted sender)
smtp.mailfrom="bounce-debian-mentors=vahit=vahittabak.com@lists.debian.org";
dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=outlook.com


Best regards,
Vahit Tabak

On Fri, 17 Apr 2026 at 14:45, pedro vezzosi <pipo65@gmail.com> wrote:

> Hello Marcel,
>
> Thank you for bringing this to the attention of the Debian team.
>
> After reviewing the headers and DNS records, I was able to confirm the
> same behavior on my side. The messages distributed through
> lists.debian.org appear to be legitimate and are properly routed through
> the official Debian mailing list infrastructure, as confirmed by the
> List-Id, Received headers, and the message archive.
>
> However, it also appears that there are currently no publicly visible SPF
> and DMARC DNS records for debian.org / lists.debian.org, and some
> messages signed with the DKIM selector smtpauto.stravinsky may fail
> validation on certain receivers.
>
> For security advisories, the authenticity of the message can still be
> verified through:
>
>    - the official Debian mailing list archive
>    - the Debian security tracker / LTS advisory pages
>    - the included PGP signature
>    - the X-Debian-Message: Signature check passed for Debian member header
>
> So while the notification email itself is legitimate, final verification
> should ideally be done against the official Debian web archive and advisory
> pages.
>
> Kind regards,
>
> El jue, 16 abr 2026 a las 10:08, Pirate Praveen (<praveen@onenetbeyond.org>)
> escribió:
>
>>
>>
>> On 4/15/26 1:12 PM, Bastian Blank wrote:
>> > On Wed, Apr 15, 2026 at 08:10:16AM +0200, Marcel Menzel wrote:
>> >> It seems that lists.debian.org has some problems (at least on my
>> side) for
>> >> SPF and DKIM validation, which leads to failing DMARC causing mails
>> being
>> >> inserted into the Junk folder:
>> >
>> > Nothing fails.  debian.org have neither SPF nor DMARC records.
>> >
>> > You can check that yourself with:
>> >
>> > | dig debian.org txt
>> > | dig _dmarc.debian.org txt
>> >
>> > Bastian
>> >
>>
>> We do publish a DKIM record, but our lists apparently broke it when
>> forwarding the original mail. Adding a prefix to the subject or
>> modifying a protected header would break dmarc.
>>
>> $ dig +short smtpauto.stravinsky._domainkey.debian.org txt
>> "v=DKIM1; k=rsa; s=email; h=sha256; p="
>> "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwi8LqBb0lIBri5MJwFq8"
>> "lak6adGPCq/kpLTarDdSdlfOekhpAnwVf9cD37ii9u4bLfVkuIzg3eIm4HmHKoUC"
>> "vqc24CZkggi5+D8TyhS0TnlXAZNQgFGtE9X6ZZTban34a/iqVU1PNjxXPLIEW+e5"
>> "D3NJn1ah+3ILFDw7vXIXjZSierXl5onMY/lgN3DidLYBmw0+BNVKI4mnByczmhh6"
>> "5kF+DLsv8N0Jtb5YOcRle3SuuK6dp1N4dyosd0CHnjuytpZ81F97FBfMKpmHYJEc"
>> "eA+/1Rxykhl7x+khw2V5UKK7o30af7QJgMS+ZO/XJSl6Sw1yerxixvX9kAnjZppt"
>> "RwIDAQAB"
>>
>

Back to linux.debian.project | Previous | NextPrevious in thread | Find similar

Thread

Failing SPF & DKIM for lists.debian.org Marcel Menzel <marcel@menzel.de> - 2026-04-15 08:40 +0200
  Re: Failing SPF & DKIM for lists.debian.org Bastian Blank <waldi@debian.org> - 2026-04-15 10:30 +0200
    Re: Failing SPF & DKIM for lists.debian.org "Andrea Pappacoda" <andrea@pappacoda.it> - 2026-04-15 20:00 +0200
    Re: Failing SPF & DKIM for lists.debian.org Vahit Tabak <vahit@vahittabak.com> - 2026-04-20 22:30 +0200

csiph-web