Quoting Hoover Chan (hoover.chan@gmail.com):
Rick, thanks for explaining what was happening and apologies to all who were affected by the way I had things set up for my ewind.com domain.
No problem. I've been tracking down and fixing BALUG delivery problems, and was delighted to find and fix yours.
You should be in receipt of "invitation" e-mails (to quick-subscribe hoover.chan@gmail.com) I caused Mailman to send for the balug-admin, balug-talk, and balug-announce mailing lists -- the same three you've until now had your ewind.com address subscribed to, and tried to forward to GMail.
Yeah, it's really tempting to cover service inadequacies using SMTP forwarding, but then you're highly likely to get bitten by SFP/DMARC (primarily DMARC, as I will explain). I got bit myself!
Also, any pointers to documentation on current best practices for building network services (e-mail, Web, DNS)? Especially on cloud hosted platforms? (e.g. Nephosting (or equivalent), AWS, etc). Most of the "How Tos" that I've learned from in the past are now outdated.
I don't. Maybe some day, I'll write one, but man, too many projects.
Speaking of which, I also had to rebuild my collection of GNU Mailman mailing lists on cloud hosted services since my hardware disasters also swept those away. I'm guessing that the SPF/DMARC issues may be affecting these too.
All Mailman releases starting (IIRC) 2.1.16 have included an excellent _but non-default_ set of DMARC-mitigation controls that can be set on a per-list basis from the admin WebUI.
Go to page Privacy Options, Sender Filters. In the middle of the page, you'll find these options:
Action to take when anyone posts to the list from a domain with a DMARC Reject/Quarantine Policy (dmarc_moderation_action) (o) Accept ( ) Munge from ( ) Wrap message ( ) Reject ( ) Discard
Shall the above dmarc_moderation_action apply to messages From: domains with DMARC p=quarantine as well as p=reject? (dmarc_quarantine_moderation_action) (o) No ( ) Yes
Shall the above dmarc_moderation_action apply to messages From: domains with DMARC p=none as well as p=quarantine and p=reject? (Details for dmarc_none_moderation_action) (o) No ( ) Yes
Shown above are Mailman defaults, with _no_ DMARC mitigation. To enable mitigation, change the first two: Change dmarc_moderation_action to "Munge from" and change dmarc_quarantine_moderation_action to "Yes". That's it.
The proximate effect of this mitigation is as follows: _If_ a subscriber's posting is from a domain that publishes a DMARC policy with policy p=reject or p=quarantine, _then and only then_ "munge" the "From:" header on all mailed-out subscriber copies to substitute the mailing list's address for the subscribers. In that case, append the poster's real address to a "Reply-To:" header (or create such a header if not already present).
The _end_-effect of this munging (targeted only to DMARC-afflicted subscibers' posting, and leaving other people's postings alone) is to do an end-run around DMARC damage. Why? Because the poster's domain's overly aggressive DMARC policies have been rendered irrelevant by substitution of a different domain (balug.org) as sender.
You asked about SPF mitigation. Not needed! SPF, unlike DMARC, is not mailing-list-hostile.
I do have Some Opinions on this subject. That is why my domain's DNS has:
:r! dig -t txt linuxmafia.com. +short "v=spf1 ip4:96.95.217.99 -all"
:r! dig -t txt _dmarc.linuxmafia.com. +short "DMARC: tragically misdesigned since 2012. Check our SPF RR, instead."
You will note that my SPF record is bracingly simple and unequivocal. It says please reject as forged any mail claiming to be from linuxmafia.com unless it arrives from IPv4 address 96.95.217.99 with no exceptions, uncertainty, or elaborations. I am able to publish with confidence such a declaration _only_ because I never wish to permit any mail to convincingly claim to be from my domain unless it originates directly from my IP.
SPF syntax is flexible and permits some elaborate and contingent declarations. I luckily don't need that flexibility. So, SPF is a very good fit for my domain's use-case for sending out mail.
If you search around, you will find people who've been angry about, and dislike, SPF for almost a quarter-century. Quite logically, these tend to be people who have enjoyed the ability to originate mail purporting to be from their (and/or other people's) domains for a long time, and who dislike any obstacle to doing so freely. Or, to look at it differently, they enjoy domain-forgery. ;->
Partly due to pricing and what reviews I was able to find at the time, I ended up going to "Mailmanlists.net". Is the BALUG universe also on a 3rd party hosted service which everyone is happy with? I'd be curious to learn more.
balug.org is self-hosted by Michael Paoli on one of his hosts at home. Likewise, linuxmafia.com is self-hosted by me on one of my hosts at home.