The Debian bug tracking system bugs.debian.org works via e-mail: you send an e-mail to report a bug, and you reply to the e-mails it sends to comment on one.
The problem: Whenever I report a bug to it, my DMARC report analyzer shows that my e-mails have been rejected by several mail servers.
Public mail server configuration
I configured SPF, DKIM and DMARC to prevent other computers from sending mails from my domains; only my own server may do that:

- SPF tells who may send e-mails from cweiske.de:

  $ dig +short TXT cweiske.de
  "v=spf1 mx a -all"

  The hosts behind the domain's MX and A records may send; all others may not (-all).

- DKIM is used to sign outgoing mails from my server, so that receivers can be sure the mails came from my server. DNS contains the public key:

  $ dig +short TXT 2023._domainkey.cweiske.de
  "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAO[..]" "ilq9weko00b9FD[...]"

  E-mails sent by my server contain a DKIM-Signature header that says which selector, and thus which key, was used for the signature: s=2023.

- DMARC says what should happen when the SPF rules are not adhered to:

  $ dig +short TXT _dmarc.cweiske.de
  "v=DMARC1; p=reject; rua=mailto:user@example.org; ruf=mailto:user@example.org; fo=0; adkim=r; aspf=r; sp=none"

  I configured it with p=reject: When an IP address not listed in the SPF record sends a mail from @cweiske.de, the mail shall be rejected.

I also want other mail servers to send me e-mail reports about mail delivery (the rua and ruf addresses); those reports are automatically parsed by Open Report Parser.
Debian bug tracker
E-mails sent by me to the Debian bug tracker get forwarded to other people: package maintainers and people subscribed to the bugs I comment on. Those e-mails are sent by the Debian server, but with my e-mail address in the From header. Receiving mail servers check my domain's SPF, DKIM and DMARC settings, see that the Debian server may not send mails in my name, and reject the mail (or put it into the spam folder).
This problem has been known since 2014, see bug report #754809: The Debian BTS needs a plan to deal with messages from DMARC p=reject domains.
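To make the failure concrete, here is an added example (not code from the original post) of how a receiving server evaluates DMARC for three message shapes: a mail sent directly by the author's server, the same mail relayed by the bug tracker with the From header kept, and the maintainer's proposed fix of rewriting From. The DMARC record is the one published for cweiske.de above; the relay's own DMARC record, the assumption that the relay's modifications invalidate the original DKIM signature, and the two-label organizational-domain rule are constructed simplifications, not facts from the post or about Debian's infrastructure.

```python
from dataclasses import dataclass, field


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=r; ..."
    into a tag dict, filling in the RFC 7489 defaults for missing tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment is the default
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment. Real receivers use
    the Public Suffix List; taking the last two labels is a simplification
    (assumption) that happens to be right for the .de and .org names here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict ("s") needs an
    exact match, relaxed ("r") accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str                 # domain of the RFC 5322 From: address
    mail_from: str                   # domain of the SMTP envelope sender
    spf_result: str                  # SPF result for mail_from at the connecting IP
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures


def dmarc_disposition(msg: Message, record: dict) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM
    passes *and* that identifier is aligned with the From: domain; otherwise
    the published policy (p=) becomes the disposition."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, record["aspf"])
    dkim_ok = any(aligned(d, msg.header_from, record["adkim"]) for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]


# The record published for cweiske.de, as quoted in the post.
CWEISKE_DMARC = ("v=DMARC1; p=reject; rua=mailto:user@example.org; "
                 "ruf=mailto:user@example.org; fo=0; adkim=r; aspf=r; sp=none")
# Placeholder policy for the relay's own domain: constructed, not the real record.
RELAY_DMARC_PLACEHOLDER = "v=DMARC1; p=none"


def scenarios() -> dict:
    own = parse_dmarc(CWEISKE_DMARC)
    # 1. Sent directly by the author's server: SPF aligned, DKIM d=cweiske.de valid.
    direct = Message("cweiske.de", "cweiske.de", "pass", ["cweiske.de"])
    # 2. Relayed by the bug tracker with From: kept. The envelope sender is now
    #    the tracker's domain (SPF may pass for it, but it is not aligned with
    #    cweiske.de) and we assume the relay's header changes invalidated the
    #    original DKIM signature, so no aligned identifier is left.
    relayed = Message("cweiske.de", "bugs.debian.org", "pass", [])
    # 3. The maintainer's plan: rewrite From: to the tracker's domain. The
    #    receiver now consults the relay's own DMARC record, and the
    #    SPF-authenticated envelope domain is aligned with the new From:.
    rewritten = Message("bugs.debian.org", "bugs.debian.org", "pass", [])
    return {
        "direct": dmarc_disposition(direct, own),
        "relayed": dmarc_disposition(relayed, own),
        "from_rewritten": dmarc_disposition(rewritten, parse_dmarc(RELAY_DMARC_PLACEHOLDER)),
    }


if __name__ == "__main__":
    for name, (result, disposition) in scenarios().items():
        print("%-15s DMARC %-4s -> disposition %s" % (name, result, disposition))
```

The relayed case is exactly what the receiving servers in the post see: SPF is fine for the Debian server's own envelope domain, but nothing that passed authentication is aligned with cweiske.de, so the receiver falls through to p=reject. Rewriting From moves the decision to the relay's own policy, which is why it resolves the problem without the sender having to weaken their record.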
In 2019 one bug tracking system maintainer wrote:
My current longer term plan is to switch to resending messages and rewriting From.
Nothing has happened since; it is now 2026.
Phishing-relevant domains only?
Some people in the bug think that we don't need DMARC and that
a restrictive DMARC policy should be used if a domain is subject to spoofing (e.g. because it is a phishing target)
and the answer to "isn't any domain subject to that" is
experience shows that it is an actual problem only for a tiny number of domains.
I concur: My domain cweiske.de is a small one, and still I have spikes with spam e-mails appearing to be sent from my domain. They are made visible thanks to the DMARC reports.
On a single day, T-Online.de mail servers sent 46 e-mails with a sender address *@cweiske.de. The web.de, Google and Microsoft mail servers rejected them and sent reports about that to me.
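The reports that make such spikes visible are DMARC aggregate (rua) reports in the XML format of RFC 7489 Appendix C. As an added example, not code from the post and not the Open Report Parser the author uses, the following parses such a report and separates three kinds of rows an admin cares about: mail that passed, mail rejected with no passing authentication at all (the spoofing pattern described above), and mail rejected although SPF or DKIM passed for some other domain (the pattern a relay like the bug tracker produces). The report XML, reporter name, IP addresses and counts are constructed placeholders; the three-way classification is a heuristic of this example, not part of the report format.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C format. Reporter
# name, IP addresses (documentation ranges) and counts are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>reporter.example</org_name>
    <email>dmarc-noreply@reporter.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>cweiske.de</domain>
    <adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.1</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>cweiske.de</header_from></identifiers>
    <auth_results>
      <dkim><domain>cweiske.de</domain><selector>2023</selector><result>pass</result></dkim>
      <spf><domain>cweiske.de</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>46</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>cweiske.de</header_from></identifiers>
    <auth_results>
      <spf><domain>cweiske.de</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.9</source_ip><count>2</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>cweiske.de</header_from></identifiers>
    <auth_results>
      <spf><domain>bugs.debian.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(disposition: str, spf_pass_domains: list, dkim_pass_domains: list) -> str:
    """Heuristic label for one report row (an assumption of this example):
    a row that passed DMARC is "aligned"; a rejected row whose SPF or DKIM
    passed for some *other* domain is most likely a legitimate relay or
    mailing list that kept our From: header; a rejected row with no passing
    authentication at all looks like spoofing."""
    if disposition == "none":
        return "aligned"
    if spf_pass_domains or dkim_pass_domains:
        return "unaligned relay"
    return "spoofed"


def summarize(report_xml: str) -> list:
    """Flatten the <record> elements into dicts with the fields an admin
    actually looks at, plus the heuristic classification."""
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.findall("record"):
        disposition = rec.findtext("row/policy_evaluated/disposition")
        # Raw SPF/DKIM results per authenticated domain; the DMARC-level
        # pass/fail in policy_evaluated already reflects alignment.
        spf_pass = [e.findtext("domain") for e in rec.findall("auth_results/spf")
                    if e.findtext("result") == "pass"]
        dkim_pass = [e.findtext("domain") for e in rec.findall("auth_results/dkim")
                     if e.findtext("result") == "pass"]
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": disposition,
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_pass_domains": spf_pass,
            "kind": classify(disposition, spf_pass, dkim_pass),
        })
    return rows


def rejected_total(report_xml: str) -> int:
    """Messages the reporter rejected because of our p=reject policy."""
    return sum(r["count"] for r in summarize(report_xml) if r["disposition"] == "reject")


if __name__ == "__main__":
    for r in summarize(SAMPLE_REPORT):
        print("%-14s %3d %-7s %s" % (r["source_ip"], r["count"], r["disposition"], r["kind"]))
    print("rejected in total:", rejected_total(SAMPLE_REPORT))
```

Splitting the rejected rows this way is what turns a daily report into something actionable: the "spoofed" rows are the policy doing its job and need no reaction, while the "unaligned relay" rows point at forwarders (such as the bug tracker) where legitimate mail is being lost and where the fix lies on the relay's side.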