Current situation
When somebody with any recent and "modern" mail protection (SPF, DKIM, DMARC) tries to write to Mailman of wikimedia.it, usually their email is marked as spam.
This is probably what is happening:
- alice.it has a modern mail configuration only allowing e-mails from alice.it MX
- alice@alice.it sends an email (From: alice@alice.it) to a mailing list example@wikimedia.it
- wikimedia.it impersonates alice sending an email with From: alice@alice.it to all its members
- ↑ SPF fail, wikimedia.it is NOT authorized to impersonate alice.it
Current:
(Origin: wikimedia.it) From: alice@alice.it CC: direttivo@wikimedia.it
Expected:
(Origin: wikimedia.it) From: "Alice" <noreply@wikimedia.it> Reply-To: alice@alice.it CC: direttivo@wikimedia.it
Probably Mailman will do this:
(Origin: wikimedia.it) From: direttivo@wikimedia.it Reply-To: direttivo@wikimedia.it, alice@alice.it
Related mailman documentation
https://www.gnu.org/software/mailman/mailman-admin/general-personality.html
from_is_list
This applies to all non-digest messages sent by the list. For settings that apply only to messages whose From: domain publishes a DMARC p=reject or p=quarantine policy, see the dmarc_moderation_action description in section 2.7. If set to Munge From, it replaces the From: header address with the list's posting address to mitigate issues stemming from the original From: domain's DMARC or similar policies and puts the original From: address in a Reply-To: header. If set to Wrap Message it wraps the original message as a MIME subpart of an outer message with From: and Reply-To: headers as above.
https://www.gnu.org/software/mailman/mailman-admin/sender-filters.html#sender-filters
Problematic mailing lists
- tech@wikimedia.it
- direttivo@wikimedia.it
- ...
Wrong mitigations
The domain alice.it should not be configured to have a less secure configuration, just because its receivers try to impersonate alice.it.
The solution should try to just avoid to impersonate alice.it. So, the solution is in the wikimedia.it mailserver configuration, not in alice.it.
Proposed solution
The mailing list wikimedia.it should only send e-mails from its own domain.
Set the from_is_list configuration from value No to value Munge From
https://mailman.wikimedia.it/admin/tech/?VARHELP=general/from_is_list