<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<span style="white-space: pre-wrap">
</span>
<blockquote type="cite"
cite="mid:itdz434le3gn2ia53kdr4mfygyquibcrye6p772gxksnwi3tba@73mog7ekjbcp">
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">We currently have thread, where one of receiving servers keeps adding
"[Possible phishing attempt]" into subject. It happens on my posts.
Is it possible that kwlug.org sender isn't in my domain's SPF, and this
triggers such labeling?
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Sort-of, but I think the real problem is your DKIM policy.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">My domain is setup to the t, like protonmail asks one to set things up.
In fact, they generate DNS records for you to copy and paste (convenient
admin ux).
</pre>
</blockquote>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Here's what my mail provider (Fastmail) added to the headers for the
message I'm replying to:
X-Spam-known-sender: no ("Email failed DMARC policy for domain")
X-Spam-sender-reputation: 500 (none)
X-Spam-score: 0.0
X-Spam-hits: BAYES_00 -1.9, DMARC_NONE 0.898, HEADER_FROM_DIFFERENT_DOMAINS 0.25,
MAILING_LIST_MULTI -1, ME_HAS_VSSU 0.001, ME_SENDERREP_NEUTRAL 0.001,
SPF_HELO_NONE 0.001, SPF_PASS -0.001, T_SCC_BODY_TEXT_LINE -0.01,
LANGUAGES en, BAYES_USED user, SA_VERSION 4.0.0
X-Spam-source: IP='199.212.143.9', Host='cpanel10.indieserve.net',
Country='CA',
FromHeader='com', MailFrom='org'
X-Spam-charsets: plain='utf-8'
So it looks like content analysis helped the message (-1.9), but the key
things that jumped out were:
1. DMARC_NONE 0.898
Your DMARC policy is very minimal, and instructs for no action to be
taken:
v=DMARC1; p=none
Compare with mine (rua & ruf omitted):
v=DMARC1; p=reject; sp=reject; pct=100; fo=1; adkim=r; aspf=r
Fastmail's spam checker reported this to be fairly suspicious on
it's own.
2. HEADER_FROM_DIFFERENT_DOMAINS
Your mail, via the list, is still coming from you. A lot of domains
that have DKIM/SPF/DMARC set up in a strict manor get rewritten
senders. This message you're reading will probably have the
following sender, instead of my proper address:
From: Chris Irwin via kwlug-disc <a class="moz-txt-link-rfc2396E" href="mailto:kwlug-disc@kwlug.org"><kwlug-disc@kwlug.org></a>
3. SPF DNS Records
I also checked your SPF record, it look fine.
I believe (and Paul can correct me if I'm wrong), the mail list will
determine if rewriting the sender due to mail security is required
"automatically". It might be tripped up on the "p=none" DKIM policy, and
therefore doesn't rewrite your address... Resulting in 'forged' mail
that doesn't pass SPF or DKIM checks, so looks suspicious, but with a
DMARC policy that says to take no action...
I'd suggest setting your DKIM policy to quarantine at least, letting it
propagate (and for KWLug's list host to clear it's caches), and trying
again.
Note that Proton's docs state:
DMARC combines SPF and DKIM authentication results to prevent
spoofing of your domain. We recommend using “p=quarantine” policy
for most domains.
<a class="moz-txt-link-freetext" href="https://proton.me/support/custom-domain">https://proton.me/support/custom-domain</a>
</pre>
</blockquote>
<p>Right. Thank you.</p>
<p>Text says one thing, while all pictures say another, leading to
not all t's being crossed, I guess.<br>
</p>
<p><br>
</p>
</body>
</html>