• Failing SPF & DKIM for lists.debian.org

    From Marcel Menzel@3:633/10 to All on Wednesday, April 15, 2026 08:40:01
    Hello Debian Team!
    It seems that lists.debian.org has some problems (at least on my side)
    for SPF and DKIM validation, which leads to failing DMARC causing mails
    being inserted into the Junk folder:
    R_DKIM_REJECT(4.00)[debian.org:s=smtpauto.stravinsky];
    DMARC_NA(3.00)[debian.org];
    R_SPF_NA(3.00)[no SPF record];
    Please see the attached mail for reference.
    Thank you & kind regards,
    Marcel Menzel
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512
    - -------------------------------------------------------------------------
    Debian LTS Advisory DLA-4533-1                debian-lts@lists.debian.org
    https://www.debian.org/lts/security/                      Arnaud Rebillout
    April 15, 2026                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------
    Package        : systemd
    Version        : 247.3-7+deb11u8
    CVE ID         : CVE-2026-4105 CVE-2026-29111 CVE-2026-40225 CVE-2026-40226
    Debian Bug     :
    The following vulnerabilities have been discovered in systemd:
    CVE-2026-4105
    The systemd-machined service contains an Improper Access Control
    vulnerability due to insufficient validation of the class parameter in
    the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged
    user can exploit this by attempting to register a machine with a
    specific class value, which may leave behind a usable,
    attacker-controlled machine object. This allows the attacker to invoke
    methods on the privileged object, leading to the execution of
    arbitrary commands with root privileges on the host system.
    CVE-2026-29111
    When an unprivileged IPC API call is made with spurious data, a stack
    overwrite occurs, with the attacker controlled content.
    CVE-2026-40225
    udev: local root execution can occur via malicious hardware devices
    and unsanitized kernel output.
    CVE-2026-40226
    nspawn: an escape-to-host action can occur via a crafted optional
    config file.
    For Debian 11 bullseye, these problems have been fixed in version 247.3-7+deb11u8.
    We recommend that you upgrade your systemd packages.
    For the detailed security status of systemd please refer to
    its security tracker page at: https://security-tracker.debian.org/tracker/systemd
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS


    --- PyGate Linux v1.5.14
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Bastian Blank@3:633/10 to All on Wednesday, April 15, 2026 10:30:01
    On Wed, Apr 15, 2026 at 08:10:16AM +0200, Marcel Menzel wrote:
    It seems that lists.debian.org has some problems (at least on my side) for SPF and DKIM validation, which leads to failing DMARC causing mails being inserted into the Junk folder:

    Nothing fails. debian.org have neither SPF nor DMARC records.

    You can check that yourself with:

    | dig debian.org txt
    | dig _dmarc.debian.org txt

    Bastian

    --
    Worlds are conquered, galaxies destroyed -- but a woman is always a woman.
    -- Kirk, "The Conscience of the King", stardate 2818.9

  • From Andrea Pappacoda@3:633/10 to All on Wednesday, April 15, 2026 20:00:01
    Hi,

    On Wed Apr 15, 2026 at 9:42 AM CEST, Bastian Blank wrote:
    On Wed, Apr 15, 2026 at 08:10:16AM +0200, Marcel Menzel wrote:
    It seems that lists.debian.org has some problems (at least on my side) for
    SPF and DKIM validation, which leads to failing DMARC causing mails being
    inserted into the Junk folder:

    Nothing fails. debian.org have neither SPF nor DMARC records.

    Maybe it'd make sense to have an explicit "v=spf1 +all" record? Just in
    case some SPF checker violates the standard and defaults to a reject.

    Also: maybe we could progressively start getting members to use mail-submit.debian.org, which is more of a proper fix since many
    mailservers require proper DMARC.

    Bye :)

  • From Vahit Tabak@3:633/10 to All on Monday, April 20, 2026 22:30:01
    Hello Debian Team,
    This is also a known issue with Mailman 2; https://wiki.list.org/DEV/DMARC
    When an external user (e.g. user1@outlook.com, who is also a list member) sends
    an email to a Debian mailing list, and that list forwards it to another external
    user (e.g. user2@gmail.com, also a member), the list effectively appears to
    "spoof" the original sender. As Pirate Praveen mentioned, this happens because
    the DKIM signature is broken by the mailing list headers, and SPF fails since
    the sending IP belongs to Debian rather than Outlook.
    However, Gmail seems to apply a kind of "manual fallback" handling for Debian IP
    addresses, which helps mitigate the issue in practice.

    Example:
    Message ID: <PUZPR04MB6382D0275837EE4086D5EFF0D32F2@PUZPR04MB6382.apcprd04.prod.outlook.com>

    dkim=fail header.i=@outlook.com header.s=selector1 header.b="cyps/E+N"; arc=fail (signature failed);
    spf=pass (google.com: manual fallback record for domain of bounce-debian-mentors=vahit=vahittabak.com@lists.debian.org designates 82.195.75.100 as permitted sender) smtp.mailfrom="bounce-debian-mentors=vahit=vahittabak.com@lists.debian.org"; dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=outlook.com

    Best regards,
    Vahit Tabak
    On Fri, 17 Apr 2026 at 14:45, pedro vezzosi <pipo65@gmail.com> wrote:
    Hello Marcel,

    Thank you for bringing this to the attention of the Debian team.

    After reviewing the headers and DNS records, I was able to confirm the
    same behavior on my side. The messages distributed through
    lists.debian.org appear to be legitimate and are properly routed through
    the official Debian mailing list infrastructure, as confirmed by the
    List-Id, Received headers, and the message archive.

    However, it also appears that there are currently no publicly visible SPF
    and DMARC DNS records for debian.org / lists.debian.org, and some
    messages signed with the DKIM selector smtpauto.stravinsky may fail validation on certain receivers.

    For security advisories, the authenticity of the message can still be verified through:

    - the official Debian mailing list archive
    - the Debian security tracker / LTS advisory pages
    - the included PGP signature
    - the X-Debian-Message: Signature check passed for Debian member header

    So while the notification email itself is legitimate, final verification should ideally be done against the official Debian web archive and advisory pages.

    Kind regards,

    On Thu, 16 Apr 2026 at 10:08, Pirate Praveen (<praveen@onenetbeyond.org>) wrote:



    On 4/15/26 1:12 PM, Bastian Blank wrote:
    On Wed, Apr 15, 2026 at 08:10:16AM +0200, Marcel Menzel wrote:
    It seems that lists.debian.org has some problems (at least on my side) for
    SPF and DKIM validation, which leads to failing DMARC causing mails being
    inserted into the Junk folder:

    Nothing fails. debian.org have neither SPF nor DMARC records.

    You can check that yourself with:

    | dig debian.org txt
    | dig _dmarc.debian.org txt

    Bastian


    We do publish a DKIM record, but our lists apparently broke it when
    forwarding the original mail. Adding a prefix to the subject or
    modifying a protected header would break dmarc.

    $ dig +short smtpauto.stravinsky._domainkey.debian.org txt
    "v=DKIM1; k=rsa; s=email; h=sha256; p="
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwi8LqBb0lIBri5MJwFq8"
    "lak6adGPCq/kpLTarDdSdlfOekhpAnwVf9cD37ii9u4bLfVkuIzg3eIm4HmHKoUC"
    "vqc24CZkggi5+D8TyhS0TnlXAZNQgFGtE9X6ZZTban34a/iqVU1PNjxXPLIEW+e5"
    "D3NJn1ah+3ILFDw7vXIXjZSierXl5onMY/lgN3DidLYBmw0+BNVKI4mnByczmhh6"
    "5kF+DLsv8N0Jtb5YOcRle3SuuK6dp1N4dyosd0CHnjuytpZ81F97FBfMKpmHYJEc"
    "eA+/1Rxykhl7x+khw2V5UKK7o30af7QJgMS+ZO/XJSl6Sw1yerxixvX9kAnjZppt"
    "RwIDAQAB"




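
Added example (not part of any post in this thread): recomputing the DMARC verdict from the Authentication-Results values Vahit Tabak quoted, to show why SPF can pass while DMARC still fails for list-forwarded mail. The function names and the two-label organizational-domain shortcut are assumptions of this example.

```python
import re

# Authentication-Results values as quoted in the post above.
SAMPLE = (
    'dkim=fail header.i=@outlook.com header.s=selector1 header.b="cyps/E+N"; '
    'arc=fail (signature failed); '
    'spf=pass (google.com: manual fallback record for domain of '
    'bounce-debian-mentors=vahit=vahittabak.com@lists.debian.org designates '
    '82.195.75.100 as permitted sender) '
    'smtp.mailfrom="bounce-debian-mentors=vahit=vahittabak.com@lists.debian.org"; '
    'dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=outlook.com'
)

def parse_authres(value):
    """Map each method (spf, dkim, ...) to its result and properties."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop parenthesised comments
    out = {}
    for clause in value.split(";"):
        pairs = [t.split("=", 1) for t in clause.split() if "=" in t]
        if not pairs:
            continue  # e.g. a leading authserv-id with no method=result
        (method, result), *props = pairs
        # A later clause for the same method overwrites an earlier one.
        out[method.lower()] = {"result": result.lower(),
                               **{k.lower(): v.strip('"') for k, v in props}}
    return out

def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    # Real DMARC evaluators use the Public Suffix List (co.uk etc. differ).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_eval(authres, header_from=None):
    """Recompute DMARC: an identifier must pass AND align with the From domain."""
    res = parse_authres(authres)
    spf, dkim = res.get("spf", {}), res.get("dkim", {})
    want = org_domain(header_from or res.get("dmarc", {}).get("header.from", ""))
    aligned = lambda d: bool(want) and org_domain(d) == want
    spf_dom = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_dom = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]
    checks = {  # (authentication passed, domain aligned with From)
        "spf": (spf.get("result") == "pass", aligned(spf_dom)),
        "dkim": (dkim.get("result") == "pass", aligned(dkim_dom)),
    }
    verdict = "pass" if any(ok and al for ok, al in checks.values()) else "fail"
    return verdict, checks

if __name__ == "__main__":
    print(dmarc_eval(SAMPLE))
```

For the quoted header, SPF passes but for lists.debian.org, which does not align with the outlook.com From domain, and the aligned DKIM signature is the one that failed. Passing a hypothetical From domain under debian.org as the second argument yields pass, because the SPF identity then aligns.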