Temporary block of @canonical.com sending to @lists.ubuntu.com

Robie Basak racb at ubuntu.com
Sun Jan 11 17:56:17 UTC 2026 

I agree that this is preferable over my original proposal.

There is a nuance though.

Using "Munge from" is a mitigation for the general problem, since in the
general case the email sender can't expect to be able to make the
mailing list operator compliant with their own DMARC policy.

In the bounce emails I've seen as a named administrator/moderator of
some of these mailing lists, it's only @canonical.com's DMARC policy
that is falling foul of this in practice at the moment, AFAICT.

So the specific issue we have right now is that emails sent by
lists.ubuntu.com aren't compliant with @canonical.com's DMARC policy.
Yet both this DMARC policy and lists.ubuntu.com are under the control of
Canonical IS. So uniquely for @canonical.com it should be possible to
fix this such that no "Munge from" is required for senders from
@canonical.com by adjusting the DMARC policy, SPF etc such that
lists.ubuntu.com is compliant. Then the amount of "munging" being
applied would be reduced, even with "Munge from" set.

So I think there are two actions for Canonical IS please, presumably
against the existing ticket C192498:

1) Enable "Munge from" across all mailing lists.

2) Adjust @canonical.com DMARC policy and lists.ubuntu.com outbound
arrangements as appropriate such that what is being done falls within
the policy.

Until step 1 is done, any mailing list administrator on lists.ubuntu.com
is advised to set "Munge from" (Privacy options->Sender
filters->dmarc_moderation_action) to apply the workaround themselves.

Thanks Thomas for pointing out the "Munge from" is even an option in
Mailman. I hadn't realised that Mailman already supported that from
within the options available to list administrators.

Robie

On Sun, Jan 11, 2026 at 12:36:25PM +0100, Mark Shuttleworth wrote:
> OK, from my perspective then the 'Munge from' option on lists.ubuntu.com
> would be a good way forward. Robie?
> 
> Mark
> 
> On Sun, 11 Jan 2026 at 11:25, Thomas Ward <teward at ubuntu.com> wrote:
> 
> > Mark,
> > On 2026-01-11 04:44, Mark Shuttleworth wrote:
> >
> >
> > Well this is an interesting conundrum.
> >
> > Surely every company mail system that does DMARC has this issue with
> > mailing lists? Is the mail system @canonical.com doing something unusual?
> > It sounds from Robie's description that Canonical is 'just doing DMARC
> > conservatively'.
> >
> > Thanks for any clarification,
> > Mark
> >
> > As I understand the core basis of what's happening, when lists.ubuntu.com
> > sends as @canonical.com the message at $RECIPIENT fails DMARC because SPF
> > fails.
> >
> > Unfortunately, this is "normal" with DMARC.  And when DMARC adoption
> > became widespread, the traditional concept of "mailing lists" and
> > "distribution lists" had to adapt. And that required changing of
> > traditional mailing list behaviors.  This is not new, with articles on this
> > going back years. (such as [1]).
> >
> > Most mailing lists that *are* being DMARC compliant follow the 'Munge
> > from". So it's not @canonical.com mailing systems at fault, but @
> > lists.ubuntu.com mail servers not being in the Canonical.com SPF record.
> > Which is probably intentional.
> >
> > The evolution of email and email security with DMARC has required mailing
> > lists to change and adapt like this though. We (Ubuntu and its mailing
> > lists) have just never adopted it. And for Robie and me as well, any
> > DMARC-failing email (Canonical *or otherwise* over the lists) goes straight
> > to junk.
> >
> > Another prime example of this is Debian's lists - where this happens
> > rampantly and results in their (daily) notification of email bounces coming
> > to me - because Debian's not allowed to be the sender of emails with From
> > addresses which have DMARC enforced.
> >
> > This is a problem *every* major group running a mailing list has faced.
> > And is why the "Munge from" option exists in Mailman to help work around
> > the problem.
> >
> > At my dayjob we run upwards of 50+ specifically-dedicated lists for
> > various groups and such whom all are with companies as our partners. A
> > large portion of those companies have DMARC enforced on their mail to keep
> > up with security and email policies. Every single one of them ended up with
> > messages in Junk or Spam (or simply *rejected entirely*) because of DMARC
> > not passing on them.
> >
> > This is why 'traditional mailing lists' are becoming less and less common,
> > or are still being used but with munging on the From address in order to
> > pass DMARC.
> >
> >
> > Thomas
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/technical-board/attachments/20260111/5ed8534d/attachment.sig>

More information about the technical-board mailing list