On 11/21/20 10:39 AM, Stephen J. Turnbull wrote:
> Rob Jenson writes:
>> I need to strip DKIM headers on the inbound messages to my list or to my domain.
> Why do you need to strip DKIM headers? The standard specifies that an invalid DKIM signature must be treated the same as if there were no signature at all. So an invalid DKIM signature may be treated as spammier than a message with a valid signature, but that should not be treated differently from an unsigned message (as would appear after removing those header fields).
> I know this feature is in demand from list admins, but I've never seen convincing evidence that it's actually effective for any of the usual suspects (Yahoo!, AOL, Gmail), only for small domains with pigheaded admins who are proud of their non-conforming configurations, and announce that they are discarding messages which have invalid DKIM signatures.
This person is a client of ours for now. There is no evidence at all that I can see from our outgoing SMTP logs for such a requirement. In fact mail delivery to Yahoo and its other domains (verizon, aol) has been great. There are some small deferrals that occur over a small period of time (which is strange) daily but those clear out of the queue within an hour. I was personally shocked when he brought these concerns to this list without asking or informing us.
>> We are munging the text of the message in Mailman, so the DKIM headers from the original poster are invalid.
> As I explained above, both DKIM and DMARC are specified so that "no signature" == "invalid signature" for the purposes of spam processing. Are you sure that Yahoo! (or any other provider used by your subscribers) is treating invalid signatures differently from absence of signatures? The person responsible for Yahoo! MTA configuration is a well-known mail security expert who participated actively in the specification of all these protocols (and she also gave me a kitten, so I may be biased).
I have the same question, Steve. I see no proof for such a practice, nor have I come across any documentation regarding it. The number one reason why Yahoo defers mail is mail volume, from what I see. I don't even think they are as hard on SPF violations as other ISPs such as Google.
>> As far as I can see, our service provider is using ARC in our Mailman configuration, but not signing the outbound messages with DKIM.
> That surprises me. ARC isn't really a substitute for the MTA's own DKIM signature, at least not yet.
It ought to surprise you because we are not using ARC. His comment surprised me as well. Again, I have no idea where he gets that from. He certainly did not bring that to my attention, nor did he present proof.
>> Therefore the DKIM signature from the poster's mail service provider is sent out with their DKIM header, which seems to be problematic.
> It shouldn't be.
I agree. It shouldn't be and it's not. Otherwise this would impact all lists that are DMARC munging their Mailman 3 lists unconditionally. It's not.
>> If I understand ARC correctly, it is validating the DKIM signature from the poster, creating a new signature and metadata indicating that what it received was properly signed.
> That is correct. As far as I know, Yahoo! does participate in the ARC protocol and used to have conforming implementations of DKIM and DMARC. That doesn't mean you get a free ride: they may still have your IP on a blacklist from former owners of the IP, for example. Or your posts may "look like" spam for some other reason, or your lists may need more time to build up a clean reputation. But I need evidence more convincing than "list posts are recognized as spam" to believe that removing DKIM headers will help. (For example, my employer's filters regularly recognize messages from department heads as spam, even with DKIM signatures intact. ;-)
This particular client did bring up some Yahoo issues a week ago, which I looked into. The conclusion was that Yahoo is deferring a small percentage of outbound mail for a small period of time due to mail volume. Overall we have great successful deliveries to Yahoo addresses on our Affinity server. So I am simply surprised at his communication sent to this list. Yahoo delivery always improves when mail volume becomes more consistent. That week we moved over a moderate number of lists that had a few dozen Yahoo members. That caused our SenderScore.org rep score to drop from 98 to 96 (which is still a very high reputation). It's back up to 98 (pats myself on the back) because the new outgoing mail volume has become more consistent. Eventually we will fill up the server and will bring up a new server to add new lists to. This approach has worked well for all of our servers for years. So, conclusion: broken DKIM signatures are not playing a part in his issues at all. At least from the evidence I have seen.
-- 
Brian Carpenter
Harmonylists.com
Emwd.com
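An added illustration of the two points argued in this thread (not code from the thread or from Mailman): list munging of the body breaks the poster's DKIM body hash, and a conforming verifier then handles the message exactly as it handles an unsigned one (RFC 6376 section 6.1). The message, the DKIM-Signature header and the list footer are constructed here; only the bh= tag is checked, not the b= header signature or the l= length tag.

```python
import base64
import hashlib
import re


def relaxed_body(body: str) -> bytes:
    """Relaxed body canonicalization, RFC 6376 section 3.4.4: collapse runs of
    whitespace, strip trailing whitespace per line, drop trailing empty lines,
    terminate every remaining line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """Value the signer places in the bh= tag (base64 of SHA-256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_hash_valid(dkim_sig: str, body: str) -> bool:
    """Verifier side: recompute bh= over the body as received and compare."""
    m = re.search(r"\bbh=([^;]+)", dkim_sig)
    return bool(m) and m.group(1).strip() == body_hash(body)


def classify(dkim_sig, body: str) -> str:
    """A missing signature and a failed signature land in the same bucket;
    the downstream spam policy must not distinguish them."""
    if dkim_sig is None or not body_hash_valid(dkim_sig, body):
        return "unsigned"
    return "signed"


def list_munge(body: str) -> str:
    """What a list does to the body: append a footer (constructed text)."""
    return body + "\n-- \nList info: https://lists.example/listinfo\n"


# Constructed message as it left the poster's provider.
ORIGINAL_BODY = "Hi all,\n\nPlease review the draft.\n"
# Constructed signature header; b= is a placeholder since only bh= is checked.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=sel; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + "; b=PLACEHOLDER")
```

Whitespace-only changes (a trailing blank line, collapsed spaces) survive relaxed canonicalization, but an appended footer does not, which is why the poster's signature fails after the list touches the body.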