DKIM signatures with message footers or subject prefixes
Dear Experts
What is the best way to go about reconciling GNU Mailman3-made message modifications (like message footers or subject prefixes) with sender-made DKIM signatures? I am aware of the "DMARC mitigations" tab in the list settings, not bad, but it looks like "replace From: with list address" doesn't help (of course), whereas wrapping the message in an outer message often looks ugly. Is there a better way?...
BTW I would like to point out that a broken DKIM signature can be a problem even with an easy DMARC policy; for example ProtonMail will display this flashy red warning: https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-a... in its webmail. (I guess nothing can be done about it except "DMARC Mitigate unconditionally").
This is GNU Mailman 3.1.
Thanks!
On 3/11/22 09:37, Stanisław Findeisen via Mailman-users wrote:
> Dear Experts
> What is the best way to go about reconciling GNU Mailman3-made message modifications (like message footers or subject prefixes) with sender-made DKIM signatures? I am aware of the "DMARC mitigations" tab in the list settings, not bad, but it looks like "replace From: with list address" doesn't help (of course), whereas wrapping the message in an outer message often looks ugly. Is there a better way?...
> BTW I would like to point out that a broken DKIM signature can be a problem even with an easy DMARC policy; for example ProtonMail will display this flashy red warning: https://protonmail.com/support/knowledge-base/email-has-failed-its-domains-a... in its webmail. (I guess nothing can be done about it except "DMARC Mitigate unconditionally").
ProtonMail is broken - see https://www.rfc-editor.org/rfc/rfc6376.html#section-6.1
That said, BCP recommends removing the signatures that the MLM will break https://www.rfc-editor.org/rfc/rfc6377.html#section-5.7
Mailman implements this with the mailman.cfg setting
[mta]
remove_dkim_headers: yes
Also, your outgoing MTA should DKIM sign the mail on the way out. With that and the above setting, the outgoing message will have only your valid DKIM signature and no prior Authentication-Results:.
ARC <https://www.rfc-editor.org/rfc/rfc8617.html> is intended to address this while preserving prior authentication results and is supported by Mailman, but is not accepted by all receivers.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
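To make the advice above concrete, here is an added example (not Mailman, OpenDKIM or Mark's code) that checks only the DKIM body hash (bh=) of a constructed message, applies a subject prefix and footer the way a list does, and then strips the prior DKIM-Signature and Authentication-Results headers as remove_dkim_headers does. The sample message, domains and selector are constructed; no key is involved, so the b= signature itself is not verified.

```python
import base64
import hashlib
import re
from email import message_from_string
# Constructed sample message as it leaves the author's MTA; b= is a placeholder.
ORIGINAL_BODY = "Hello list,\n\nplease review the patch.\n\n"
_HEADERS = (
    "From: alice@example.com\n"
    "To: discuss@lists.example.org\n"
    "Subject: patch review\n"
    "Authentication-Results: mx.example.com; spf=pass\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    " s=sel; h=from:to:subject; bh={bh}; b=PLACEHOLDER\n\n"
)

def relaxed_body(body):
    """RFC 6376 section 3.4.4 relaxed body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return b"".join(ln.encode() + b"\r\n" for ln in lines)

def body_hash(body):
    """The bh= tag value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def build_signed_message():
    """Sender side: bh= is computed over the body exactly as sent."""
    return message_from_string(_HEADERS.format(bh=body_hash(ORIGINAL_BODY)) + ORIGINAL_BODY)

def body_hash_ok(msg):
    """Receiver side: recompute bh= and compare with the signature's tag."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False
    tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", sig).split(";") if t)
    return tags.get("bh") == body_hash(msg.get_payload())

def apply_list_changes(msg, prefix, footer):
    """What the MLM does: Subject prefix (Subject is in h=) and footer (changes bh=)."""
    msg.replace_header("Subject", f"{prefix} {msg['Subject']}")
    msg.set_payload(msg.get_payload() + footer)
    return msg

def strip_prior_auth_headers(msg):
    """Like Mailman's remove_dkim_headers: drop signatures the list breaks and prior Authentication-Results."""
    for name in ("DKIM-Signature", "DomainKey-Signature", "Authentication-Results"):
        del msg[name]
    return msg
```

After strip_prior_auth_headers the outgoing MTA re-signs with the list domain's key, so the recipient sees one valid signature instead of a broken one.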
On Fri, Mar 11, 2022 at 10:41:00AM -0800, Mark Sapiro wrote:
> Also, your outgoing MTA should DKIM sign the mail on the way out. With that and the above setting, the outgoing message will have only your valid DKIM signature and no prior Authentication-Results:.
Ok, you mean after replacing the From address with the list address, right? I can see no way (or sense) to DKIM sign arbitrary From: addresses.
This actually works quite well: the recipient just gets 2 DKIM signatures. The original one is broken, the MTA-generated one (after writing my list address into From) is OK. This is good enough even for ProtonMail (no red warning).
What about this list (mailman-users)? It looks like this one also has From address replacement + conditional DMARC mitigation. And remove_dkim_headers: no. Correct?
Thank you
On 3/12/22 12:20, Stanisław Findeisen via Mailman-users wrote:
> On Fri, Mar 11, 2022 at 10:41:00AM -0800, Mark Sapiro wrote:
>> Also, your outgoing MTA should DKIM sign the mail on the way out. With that and the above setting, the outgoing message will have only your valid DKIM signature and no prior Authentication-Results:.
> Ok, you mean after replacing the From address with the list address, right? I can see no way (or sense) to DKIM sign arbitrary From: addresses.
Your DKIM signature only says you sent the mail and if the signature validates, the mail hasn't been modified since you signed it. I.e. validation of the signature is a statement to the recipient that the mail received is what you sent. That's all.
If the domain of the From: address doesn't align with your domain, the signature won't help with DMARC, but that's a separate issue and why we have DMARC mitigations such as replacing the From: with the list address.
> This actually works quite well: the recipient just gets 2 DKIM signatures. The original one is broken, the MTA-generated one (after writing my list address into From) is OK. This is good enough even for ProtonMail (no red warning).
And your rewriting the From: is only necessary for DMARC. If the ProtonMail red flag is only because there was no valid DKIM signature, you shouldn't need to rewrite From:. If it is because of DMARC, you do.
> What about this list (mailman-users)? It looks like this one also has From address replacement + conditional DMARC mitigation. And remove_dkim_headers: no. Correct?
This list has DMARC mitigation action = Replace From: and DMARC Mitigate unconditionally = No and remove_dkim_headers: no.
We DKIM sign all outgoing mail from lists.mailman3.org.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
Thank you for your clarification. I am now wildcard (*) DKIM-signing the (arbitrary) From: address domain with the host domain key. However my mailing list is a virtual host (actually there are several of them), which is different than the host domain. Do you know if such a setup is harmful? Or if there is a way to select the VHOST key? This is Postfix + OpenDKIM.
With DMARC mitigation action = Replace From: and DMARC Mitigate unconditionally = Yes the VHOST key gets selected, which also results in (existing and) valid DMARC. Perhaps this setup makes it easier to pass through the spam filters?... But the cost is the abused From:.
Thank you Stanisław
On Sat, Mar 12, 2022 at 12:49:38PM -0800, Mark Sapiro wrote:
> On 3/12/22 12:20, Stanisław Findeisen via Mailman-users wrote:
>> On Fri, Mar 11, 2022 at 10:41:00AM -0800, Mark Sapiro wrote:
>>> Also, your outgoing MTA should DKIM sign the mail on the way out. With that and the above setting, the outgoing message will have only your valid DKIM signature and no prior Authentication-Results:.
>> Ok, you mean after replacing the From address with the list address, right? I can see no way (or sense) to DKIM sign arbitrary From: addresses.
> Your DKIM signature only says you sent the mail and if the signature validates, the mail hasn't been modified since you signed it. I.e. validation of the signature is a statement to the recipient that the mail received is what you sent. That's all.
> If the domain of the From: address doesn't align with your domain, the signature won't help with DMARC, but that's a separate issue and why we have DMARC mitigations such as replacing the From: with the list address.
>> This actually works quite well: the recipient just gets 2 DKIM signatures. The original one is broken, the MTA-generated one (after writing my list address into From) is OK. This is good enough even for ProtonMail (no red warning).
> And your rewriting the From: is only necessary for DMARC. If the ProtonMail red flag is only because there was no valid DKIM signature, you shouldn't need to rewrite From:. If it is because of DMARC, you do.
>> What about this list (mailman-users)? It looks like this one also has From address replacement + conditional DMARC mitigation. And remove_dkim_headers: no. Correct?
> This list has DMARC mitigation action = Replace From: and DMARC Mitigate unconditionally = No and remove_dkim_headers: no.
> We DKIM sign all outgoing mail from lists.mailman3.org.
> -- 
> Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
> Mailman-users mailing list -- mailman-users@mailman3.org To unsubscribe send an email to mailman-users-leave@mailman3.org https://lists.mailman3.org/mailman3/lists/mailman-users.mailman3.org/
On 3/14/22 04:07, Stanisław Findeisen via Mailman-users wrote:
> Thank you for your clarification. I am now wildcard (*) DKIM-signing the (arbitrary) From: address domain with the host domain key. However my mailing list is a virtual host (actually there are several of them), which is different than the host domain. Do you know if such a setup is harmful? Or if there is a way to select the VHOST key? This is Postfix + OpenDKIM.
In your opendkim.conf set
SenderHeaders List-Post,Sender,From
See the MAILING LISTS section in http://www.opendkim.org/opendkim-README
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
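As an added illustration of the SenderHeaders setting above (constructed here, not taken from the thread or from OpenDKIM's documentation), this is how the setting combines with a SigningTable and KeyTable so that each list virtual host is signed with its own key; the domain names, selector and key paths are assumptions.

```conf
# /etc/opendkim.conf (fragment). Constructed example; domains, selector
# and paths are assumptions.
# Look at List-Post before Sender and From, so list traffic is matched
# on the list's own domain rather than the original author's domain.
SenderHeaders          List-Post,Sender,From
SigningTable           refile:/etc/opendkim/SigningTable
KeyTable               /etc/opendkim/KeyTable

# /etc/opendkim/SigningTable (refile: wildcard patterns allowed).
# One line per list virtual host, mapping the address to a KeyTable name.
*@lists.example.org    lists.example.org
*@lists.example.net    lists.example.net
*@mail.example.org     mail.example.org

# /etc/opendkim/KeyTable  (name  domain:selector:private-key-file)
lists.example.org      lists.example.org:s2022:/etc/opendkim/keys/lists.example.org.private
lists.example.net      lists.example.net:s2022:/etc/opendkim/keys/lists.example.net.private
mail.example.org       mail.example.org:s2022:/etc/opendkim/keys/mail.example.org.private
```

Each selector must have a matching DKIM TXT record published under the virtual host's domain, otherwise the chosen signature will not verify.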