Newsgroups: php.internals
From: info@phpgangsta.de (Michael Kliewe)
Date: Thu, 22 Feb 2024 15:44:13 +0100
Subject: Re: External Message: Re: [PHP-DEV] What's up with emails?
To: internals@lists.php.net
Message-ID: <10e775ea-4d0b-4a1b-a895-a6ae95136fec@phpgangsta.de>

On 22.02.2024 at 15:14, Jeffrey Dafoe wrote:
>> Gmail is rejecting emails after we moved the servers without telling us why, in
>> enough detail to do anything about it.
> It's not just gmail.

I guess it's because of a wrong setting in the mailing list server.

The content of the original email is changed (the subject is prepended by "[PHP-DEV]"), which breaks the original DKIM signature by the sender.

A new DKIM-signature is added by php.net, but it's not aligned to the From:-header domain (which is still the original sender).

So the email doesn't have a valid ALIGNED DKIM signature.

SPF is valid for the envelope from, but is not aligned to the From:-header.

The result is:

There is no aligned SPF nor aligned DKIM, which results in a dmarc=fail.

Providers which honor DMARC will quarantine or reject these unauthorized/forged emails.

There are 2 solutions:

1. Don't change the content or the DKIM-signed headers of the email (do not prepend something in the subject). Then the original DKIM signature stays valid and the From:-header can stay untouched.

2. If you change the email and break the original DKIM signature, also change the From:-header to a domain which matches the new DKIM signature, in this case set the From:-header to internals@lists.php.net. This is called "munging" in mailing list software.

Michael

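The alignment check described in the message above, as an added example that is not part of the original post and not code from php.net or any mailing list software. It evaluates the delivered message and both proposed fixes under relaxed alignment. Assumptions: the envelope sender address is constructed, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
from dataclasses import dataclass
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # Assumption: last two labels form the organizational domain. Real
    # evaluators consult the Public Suffix List (needed for e.g. "co.uk").
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: exact match if strict, same org domain if relaxed."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str      # From: header, the identity DMARC protects
    envelope_from: str    # SMTP MAIL FROM, the identity SPF authenticates
    spf_pass: bool
    dkim: list            # (d= domain, signature verified?) pairs


def dmarc(msg: Message) -> str:
    """Pass if at least one of SPF or DKIM both verifies and is aligned."""
    from_dom = parseaddr(msg.header_from)[1].rpartition("@")[2]
    env_dom = msg.envelope_from.rpartition("@")[2]
    spf_ok = msg.spf_pass and aligned(env_dom, from_dom)
    dkim_ok = any(ok and aligned(d, from_dom) for d, ok in msg.dkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


ENVELOPE = "bounces@lists.php.net"  # constructed sample value
SCENARIOS = {
    # Subject rewritten: sender's signature broken, list signature unaligned.
    "as_delivered": Message("info@phpgangsta.de", ENVELOPE, True,
                            [("phpgangsta.de", False), ("php.net", True)]),
    # Solution 1: message untouched, sender's signature still verifies.
    "unmodified": Message("info@phpgangsta.de", ENVELOPE, True,
                          [("phpgangsta.de", True), ("php.net", True)]),
    # Solution 2: From: munged to the list, so the list's signature aligns.
    "munged_from": Message("Michael Kliewe <internals@lists.php.net>", ENVELOPE,
                           True, [("phpgangsta.de", False), ("php.net", True)]),
}

if __name__ == "__main__":
    for name, message in SCENARIOS.items():
        print(f"{name}: dmarc={dmarc(message)}")
```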