DKIM on messages - Externals

4 years ago by scott@exussum.co.uk — view source

unread

Hi all,

Minor issue really but a fair chunk of the emails I get from the
internals list end up in spam due to what looks like the DKIM signatures
being incorrect.

If a message is DKIM signed, the signed part usually contains subject
and body, this is then hashed and appended to the headers, after its
been sent to the mailing list (where the signature is correct) the
mailing list then prepends [PHP-DEV] to the subject and sometimes (not
sure when but its not every request) puts an unsubscribe link in the
body. As the message content has now changed, the signature also fails
to verify.

It looks like ezmlm is used, there is an option for headerremove which
DKIM-Signature could be added to
(https://manpages.debian.org/experimental/ezmlm-idx/ezmlm-send.1.en.html)
this would prevent the signature being attached and therefore pass.

I imagine this is a fairly small issue, but it seems an easy fix also
for someone with access to the mailing list.

Would it be possible for this to be applied ? as mentioned earlier this
isnt major but I can't imagine I am the only one who has failures
because of this.

Thanks

Scott

4 years ago by tim@bastelstu.be — view source

unread

Scott,

[using DKIM and (lax) DMARC myself, usually just lurking]

Am 08.07.19 um 21:29 schrieb scott@exussum.co.uk:

It looks like ezmlm is used, there is an option for headerremove which
DKIM-Signature could be added to
(https://manpages.debian.org/experimental/ezmlm-idx/ezmlm-send.1.en.html) this
would prevent the signature being attached and therefore pass.

This will still break anything using DMARC, because neither DKIM nor
SPF is valid. Anything not using DMARC is better off, though.

Ideally the email modifications are disabled entirely. The emails can be
reliably detected using the List-Id header and filtered based on it.

Best regards
Tim Düsterhus

4 years ago by Scott Dutton — view source

unread

This will still break anything using DMARC, because neither DKIM nor
SPF is valid. Anything not using DMARC is better off, though.

Ideally the email modifications are disabled entirely. The emails can
be
reliably detected using the List-Id header and filtered based on it.

Best regards
Tim Düsterhus

Hi Tim

The suggested method is not modifying the emails as you suggested,
unsubscribe links should be handled by adding a List-Unsubscribe header
(which almost all major providers use to show inline unsubscribe links)
though that needs a one click link which the current link is not (so
again a little more work)

Im not sure how big of a change that will be (as it will be many people
updating filters I assume) but yeah that's a much better way. I assume
people must get dmarc reports now as the SPF and DKIM checks will both
fail currently ?

Thanks

Scott