Warren Toomey via COFF wrote in
<aKanpE22V+eay62r(a)minnie.tuhs.org>:
|Hi all, I've had a question/issue raised with DKIM on the TUHS/COFF mailing
|lists from a subscriber. I'm running Mailman3 and I'm a DKIM newbie. They
|say:
|
| Why have all mails from the tuhs mailing list, except those
| from a real tuhs.org domain (basically only yours), an invalid
| DKIM? Background, my mail provider will switch its DMARC policy from
| "none" to "quarantine" and then to "reject" - which will result first
| in tuhs-mails being marked as "spam" and later being rejected. Other
| mailing lists I receive, switch the sender domain to the list domain
| itself. This results in a correct DKIM. Wouldn't this be possible
| for the tuhs-list too?
|
|He gives, as examples:
|
| Maillist mails from senders "via TUHS <tuhs(a)tuhs.org>" pass DMARC
| (e.g. Cameron Míċeál Tyre via TUHS <tuhs(a)tuhs.org>)
| Maillist mails from senders without the "via TUHS" part fail DMARC
| (e.g. Blake McBride <blake....(a)gmail.com>)
|
|I'd be very happy to have someone/some people review my mailman3, postfix
|and rspamd configuration and suggest changes.
Didn't you provide dedicated DMARC/non-DMARC lists in the past?
Ah. I have no idea on rspamd, and do not get me started on the
IETF email scene, they are really, really no good people.
But. Mailman3 config is at [1]
- Remove (or rename) old DKIM headers [1]: not so important, but
good. Because.
remove_dkim_headers: yes
Since TUHS/COFF luckily still tags the Subject: line, which
i personally like very much, any old signature is broken.
So they need to be removed, since DKIM gives verifiers
practically free hands as to what is to be tested.
Now DKIM says it is sufficient if *one* signature can be
verified. But leaving in false ones may cause unnecessary
traffic, and maybe even these rubbish Authentication-Results
stuff. (They represent a snapshot in time and space, which
may be wrong in the second after they are generated.)
- Perform the mitigations [2]. Ensure to *always* mitigate and
change the From: line to those "via" style things.
dmarc_mitigate_unconditionally: yes
dmarc_mitigate_action: munge_from
[1]
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/config/doc…
[2]
https://docs.mailman3.org/projects/mailman/en/latest/src/mailman/handlers/d…
In general it can only be "mitigate, mitigate, mitigate" (think
Ballmer's "Developers! Developers! Developers!" -- just like that!),
and unconditionally so, because why have all the DNS lookups and
all the noise for nothing, just give anyone the same appearance.
And.
Even if those IETF email well people push through the wrong
standard, the next DKIM will allow user interfaces to unroll
changes to the IMF (internet message format aka RFC 5322 aka email
message), and therefore *user interfaces* can undo the From:
mitigation, and show the original From:, and therefore all the
people who hate that "x via y" syntax will later have the
possibility to do something about that for themselves (shall their
MUA allow so), whereas on the actual SMTP etc level things (only
partially, alas!!) get more straight again.
Having said all that, i have no Mailman3, i still run Mailman2, but
the above is at least what [1] and [2] say, and the direction is
the right one. ;)
|Many thanks in advance,
| Warren
|
|P.S. Anybody know of an Internet server still running continuously from
|before May 1991 (esp. being maintained by the same owner)? viz:
|https://minnie.tuhs.org/minannounce.txt
--End of <aKanpE22V+eay62r(a)minnie.tuhs.org>
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
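An added example, not code from either message above and not Mailman's
own implementation: it walks one constructed subscriber post through the
two list transformations discussed in the reply (the "[TUHS]" Subject:
tag, then the "x via y" From: munging plus removal of the stale
DKIM-Signature) and shows, with RFC 6376 relaxed header
canonicalization, why the sender's original signature cannot survive
the Subject: tag. The list address tuhs@tuhs.org and list name "TUHS"
are taken from the thread; the "[TUHS]" tag, the sample message, the
example.com sender and the use of Reply-To/X-Original-From to keep the
original author reachable are this example's own assumptions, and the
header hash leaves out the DKIM-Signature field itself that a real
verifier appends. Standard library only.

```python
"""Why a Subject: tag breaks the sender's DKIM signature, and what a
Mailman-style 'munge_from' plus DKIM-header removal leaves on the wire.
Added example, not Mailman code; standard library only."""
import email
import hashlib
import re
from email.utils import formataddr, parseaddr

LIST_ADDR = "tuhs@tuhs.org"      # list posting address (from the thread)
LIST_NAME = "TUHS"
SUBJECT_TAG = "[TUHS]"           # assumed tag; Mailman's subject_prefix

# Constructed sample post, as it might arrive from a subscriber's provider.
# Signature values are placeholders: only the h= list matters here.
ORIGINAL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel;
 h=from:subject:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Blake McBride <blake@example.com>
Subject: Ancient Unix   boot sequence
Date: Mon, 01 Sep 2025 10:00:00 +0000
Message-ID: <abc123@example.com>

Hi all, which files does the V7 boot loader read?
"""


def unfold(value):
    """Join folded header continuation lines (RFC 5322 section 2.2.3)."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 relaxed canonicalization of one header field:
    lowercase name, unfold, collapse runs of WSP, strip around the colon."""
    value = re.sub(r"[ \t]+", " ", unfold(value)).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def signed_header_list(msg):
    """Header names listed in the h= tag of the message's DKIM-Signature."""
    sig = unfold(msg.get("DKIM-Signature", ""))
    m = re.search(r"\bh=([^;]+)", sig)
    return [h.strip() for h in m.group(1).split(":")] if m else []


def header_hash(msg, names):
    """SHA-256 over the relaxed-canonicalized signed headers.  A verifier also
    appends the DKIM-Signature header with b= emptied; omitted here, which
    does not change the conclusion that the hash moves when Subject: moves."""
    data = "".join(relaxed_canon(n, msg.get(n, "")) for n in names)
    return hashlib.sha256(data.encode()).hexdigest()


def tag_subject(msg, tag=SUBJECT_TAG):
    """Prepend the list tag once, as the list's Subject: rewriting does."""
    subject = unfold(msg.get("Subject", ""))
    if tag not in subject:
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject.strip()}"
    return msg


def munge_from(msg, list_addr=LIST_ADDR, list_name=LIST_NAME):
    """Rewrite From: to '<name> via <list> <list_addr>' so the outgoing mail
    is aligned with the list domain's own DKIM signature.  Keeping the author
    in Reply-To: and recording it in X-Original-From are this example's
    choices; Mailman's exact header handling is not reproduced."""
    name, addr = parseaddr(msg.get("From", ""))
    display = f"{name or addr} via {list_name}"
    reply_to = [a.strip() for a in msg.get("Reply-To", "").split(",") if a.strip()]
    reply_to.append(formataddr((name, addr)))
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(reply_to)
    msg["X-Original-From"] = msg.get("From", "")
    del msg["From"]
    msg["From"] = formataddr((display, list_addr))
    return msg


def remove_dkim_headers(msg):
    """Drop the sender's signatures that the list's changes invalidated."""
    for h in ("DKIM-Signature", "DomainKey-Signature"):
        del msg[h]
    return msg


def relay_through_list(raw):
    """Apply the list transformations and report what a verifier would see."""
    msg = email.message_from_string(raw)
    names = signed_header_list(msg)
    before = header_hash(msg, names)
    tag_subject(msg)
    after_tag = header_hash(msg, names)      # Subject: is in h=, so it differs
    munge_from(msg)
    remove_dkim_headers(msg)
    return {
        "signed_headers": names,
        "sender_signature_still_valid": before == after_tag,
        "from": msg["From"],
        "reply_to": msg["Reply-To"],
        "dkim_signature_present": msg["DKIM-Signature"] is not None,
        "message": msg,
    }


if __name__ == "__main__":
    r = relay_through_list(ORIGINAL)
    print("signed headers:", r["signed_headers"])
    print("sender DKIM still valid after tag:", r["sender_signature_still_valid"])
    print("outgoing From:", r["from"])
    print("outgoing Reply-To:", r["reply_to"])
```

Run it and the sender's header hash changes the moment "[TUHS]" lands in
Subject:, which is exactly why leaving the old DKIM-Signature in place
only invites a failed verification; the outgoing message then carries the
list address in From:, so the signature the list server adds on its own
domain is the one DMARC aligns against.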