Why adding a prefix breaks DKIM signature (was: Change in mailing list configuration)

[Sandro Santilli]

[ Adding discuss list back as I think this is of general interest )

On Fri, Jan 12, 2024 at 02:34:52PM +0000, Luís Moreira de Sousa wrote:
> Dear Sandro,
> 
> I am not qualified to opine on the DKIM configuration, but I would question the removal of the prefix. All other pipermail list I am subscribed to add a prefix to the subject. Could you explain why it had to be removed? Will this decision affect the other OSGeo lists?


DKIM is a standard by which the mail server applies a cryptographic signature
to some elements of an email, to ensure it is not tampered with. 

Your mail (the one I'm reply to) contained the following signature:

  DKIM-Signature:
    [..]
    d=protonmail.ch;
    h=Date:To:From:Subject:Message-ID:In-Reply-To:References:

That means that your mail server (protonmail.ch) applied a digital
ignature on the following email headers:

  - Date
  - To
  - From
  - Subject
  - Message-Id
  - In-Reply-To
  - References

The mail servers involved in getting the mail to me checked your
server signature and added an header with the outcome of the
verification:

  Authentication-Results:
    hst.kbt.io; dkim=pass (2048-bit key; secure)

  Authentication-Results:
    spool.mail.gandi.net;
    dkim=pass

So both "spoo.mail.gandi.net" and "hst.kbt.io" where happy with your
signature. If Mailman injected a prefix in the "Subject" header
(which is among the ones signed by protonmail.ch) the servers of
recipients would detect the mail was modified and thus will consider
it suspicious.

--strk;
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://lists.osgeo.org/pipermail/discuss/attachments/20240112/a088f46f/attachment.sig>