[postgis-devel] DMARC/DKIM mitigation on mailing lists

Greg Troxel gdt at lexort.com
Wed Oct 25 12:28:47 PDT 2023


"Regina Obe" <lr at pcorp.us> writes:

> Hmm this message is weird, has my display name when I reply but the
> postgis-devel email address.  I don't like this.  
> This is a new thing right?

I don't think it's new, but it's exactly what I object to.  Here's how
the line that is meant to be From: you has been carried:

  "'Regina Obe via postgis-devel'" <postgis-devel at lists.osgeo.org>

> I'm not sure what keeping/removing the subject prefix has to do with
> DMARC/DKIM compliance or whatever strk is trying to fix.

The relationship is (simplifying slightly but trying hard not to mislead):

  (Most) outgoing domains sign mail via DKIM to prove it came from the domain.

  Some domains publish a DMARC policy that says:
    if you get mail from my domain, then accept it if one of the
    following is true:
      it came direct from my outgoing mailservers (SPF)
      my domain signed it *and the signature is valid* (DKIM)
    otherwise, treat as spam or outright reject

  Modifying the subject is an attack on the message, cryptographically.
  So is adding a footer.  These break the DKIM signature.

  Because it's list mail, the SPF check fails.

  Thus, the message is rejected.

So, rather than the straightforward

  don't modify the message; DKIM will pass

people instead decided to:

  rewrite From: to how your name is above, so that the sending domain is
  no longer the original

  because reply won't do the right thing, add Reply-To: back to the
  person

  Hope that reply-to will work, despite people ignoring it, because many
  lists abuse it to say "the list owner decided private replies should
  go to the list", which is another (but separate) wrong thing.


The three options for lists are:

  ban list members from domains that set DMARC policy (not reasonable)

  munge From: and cause reply and other MUA problems.

  don't modify subject or body and all is ok 


(Yes, I know about ARC, but I think it isn't really baked yet.)


FWIW, your domain:
  publishes SPF

  DKIM signs, but with a domain that is not yours so it can't reasonably
  be checked (google is like this).

  does not publish DMARC
  

