[postgis-users] DMARC config

Greg Troxel gdt at lexort.com
Thu Aug 24 09:31:53 PDT 2023


Sandro Santilli <strk at kbt.io> writes:

> For reference: osgeo-discuss seems to be always munging the from
> and adding a Reply-To: original_sender. From where I'm standing (mutt)
> it seems to be handled very well.

We can separate

  adding a footer (aka MITM attack on the body) which breaks DKIM

  changing from (breaks lots of things including DKIM) and adding
  reply-to: with original sender

  setting reply-to list

This list adds, or maybe you put it in:

  Reply-To: PostGIS Users Discussion <postgis-users at lists.osgeo.org>

which causes the reply MUA action to send a private reply to the list.
This is simply not ok, and if it is added by the list it is a standards
violation.

From: munging, while there can be many situations where various MUAs do
what people expect, is problematic because:

  It's a standards violation.   From: is defined as the sender, and
  mail to that must go to the sender.

  It breaks things like "add sender to address book".

  It breaks "welcomelist_from" in SpamAssassin, and similar.

  It breaks "gnus-summary-increase-score" when selecting author, because
  the from field no longer contains the author.

  It breaks anything else when people expect the standards-compliant
  behavior that the from: field contains the originator's address.

  It breaks things like the TXREP plugin in SpamAssassin which keeps
  track of score history by sender.

  Because of widespread Reply-To: abuse, it is reasonable for people to
  ignore it on mailinglists.  So a munged from will be included in a
  reply.   (It seems obvious that expecting people to keep track of
  which lists insert false reply-to headers and configure mail clients
  to selectively reject is unreasonable; it's far more effort than
  expecting people to filter on list-id.)


Both From: munging and body munging are problematic because: DKIM fails,
and that means welcomelist_from_dkim in SpamAssassin and similar do not
work.  I have had to add not only welcomelist_from_dkim but also
welcomelist_from_rcvd for specific lists.  It's not ok to ask people to
use welcomelist_from (with no linkage to dkim or sending server) because
lots of spam is forged from people you know from compromised accounts.


All of this pain happens because people think it is important to modify
the subject and the body.  We've had a List-Id for 22.5 years:
  https://datatracker.ietf.org/doc/rfc2919/
which is expressly useful for mail systems to sort list mail how the
user wants it.

As I see it, the only argument in favor of munging is groupthink that
mailinglists are supposed to modify the subject and body, because people
expect it, because mailinglists were misconfigured that way last year as
well.
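
Added example, not part of the message above: a Python sketch of why a list footer and From: munging each invalidate an author's DKIM signature, using the "relaxed" canonicalization from RFC 6376. The sample messages, addresses and the helper names (relaxed_body, body_hash, relaxed_from, dkim_breakage) are constructed for illustration; the sketch compares the signed inputs only and does not verify an actual signature.

```python
import base64
import hashlib
import re
from email import message_from_bytes

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # trailing empty lines are ignored
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a signer using sha256 puts in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_from(raw: bytes) -> str:
    """RFC 6376 section 3.4.2 "relaxed" form of the From: header field."""
    value = message_from_bytes(raw)["From"] or ""
    value = re.sub(r"[ \t]+", " ", value.replace("\r", "").replace("\n", ""))
    return "from:" + value.strip()

def dkim_breakage(original: bytes, delivered: bytes) -> list:
    """Name the signed parts that the list changed. Assumes no l= tag;
    From: is always signed because RFC 6376 requires it."""
    changed = []
    o_body, d_body = (m.partition(b"\r\n\r\n")[2] for m in (original, delivered))
    if body_hash(o_body) != body_hash(d_body):
        changed.append("body")
    if relaxed_from(original) != relaxed_from(delivered):
        changed.append("From")
    return changed

# Constructed sample message and three list treatments of it.
ORIGINAL = (b"From: Alice Example <alice@example.org>\r\n"
            b"To: users@lists.example.net\r\n"
            b"Subject: hello\r\n\r\n"
            b"Hello  list,\r\nshort question.\r\n")
PASSTHROUGH = ORIGINAL + b"\r\n\r\n"   # only trailing blank lines added
FOOTER = ORIGINAL + b"____\r\nusers mailing list\r\n"
MUNGED = ORIGINAL.replace(
    b"From: Alice Example <alice@example.org>",
    b"From: Alice Example via users <users@lists.example.net>\r\n"
    b"Reply-To: Alice Example <alice@example.org>")

if __name__ == "__main__":
    for name, msg in [("passthrough", PASSTHROUGH), ("footer", FOOTER), ("From munging", MUNGED)]:
        print(name, "->", dkim_breakage(ORIGINAL, msg))
```

A list that relays the message unchanged (apart from whitespace that relaxed canonicalization ignores) leaves both signed inputs intact, which is what lets DKIM-linked allowlisting keep working for list mail.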


