[SAC] [postgis-devel] DMARC/DKIM mitigation on maling lists

Greg Troxel gdt at lexort.com
Mon Oct 30 18:36:31 PDT 2023 

Sandro Santilli <strk at kbt.io> writes:

>> Ok, this is now live for postgis-tickets. I had to:
>> 
>>   1. Set "Replace the From" to "no"
>>      https://lists.osgeo.org/mailman/admin/postgis-tickets/general
>> 
>>   2. Disable "Reply-to" munging
>>      https://lists.osgeo.org/mailman/admin/postgis-tickets/general
>> 
>>   3. Remove footer from the non-digest options
>>      https://lists.osgeo.org/mailman/admin/postgis-tickets/nondigest
>> 
>> You can see the subsequente differences from the archive:
>> https://lists.osgeo.org/pipermail/postgis-tickets/2023-October/date.html
>
> Laurențiu (in Cc) tested sending a DKIM-signed email to the
> postgis-tickets configured as mentioned above and the mail was found
> to still break the DKIM signature.
>
> Here's what I get as Authentication-Results header when the mail arrives
> to my mailbox:
>
> 	Authentication-Results:
> 		dkim=fail ("headers rsa verify failed") header.d=dend.ro header.s=fm2 header.b="HQmGmY/I";
> 		dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm3 header.b=o8qZA0x2;
> 		dmarc=fail reason="SPF not aligned (relaxed)" header.from=dend.ro (policy=quarantine);
> 		spf=pass
>
> Magnus: if we wanted to compare with PostgreSQL lits, would any of
> those lists be good test targets ? 
>
> Does anyone know if this the DKIM failures above could still have to do with
> mailman configuration ?

I think the way to debug this is to store both the original message as
it went to the mailman server and the one as delivered and then diff
them.  I have had some success guessing at what was munged and finding a
version that passed, but diff is really vastly easier.

I find it odd for outgoing mail from people to have Sender: as for
normal human-sent mail, it should just be From:.  And, I would not
really expect Sender: to be covered by DKIM.  I just sent a normal email
to another person, and my outgoing DKIM header is

  h=From:To:Cc:Subject:References:Date:In-Reply-To;

(I am still in the process of subscribing here, so please keep me in cc
for now.)

More information about the Sac mailing list