DKIM signatures from google groups

Greg Troxel gdt at lexort.com
Fri Feb 2 07:23:34 PST 2024


Sandro Santilli <strk at kbt.io> writes:

> On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:
>
>> I attach (only to you) the last email I got from that google group.
>
> There is a single DKIM-Signature from the mailing list (googlegroups.com),
> none from the email author (the one in the From).
>
> 	DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> 					d=googlegroups.com;
> 					h=list-unsubscribe:list-archive:list-help:list-post:list-id
> 					  :mailing-list:precedence:reply-to:x-original-authentication-results
> 					  :x-original-sender:message-id:mime-version:to:from:importance
> 					  :subject:date:savedfromemail:sender:from:to:cc:subject:date
> 					  :message-id:reply-to;
>
> The "Return-Path" header is set to googlegroups.com so SPF also passes.

I am not following.  Are you saying that the author's MTA created a DKIM
signature, and that googlegroups *removed* it?  If so, that's
broken, but I have not had the impression they do this.

> This could be another approach. Leaving the From untouched would
> allow the GPG signatures to be properly handled by MUA and stripping
> the original author's DKIM signature would prevent finding it broken.

It is not ok to drop DKIM signatures.  Today all domains should:

  generate DKIM signatures (that certainly cover From:)
  publish SPF

and we are heading for

  publish a DMARC policy

Dropping an author's DKIM signature will mean that DMARC fails.  Plus I
think the DKIM RFCs do frown on that, or would if they had contemplated
it.

> Adding a new DKIM signature could make MTAs happier about accepting
> the mail for delivery.

It seems normal for a mailing list processor to add a DKIM signature
which basically authenticates the message as having been emitted from
the list.

> I've to say I find it hard to make use of these signatures from a procmail 
> as following all the indirections is pretty complex.

True, but trying to use procmail seems strange to me.   There are
milters for checking, and e.g. spamassassin has rules that assign points
for failing standards.


I don't understand where this is coming from.  What is the problem on
the table, given a base assumption of

  mail originated from osgeo.org is DKIM signed

  osgeo mailing lists do not (will not once fixed) modify From, Subject,
  or body

?
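
Added example, not part of the original message or of any list software: a sketch of the DMARC alignment check behind the point about dropped author signatures, run over the googlegroups.com header quoted above. The author domain `author.example`, the `AUTHOR_SIG` value and the two-label `org_domain` shortcut are constructed assumptions, and each signature is assumed to have already been verified cryptographically by a milter.

```python
import re

# DKIM-Signature value as quoted in the message above (b=/bh= were not shown there).
LIST_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; "
    "h=list-unsubscribe:list-archive:list-help:list-post:list-id"
    " :mailing-list:precedence:reply-to:x-original-authentication-results"
    " :x-original-sender:message-id:mime-version:to:from:importance"
    " :subject:date:savedfromemail:sender:from:to:cc:subject:date"
    " :message-id:reply-to;"
)
# Constructed sample: a signature the author's own domain might have added.
AUTHOR_SIG = "v=1; a=rsa-sha256; d=author.example; h=from:to:subject:date:message-id;"


def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def org_domain(domain):
    """Assumption: last two labels; real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned_dkim_domains(sig_values, from_domain):
    """Signing domains that cover From: and align (relaxed) with the From: domain."""
    hits = []
    for value in sig_values:
        tags = parse_tags(value)
        signed = tags.get("h", "").lower().split(":")
        d = tags.get("d", "")
        if "from" in signed and org_domain(d) == org_domain(from_domain):
            hits.append(d)
    return hits


def dmarc_passes(sig_values, from_domain, return_path_domain):
    """DMARC passes if aligned DKIM or aligned SPF passes (SPF assumed to pass)."""
    spf_aligned = org_domain(return_path_domain) == org_domain(from_domain)
    return bool(aligned_dkim_domains(sig_values, from_domain)) or spf_aligned
```

With both signatures present the author's domain aligns; with only the list signature and a googlegroups.com Return-Path, neither DKIM nor SPF aligns with the From: domain.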

