DKIM signatures from google groups

Sandro Santilli strk at kbt.io
Fri Feb 2 07:40:21 PST 2024


On Fri, Feb 02, 2024 at 10:23:34AM -0500, Greg Troxel wrote:
> Sandro Santilli <strk at kbt.io> writes:
> 
> > On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:
> >
> >> I attach (only to you) the last email I got from that google group.
> >
> > There is a single DKIM-Signature from the mailing list (googlegroups.com),
> > none from the email author (the one in the From).
> >
> > 	DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> > 					d=googlegroups.com;
> > 					h=list-unsubscribe:list-archive:list-help:list-post:list-id
> > 					  :mailing-list:precedence:reply-to:x-original-authentication-results
> > 					  :x-original-sender:message-id:mime-version:to:from:importance
> > 					  :subject:date:savedfromemail:sender:from:to:cc:subject:date
> > 					  :message-id:reply-to;
> >
> > The "Return-Path" header is set to googlegroups.com so SPF also passes.
> 
> I am not following.  Are you saying that the author's MTA created a DKIM
> signature, and that that googlegroups *removed* it?  If so, that's
> broken, but I have not had the impression they do this.

I didn't get access to the original author's email so don't really
know if the signature was removed or not. All I know is that the
mail I received had a single DKIM-Signature by googlegroups.com.

> I don't understand where this is coming from.  What is the problem on
> the table, given a base assumption of

This is coming from my unanticipated (almost, see [1]) change in mailman
configuration for the osgeo-discuss mailing list having triggered contrary
reactions [2]:

  [1] https://lists.osgeo.org/pipermail/discuss/2024-January/040048.html
  [2] https://lists.osgeo.org/pipermail/discuss/2024-January/040058.html

And from my observation that changing From also makes it harder for MUAs
to verify GPG signatures:

  [3] https://lists.osgeo.org/pipermail/discuss/2024-January/040091.html

Javier observed that google groups do not have broken DKIM signatures
and sent me the full header of one mail, which I tried to interpret, turning
the mail into a SAC thread to see if anyone would want to change the
recommended setup [4] based on the reactions and new findings.

  [4] https://trac.osgeo.org/osgeo/ticket/3011#comment:23

--strk;

  Libre GIS consultant/developer
  https://strk.kbt.io/services.html
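
The observation in the message above (a single DKIM-Signature with d=googlegroups.com and none for the domain in From) can be checked mechanically. The following is an added example, not part of the original message: the sample message, its addresses and the PLACEHOLDER values are constructed, and the alignment test is a simplification that does not consult the Public Suffix List or verify the signature itself.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header layout modelled on the one quoted above;
# addresses and the s=/bh=/b= values are placeholders, not real data.
SAMPLE = """\
Return-Path: <list+bncPLACEHOLDER@googlegroups.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
\td=googlegroups.com; s=PLACEHOLDER;
\th=list-unsubscribe:list-id:sender:from:to:cc:subject:date
\t  :message-id:reply-to;
\tbh=PLACEHOLDER; b=PLACEHOLDER
From: Author <author@example.org>
To: list@googlegroups.com
Subject: constructed example

body
"""

def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def aligned(signing_domain, from_domain):
    """Simplified relaxed alignment: same domain, or parent/child of it."""
    s, f = signing_domain.lower(), from_domain.lower()
    return s == f or s.endswith("." + f) or f.endswith("." + s)

def dkim_report(raw):
    """Return the From domain and, per signature, d= and its relation to From."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(value)
        d = tags.get("d", "")
        signed = tags.get("h", "").lower().split(":")
        report.append({"d": d, "signs_from": "from" in signed,
                       "aligned_with_from": aligned(d, from_domain)})
    return from_domain, report

if __name__ == "__main__":
    print(dkim_report(SAMPLE))
```

For the constructed sample the report shows one signature whose h= list covers From but whose d= is not aligned with the From domain, which is the situation described in the message.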