DKIM signatures from google groups

Javier Jimenez Shaw j1 at jimenezshaw.com
Fri Feb 2 08:23:59 PST 2024


Hi

Javier here

Sandro explained the origin of this email.
After the complaints by many people about changing the title, I realized
that the google group I am a member of does change the title of the
emails, adding [prefix], and still has a valid DKIM signature.

I sent Sandro one example (as .eml file) so he can understand the headers
used there.

If anybody wants, I can send them personally that email. Or even create a
google group just to analyse it.
Maybe they use a configuration that makes sense.

Recently most of the emails I get from the osgeo mailing list are displayed as
unsecure, or are directly in the spam folder.

Cheers

On Fri, 2 Feb 2024 at 16:40, Sandro Santilli <strk at kbt.io> wrote:

> On Fri, Feb 02, 2024 at 10:23:34AM -0500, Greg Troxel wrote:
> > Sandro Santilli <strk at kbt.io> writes:
> >
> > > On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:
> > >
> > >> I attach (only to you) the last email I got from that google group.
> > >
> > > There is a single DKIM-Signature from the mailing list (googlegroups.com),
> > > none from the email author (the one in the From).
> > >
> > >     DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> > >         d=googlegroups.com;
> > >         h=list-unsubscribe:list-archive:list-help:list-post:list-id
> > >          :mailing-list:precedence:reply-to:x-original-authentication-results
> > >          :x-original-sender:message-id:mime-version:to:from:importance
> > >          :subject:date:savedfromemail:sender:from:to:cc:subject:date
> > >          :message-id:reply-to;
> > >
> > > The "Return-Path" header is set to googlegroups.com so SPF also passes.
> >
> > I am not following.  Are you saying that the author's MTA created a DKIM
> > signature, and that that googlegroups *removed* it?  If so, that's
> > broken, but I have not had the impression they do this.
>
> I didn't get access to the original author's email so don't really
> know if the signature was removed or not. All I know is that the
> mail I received had a single DKIM-Signature by googlegroups.com.
>
> > I don't understand where this is coming from.  What is the problem on
> > the table, given a base assumption of
>
> This is coming from my unanticipated (almost, see [1]) change in mailman
> configuration for the osgeo-discuss mailing list having triggered contrary
> reactions [2]:
>
>   [1] https://lists.osgeo.org/pipermail/discuss/2024-January/040048.html
>   [2] https://lists.osgeo.org/pipermail/discuss/2024-January/040058.html
>
> And from my observation that changing From also makes it harder for MUAs
> to verify GPG signatures:
>
>   [3] https://lists.osgeo.org/pipermail/discuss/2024-January/040091.html
>
> Javier observed that google groups do not have broken DKIM signatures
> and sent me the full header of one mail, which I tried to interpret, turning
> the mail into a SAC thread to see if anyone would want to change the
> recommended setup [4] based on the reactions and new findings.
>
>   [4] https://trac.osgeo.org/osgeo/ticket/3011#comment:23
>
> --strk;
>
>   Libre GIS consultant/developer
>   https://strk.kbt.io/services.html
>
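Added example, not part of the original thread and not code from any project mentioned in it: a small parser for the DKIM-Signature value quoted above, reporting who signed (d=), whether Subject is among the signed headers, which header names are listed twice in h=, and whether the signer is the From domain. The function names and the `author.example` domain are assumptions made for illustration.

```python
from collections import Counter

# Constructed input: the DKIM-Signature value quoted in the message above,
# with its folding kept. The bh= and b= tags are not on the page and are omitted.
SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "        d=googlegroups.com;\r\n"
    "        h=list-unsubscribe:list-archive:list-help:list-post:list-id\r\n"
    "         :mailing-list:precedence:reply-to:x-original-authentication-results\r\n"
    "         :x-original-sender:message-id:mime-version:to:from:importance\r\n"
    "         :subject:date:savedfromemail:sender:from:to:cc:subject:date\r\n"
    "         :message-id:reply-to;"
)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    unfolded = value.replace("\r\n", "").replace("\n", "")
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = val.strip()
    return tags

def signed_headers(tags):
    """Header names from h=, lower-cased, in order, duplicates kept."""
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

def summarize(value, from_domain):
    """Who signed, which headers are covered, and is the signer the From domain?"""
    tags = parse_tags(value)
    counts = Counter(signed_headers(tags))
    d = tags.get("d", "").lower()
    fd = from_domain.lower()
    return {
        "signer": d,
        "canonicalization": tags.get("c", "simple/simple"),  # RFC 6376 default
        "covers_subject": counts["subject"] > 0,
        "listed_twice": sorted(h for h, n in counts.items() if n > 1),
        # Simplified check: exact match or subdomain, no public-suffix lookup.
        "signer_is_from_domain": fd == d or fd.endswith("." + d),
    }

if __name__ == "__main__":
    # author.example is a placeholder for the author's domain (not on the page).
    for key, val in summarize(SIG, "author.example").items():
        print(f"{key}: {val}")
```

Because the list computes this signature over the message as it sends it, a Subject with the added [prefix] is what gets signed, so the signature verifies even though it says nothing about the author's domain.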