DKIM signatures from google groups

Greg Troxel gdt at lexort.com
Fri Feb 2 09:24:58 PST 2024


Sandro Santilli <strk at kbt.io> writes:

> This is coming from my unanticipated (almost, see [1]) change in mailman
> configuration for the osgeo-discuss mailing list having triggered contrary
> reactions [2]:
>
>   [1] https://lists.osgeo.org/pipermail/discuss/2024-January/040048.html
>   [2] https://lists.osgeo.org/pipermail/discuss/2024-January/040058.html

Looking at reactions, it seems like complaints are

  my spam filtering is putting @kbt.io into spam (with *pure
  speculation* that it is about spf/dkim)  [and, if someone's spam
  filtering does this, and a human looking at the mail can't say that it
  is spam or spammy, then the filtering is wrong and should be fixed]

  people don't want to make the effort to filter on List-Id instead of
  subject prefixes

  a rant that fixing the list to behave properly (my view) is bad
  because the real issue is $BIGCOMPANY being heavyhanded about email --
  which I find bizarre but perhaps is a reaction to "the old way is
  broken relative to established standards including DKIM/SPF".
  Especially since the real issue seems to be bad implementations of MUAs
  that don't handle List-Id filtering and display help for users,
  leading to wanting subjects broken for all!

  Remarkably large number of "I'm taking my toys and going home",
  presumably about subject munging, as if not doing subject munging is
  somehow the most important thing.

  reply MUA does not go to the list [but they are wrong to complain;
  with the fixed config it is behaving as the standards document it to
  be, and it was wrong before]

and the big point

  nobody complaining seems to have any understanding of the DKIM
  problem, and nobody seems to care about anything other than "I want a
  subject tag".  There's no evidence of balancing of concerns.

It's just not possible to have all of

  valid From: fields
  mail delivery (from users with DMARC policies, or to aggressive receivers)
  modified subject

at the same time.  I don't think the people complaining understand that.
It may be that they do and they only care about their filtering, and
don't care about others getting fake From: and others suffering from
"reply" doing the wrong thing.  I personally see fake From: and
reply-goes-to-list as very serious.

> And from my observation that changing From also makes it harder for MUAs
> to verify GPG signatures:
>
>   [3] https://lists.osgeo.org/pipermail/discuss/2024-January/040091.html

Indeed.  It's just part of "modifying email is bad".

> Javier observed that google groups do not have broken DKIM signatures
> and sent me full header of one mail, which I tried to interpret turning
> the mail into a SAC thread to see if anyone would want to change
> recommended setup [4] based on the reactions and new findings.
>
>   [4] https://trac.osgeo.org/osgeo/ticket/3011#comment:23

I think that's quite a different situation and shouldn't be conflated.

The primary use of DKIM is for a domain that originates mail, so that
those receiving mail with a From: can look up to see if it was sent, and
treat it at least suspiciously if the signature check fails, and to
outright reject if there is a DMARC policy.

A secondary use of DKIM is for a domain that does mailinglists to sign
mail that was emitted by the list, so that receivers can say "if
googlegroups sent it to me, don't filter to spam", sort of delegating
some spam checking.  When a domain does this, and that domain also
modifies headers or body (which they shouldn't), then it can modify
first and then sign.  So "google groups have signatures that are not
broken" is simply "they compute their signature after they break their
message".

There is an important point not mentioned.  If the osgeo lists are going
to compute/insert a DKIM header saying it was handled by the list, that
really needs to be from a different domain than osgeo.org.  It is
reasonable for someone to do

  welcomelist_from_dkim *@osgeo.org

on the theory that any spam emanating from osgeo.org is due to a
compromised account which should be rare and if so addressed
immediately.  But that should be separable from the list mail.  So if
you do add DKIM from the list, then it would be signed for e.g. the
lists.osgeo.org domain.

Also, in fact there is a standard for handling this sort of thing: ARC

  https://datatracker.ietf.org/doc/html/rfc8617

which I don't fully grasp, but it is about a forwarding entity not only
putting on a signature but attesting that they checked in the incoming
signature.  I see this happening in the outlook.com world.



So a candidate addition is:

  osgeo mailing lists should be configured, in addition to the above to
  compute and insert a DKIM header for the domain lists.osgeo.org.  NB:
  It is critical from a security viewpoint that DKIM signatures added to
  the list not use the osgeo.org domain, as list content is not
  necessarily originated by a person with an osgeo.org email address.

but I see it as a very minor point.
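
Added example, not part of the message above: a sketch of why a subject tag or list footer invalidates the author's DKIM signature, while a list that signs after modifying still produces a signature that verifies. It computes only the RFC 6376 "relaxed" canonical inputs to a signature (no RSA check); the addresses, messages and the signed-header list are constructed for illustration.

```python
import base64, hashlib, re
from email import message_from_string

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def relaxed_body_hash(body):
    """RFC 6376 3.4.4 body canonicalization, returned as a bh= value."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip() for l in body.splitlines()]
    while lines and lines[-1] == "":
        lines.pop()                      # trailing empty lines are ignored
    canon = "".join(l + "\r\n" for l in lines).encode()
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def broken_by_list(original, delivered, signed_headers):
    """Signed parts of `original` that no longer match in `delivered`."""
    before = message_from_string(original)
    after = message_from_string(delivered)
    changed = [h for h in signed_headers
               if relaxed_header(h, before.get(h, ""))
               != relaxed_header(h, after.get(h, ""))]
    if relaxed_body_hash(before.get_payload()) != relaxed_body_hash(after.get_payload()):
        changed.append("body")
    return changed

# Constructed sample messages (not taken from any real list).
ORIGINAL = (
    "From: Author <author@example.org>\n"
    "To: discuss@lists.example.net\n"
    "Subject: DKIM and list footers\n"
    "\n"
    "Body text as the author sent it.\n"
)
# List that only adds headers the author never signed.
PASS_THROUGH = "List-Id: <discuss.lists.example.net>\n" + ORIGINAL
# List that keeps From: but adds a subject tag and a footer.
MUNGED = (PASS_THROUGH
          .replace("Subject: ", "Subject: [discuss] ")
          + "_______________\ndiscuss mailing list\n")
SIGNED = ["from", "to", "subject"]       # assumed h= list of the author's signature

if __name__ == "__main__":
    print("pass-through breaks:", broken_by_list(ORIGINAL, PASS_THROUGH, SIGNED))
    print("munging breaks:     ", broken_by_list(ORIGINAL, MUNGED, SIGNED))
```

A list signature computed over MUNGED covers the already-modified subject and body, which is why it verifies even though the author's signature no longer does.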

