[linuxjobs] [ADMINISTRIVIA] From: address munging now enabled due to rejections for broken DKIM

Andy Smith andy at bitfolk.com
Sat Mar 18 01:14:20 UTC 2023


Hi,

TL;DR:

A number of subscribers to this list have mail systems that appear to be
rejecting emails that have broken DKIM signatures, so to avoid this
I've had to switch on the Mailman setting that sets the From:
address to always be the list. I appreciate that this can be a
little confusing, but people are getting automatically unsubscribed
for having seemingly non-working addresses.

More info:

Recently quite a few subscribers have had their subscriptions
automatically paused because they have been rejecting posts from the
list. While in some cases there has been no clue as to why, some of
the rejections do make it clear that it's because of failed DKIM
signatures.

When Mailman adds its footer text and subject line prefix and then
passes on the email with the poster's email address as the From:
address, it breaks any DKIM signature that the poster's mail system
may have added.

Although it is against RFC recommendations to reject email purely
for having broken DKIM signatures (RFC 6376 §6.3), it is clear that
some recipients are doing so.

It is tempting to let users of these misbehaving email systems cope
with the consequences, but perhaps counter-productive for the sake
of posters who want their posts to be received by as many people as
possible, and also the list admins do not want the burden of having
to explain why someone's subscription has been disabled.

This Mailman already is set to munge the From: address in this way
when a poster's domain indicates in its DMARC policy that it wishes
for DMARC failures to be rejected¹. However in this case the poster
domains don't appear to have any DMARC policy at all, so the
recipients must only be going by the failure of DKIM.

The option of removing the list footer and any subject line
modification was considered, as this should then allow most posts to
retain working DKIM signatures², but I consider the list footer and
subject line prefix to be too valuable for less advanced email
users.

The only other option would be to include the original email as an
attachment inside a new email sent from the list's address. While
that works well in capable email software, it is again quite
confusing in the more general case.

So here we are.

Thanks,
Andy

¹ In theory DMARC failures shouldn't happen as if either SPF *or*
  DKIM succeeds then DMARC is supposed to succeed, and
  mailman.lug.org.uk does have SPF records. But anyway…

² Against all sensible advice some sending email systems *do* sign
  headers like List-Id:, so there would still be some occasional
  DKIM failure.
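
An added illustration, not part of the original post and not Mailman's code: a minimal Python sketch of RFC 6376 "relaxed" canonicalization, showing why an appended footer changes the body hash (bh=) and why a subject prefix changes the signed header input. The sample message, footer and list name are constructed, and it assumes the poster's signature covers Subject: and has no l= body length tag.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace to one space, strip trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """The value a verifier recomputes and compares with the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse whitespace
    return f"{name.strip().lower()}:{value}\r\n".encode()


# Constructed sample: the message as the poster's mail system signed it.
ORIGINAL_SUBJECT = "Sysadmin role"
ORIGINAL_BODY = b"Hi,\r\n\r\nWe are hiring a sysadmin.  \r\n\r\n\r\n"

# Constructed list modifications: subject prefix and appended footer.
LIST_SUBJECT = "[example-list] " + ORIGINAL_SUBJECT
LIST_BODY = ORIGINAL_BODY + b"-- \r\nexample-list mailing list\r\n"


def broken_by_list() -> dict:
    """Which signed inputs differ after the list has modified the message."""
    return {
        "bh": body_hash(ORIGINAL_BODY) != body_hash(LIST_BODY),
        "subject": relaxed_header("Subject", ORIGINAL_SUBJECT)
        != relaxed_header("Subject", LIST_SUBJECT),
    }


if __name__ == "__main__":
    print("bh as signed:   ", body_hash(ORIGINAL_BODY))
    print("bh after footer:", body_hash(LIST_BODY))
    print("broken inputs:  ", broken_by_list())
```

Relaxed canonicalization only forgives whitespace changes, so trailing blank lines or re-spaced text leave the hash intact, while any added footer line or subject prefix does not.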