
List:       mailman-users
Subject:    Re: [Mailman-Users] DKIM best practise
From:       Mark Sapiro <mark () msapiro ! net>
Date:       2015-06-23 5:02:37
Message-ID: 5588E86D.7080708 () msapiro ! net

On 06/21/2015 08:58 PM, Stephen J. Turnbull wrote:
> Yasir Assam writes:
> 
>  > I noticed that this list, mailman-users@python.org, doesn't add a
>  > DKIM header unless the list itself generates the email, i.e. the
>  > email you sent to this list only has your DKIM header
>  > (d=msapiro.net), whereas the original welcome email has DKIM with
>  > d=python.org.
> 
> IIUC, Mark has input into, but does not control, policy on
> mail.python.org.  People have different experience with, and therefore
> opinions on policy, about these things.


Steve's understanding is correct.


> As Mark already said, according to the standards it is correct and
> good practice to add a DKIM signature to every message you process
> outside of the MTA and then reinject into the Internet mail system.
> In more friendly terms, if you simply pass on the message *exactly* as
> received except for adding "Received" and "List-Post" to the front of
> the message, you don't need to DKIM sign but it doesn't hurt.  But if
> you change the message (eg, by adding a list signature or by adding
> the list name to the Subject field), you *should* DKIM sign.


Right.

But, we are actually dealing with two issues here: DKIM signing as a
general practice and DKIM signing specifically to address DMARC issues.

Yes, it is good practice to DKIM sign for your domain all mail which is
sent by servers in your domain. You are essentially saying yes, I made
transformations to this message that broke its original DKIM signature,
but I am taking responsibility for this message and if my DKIM sig is
valid, I vouch for this mail.

DMARC however puts a more stringent requirement on a message. It says
that if a message is From: a domain that publishes a DMARC policy, and
there isn't a valid SPF or DKIM signature whose domain 'aligns' (i.e. is
the same as in some sense) with the domain in the From: address,
recipients should handle the message in accord with the From: domain's
DMARC policy.

Thus, as a mailing list that makes modifications to messages that break
DKIM sigs, it doesn't help a message From: ...@yahoo.com pass DMARC for
me to DKIM sign it with my domain unless I also change the From: address
to my domain or at least to a domain without a DMARC policy other than
"none".

-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/mailman-users%40progressive-comp.com
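The distinction Mark draws above (a valid DKIM signature from the list's own domain versus one that *aligns* with the From: domain) is easy to check mechanically. The following is an added example, not code from Mailman or from python.org: a small DMARC alignment evaluator in the style of RFC 7489, run over three constructed authentication results for a list that modifies messages. The policy records, the msapiro.net/yahoo.com domains and the "organizational domain" heuristic are all assumptions made for the illustration; a real receiver would look up the From: domain's `_dmarc` TXT record and use the Public Suffix List.

```python
"""DMARC alignment check, added as an illustration of the thread above.
Example code only; policies and authentication results are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResults:
    """Authentication results a receiver has already computed for one message."""
    from_domain: str                  # domain of the RFC 5322 From: header
    spf_pass_domain: Optional[str]    # MAIL FROM domain SPF passed for, or None
    dkim_pass_domains: list           # d= of every DKIM signature that verified


@dataclass
class DmarcPolicy:
    p: str            # requested disposition: none, quarantine or reject
    adkim: str = "r"  # DKIM alignment mode: r(elaxed) or s(trict)
    aspf: str = "r"   # SPF alignment mode


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: real receivers use the Public Suffix List, so a domain
    like 'example.co.uk' is not handled correctly by this shortcut."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed needs
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(results: AuthResults, policy: Optional[DmarcPolicy]) -> dict:
    """Return alignment details, the DMARC verdict and the disposition a
    receiver honouring the From: domain's policy would apply."""
    if policy is None:  # From: domain publishes no DMARC record
        return {"spf_aligned": False, "dkim_aligned": False,
                "dmarc_pass": None, "disposition": "deliver"}
    spf_ok = results.spf_pass_domain is not None and aligned(
        results.spf_pass_domain, results.from_domain, policy.aspf)
    # Any one aligned, verifying DKIM signature is enough; the list's own
    # d= only counts if it shares the From: organizational domain.
    dkim_ok = any(aligned(d, results.from_domain, policy.adkim)
                  for d in results.dkim_pass_domains)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed,
            "disposition": "deliver" if passed else policy.p}


# Constructed stand-in policies (not fetched from DNS).
POLICIES = {
    "yahoo.com": DmarcPolicy(p="reject"),
    "msapiro.net": DmarcPolicy(p="none"),
}


def scenario_list_resigns_only() -> dict:
    """The list tagged the Subject and added a footer, breaking the author's
    yahoo.com signature, then signed with its own domain. SPF passes for the
    list's MAIL FROM. Nothing aligns with From: yahoo.com, so p=reject applies."""
    r = AuthResults(from_domain="yahoo.com",
                    spf_pass_domain="msapiro.net",
                    dkim_pass_domains=["msapiro.net"])
    return evaluate_dmarc(r, POLICIES.get(r.from_domain))


def scenario_from_rewritten() -> dict:
    """Same modified message, but the list rewrote From: to its own domain,
    so the list's signature and SPF now align."""
    r = AuthResults(from_domain="msapiro.net",
                    spf_pass_domain="msapiro.net",
                    dkim_pass_domains=["msapiro.net"])
    return evaluate_dmarc(r, POLICIES.get(r.from_domain))


def scenario_unmodified_passthrough() -> dict:
    """The list forwarded the message without touching the signed parts, so the
    author's own yahoo.com signature still verifies and aligns."""
    r = AuthResults(from_domain="yahoo.com",
                    spf_pass_domain="msapiro.net",
                    dkim_pass_domains=["yahoo.com", "msapiro.net"])
    return evaluate_dmarc(r, POLICIES.get(r.from_domain))


if __name__ == "__main__":
    for scenario in (scenario_list_resigns_only, scenario_from_rewritten,
                     scenario_unmodified_passthrough):
        print(scenario.__name__, scenario())
```

Running it shows the first scenario failing DMARC with disposition `reject` despite a perfectly valid list signature, while the other two pass: the list's signature helps only once the From: domain is one the signature can align with, which is exactly the point of the last paragraph above.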