Andrei Borzenkov wrote:
Right now, as you already noted, Mailman adds a footer which always invalidates the original DKIM signature.
Yup.
And SPF is fundamentally incompatible with DMARC. Still apparently messages are not bounced, right? If the body is altered anyway, does it matter if you also alter the header additionally?
Nope, that does not matter - invalid is invalid, it can't get any more invalid :-)
Still apparently messages are not bounced, right?
Some _are_ being quarantined, e.g. by Google. See my reply further down.
As others noted, it's mostly a matter of serializing any modification in a correct order, isn't it?
Not quite, no. The only real alternative we have is to sign the redistributed messages ourselves, but now the message will be coming from the list, not from the original sender. This option was dismissed as being the least user-friendly.
Actually the real alternative seems to be ARC (Authenticated Received Chain), at least long term. As mentioned in
https://dmarc.org/2019/07/arc-protocol-published-as-rfc-8617/
Mailman seems to support it.
I have not yet looked at ARC, it is very new I believe. Also, this whole DMARC debacle is being driven by SUSE, not openSUSE.
Especially given that Mailman adds a complete footer to every mail (for good reasons). Why is it okay to alter the body, but not the subject? Any alterations had to be done before calculating the hashes anyway.
Don't worry, the footer will be going away too. I have just not yet managed to find the magic mailman incantation that lets me override the default footers. (no joke, my overrides simply don't work).
Still - why does it not cause bounces even though openSUSE lists apparently stopped stripping off DKIM-Signature which are invalidated?
It is a very good point, one I have hesitated bringing up myself. Frankly, I have my serious doubts about the true efficiency of DMARC. The large providers may well implement DMARC, certainly, but around the world there will be a gazillion of smaller providers and mailservers that simply don't care or do not have the staff with appropriate technical skills.

--
Per Jessen, Zürich (1.9°C)
Member, openSUSE Heroes
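
Added example, not part of the original thread: a Python sketch of the DKIM body-hash check (`bh=`, relaxed canonicalization per RFC 6376) showing why an appended list footer invalidates the sender's signature while trailing blank lines do not. The message body, footer text, domain, selector and the empty `b=` value are constructed for illustration, and the sketch assumes the signature carries no `l=` body-length tag.

```python
import base64
import hashlib
import re


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    body = re.sub(rb"\r?\n", b"\r\n", body)            # normalise line endings to CRLF
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")  # collapse WSP runs, strip trailing WSP
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":                   # ignore empty lines at end of body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """Value a signer places in bh= for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags


def body_hash_matches(sig_value: str, delivered_body: bytes) -> bool:
    """First check a verifier makes: does bh= still describe the body that arrived?"""
    return parse_tags(sig_value).get("bh") == body_hash(delivered_body)


# Constructed sample data (not taken from the thread).
ORIGINAL = b"Hello list,\r\n\r\nDoes the footer matter?\r\n"
FOOTER = b"-- \r\nTo unsubscribe, e-mail: list+unsubscribe@example.org\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; "
             f"h=from:subject:date; bh={body_hash(ORIGINAL)}; b=")  # b= left empty

if __name__ == "__main__":
    print("as sent:           ", body_hash_matches(SIGNATURE, ORIGINAL))
    print("extra blank lines: ", body_hash_matches(SIGNATURE, ORIGINAL + b"\r\n\r\n"))
    print("with list footer:  ", body_hash_matches(SIGNATURE, ORIGINAL + FOOTER))
```

Only the body hash is compared here; a full verifier would go on to check the `b=` signature over the headers listed in `h=`, which is where a rewritten Subject would fail.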