[heroes] RFC - removing DKIM signatures on mailing lists ?
Some/many people use DKIM signatures when posting to our lists, with or without their knowledge. Once we have received a message, we make some modifications - change Subject, append text, remove headers, which invalidates the signature, potentially causing a reject.

I was wondering if anyone had any thoughts on $SUBJ ? as far as I can see, it could potentially improve on the current situation, although I have not heard of many problems. I suspect most mail admins are well aware of the issue with mailing lists and DKIM, DMARC et al.

As an experiment, I have already implemented $SUBJ for a couple of our lists, opensuse, opensuse-support and opensuse-factory.

--
Per Jessen, Zürich (17.9°C)
Member, openSUSE Heroes

--
To unsubscribe, e-mail: heroes+unsubscribe@opensuse.org
To contact the owner, e-mail: heroes+owner@opensuse.org

On 01/10/2020 13.14, Per Jessen wrote:
> Some/many people use DKIM signatures when posting to our lists, with or without their knowledge. Once we have received a message, we make some modifications - change Subject, append text, remove headers, which invalidates the signature, potentially causing a reject.
>
> I was wondering if anyone had any thoughts on $SUBJ ? as far as I can see, it could potentially improve on the current situation, although I have not heard of many problems. I suspect most mail admins are well aware of the issue with mailing lists and DKIM, DMARC et al.
>
> As an experiment, I have already implemented $SUBJ for a couple of our lists, opensuse, opensuse-support and opensuse-factory.

btw: we started to DKIM sign mails from suse.com and noticed that opensuse MLs are among those that break the signatures.

There is a proposal that we stop signing the "Subject" header, which would make it easier to keep the signature valid.

Why do we remove headers? Are those signed?

we currently sign

  h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
    to:to:cc:mime-version:mime-version:content-type:content-type:
    content-transfer-encoding:content-transfer-encoding:
    in-reply-to:in-reply-to:references:references;

and then MLs could stop appending text. It was already adding garbage to base64-encoded mails

Bernhard M. Wiedemann wrote:
> btw: we started to DKIM sign mails from suse.com and noticed that opensuse MLs are among those that break the signatures.

Yep, that's also why I am asking :-)

> There is a proposal that we stop signing the "Subject" header, which would make it easier to keep the signature valid.
>
> Why do we remove headers? Are those signed?

It's a good question - these are the ones we remove (by default):

  Return-Receipt-To:
  Content-Length:
  X-Confirm-Reading-To:
  X-rmrqc:
  List-Subscribe:
  Notice-Requested-Upon-Delivery-To:
  Disposition-Notification-To:
  Registered-Mail-Reply-Requested-By:
  X-Priority:
  Precedence:
  List-Post:
  List-Help:
  List-Owner:
  List-Unsubscribe:
  X-Mailinglist:
  X-MIME-Notice:

--
Per Jessen, Zürich (19.4°C)
Member, openSUSE Heroes
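
Added example (not part of the thread and not the list software's code): a check of the quoted h= tag against the headers the list removes, to show which header edits touch signed fields. The sample message in PRESENT is constructed, the function names are hypothetical, and only header edits are covered; appended footer text changes the body instead.

```python
from collections import Counter

# h= value exactly as quoted in the thread (folding whitespace included).
SIGNED_H = ("from:from:reply-to:subject:subject:date:date:message-id:message-id: "
            "to:to:cc:mime-version:mime-version:content-type:content-type: "
            "content-transfer-encoding:content-transfer-encoding: "
            "in-reply-to:in-reply-to:references:references;")

# Headers the list removes by default, as listed in the thread.
LIST_REMOVES = """Return-Receipt-To Content-Length X-Confirm-Reading-To X-rmrqc
List-Subscribe Notice-Requested-Upon-Delivery-To Disposition-Notification-To
Registered-Mail-Reply-Requested-By X-Priority Precedence List-Post List-Help
List-Owner List-Unsubscribe X-Mailinglist X-MIME-Notice""".split()

# Constructed sample: header names present (once each) in a message when signed.
PRESENT = Counter(["from", "to", "subject", "date", "message-id",
                   "mime-version", "content-type", "x-priority", "precedence"])

def parse_h(value):
    """Count how often each header name is listed in a DKIM h= tag."""
    names = (n.strip().lower() for n in value.rstrip(";").split(":"))
    return Counter(n for n in names if n)

def breaks_signature(op, header, signed, present):
    """True if a header edit ('remove', 'change' or 'add') invalidates the
    signed header hash. Assumes a removed or changed instance is one the signer
    covered, and that added instances are prepended above existing ones."""
    name = header.lower()
    if op in ("remove", "change"):
        return signed[name] > 0 and present[name] > 0
    if op == "add":
        # An h= entry with no matching instance signs the header as absent,
        # so an instance added later is picked up by the verifier and fails.
        return signed[name] > present[name]
    raise ValueError(f"unknown operation: {op}")

def list_impact(signed, present):
    """Classify the list's edits: which removals break, and the subject tag."""
    return {
        "removals_that_break": [h for h in LIST_REMOVES
                                if breaks_signature("remove", h, signed, present)],
        "subject_change_breaks": breaks_signature("change", "Subject", signed, present),
        "added_list_header_breaks": breaks_signature("add", "List-Unsubscribe", signed, present),
    }

if __name__ == "__main__":
    print(list_impact(parse_h(SIGNED_H), PRESENT))
```

With this h= tag none of the default removals touch a signed field; the Subject change does, and the doubled names (from:from and so on) mean an extra instance of those headers would also fail verification.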