On 01/10/2020 13.14, Per Jessen wrote:
Some/many people use DKIM signatures when posting to our lists, with or without their knowledge. Once we have received a message, we make some modifications - change Subject, append text, remove headers, which invalidates the signature, potentially causing a reject.
I was wondering if anyone had any thoughts on $SUBJ ? as far as I can see, it could potentially improve on the current situation, although I have not heard of many problems. I suspect most mail admins are well aware of the issue with mailing lists and DKIM, DMARC et al.
As an experiment, I have already implemented $SUBJ for a couple of our lists, opensuse, opensuse-support and opensuse-factory.
btw: we started to DKIM sign mails from suse.com and noticed that opensuse MLs are among those that break the signatures. There is a proposal that we stop signing the "Subject" header, which would make it easier to keep the signature valid. Why do we remove headers? Are those signed? we currently sign h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; and then MLs could stop appending text. It was already adding garbage to base64-encoded mails