Re: injected body trailers
From: Konstantin Ryabitsev <hidden>
Date: 2021-10-21 22:59:17
Also in:
tools
On Thu, Oct 21, 2021 at 10:42:46PM +0100, David Woodhouse wrote:
> (I realize now that all the mail from linux-arm-kernel has been getting dropped into my Spam folder -- I normally don't notice since I'm usually CCed directly or via some other list on things I wanted to see.)
>
> 3) Are there other lists for which lore is collecting emails where DKIM is persistently broken, and can we fix those lists too?
>
> I would also note that lists.infradead.org should not really be adding its own DKIM signature to messages it sends out. It doesn't really serve any purpose unless the From: header is rewritten (but please don't do that either).
>
> No, it matches the Sender: header, which is the entity that actually submitted the mail to the system (as opposed to the possibly multiple entities listed in the From: header, which are merely authors of the message).
I know that's how it was envisioned to work (it's in the DKIM RFC as recommendation for mailing list operators), but this didn't make it into the DMARC standard -- DMARC intentionally ignores the Sender: header and will *always* look at the From: header when performing DKIM validation. (https://datatracker.ietf.org/doc/html/rfc7489#appendix-A.3)

It was a bad idea in the first place, if you think about it. I can take any message, add a Sender: header for the domain that I control and force the validating system to check the DKIM-Signature header that I injected instead of the signature from the originating domain, thus making any message I touch pass DMARC verification.

So, I have to double down on my statement that adding a lists.infradead.org DKIM signature doesn't actually serve any purpose, at least not when it comes to appeasing DMARC filters.

-K
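The alignment rule discussed in this message, as an added example (not code from the thread or from any DMARC implementation): it checks which verified DKIM `d=` domains align with From: and compares that with a hypothetical Sender:-based check. The sample message, the `example.org` author domain, the verification results and the two-label organizational-domain shortcut are all constructed assumptions; no cryptographic verification is performed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: list-relayed mail carrying the author's and the list's signatures.
RAW = """\
From: Author <author@example.org>
Sender: linux-arm-kernel-bounces@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; d=lists.infradead.org; s=list; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=author; bh=CONSTRUCTED; b=CONSTRUCTED
Subject: constructed sample

Patch text, followed by a footer the list appended.
"""
MSG = email.message_from_string(RAW)

# Constructed verification results: the appended footer broke the author's body hash.
FOOTER_ADDED = {"lists.infradead.org": True, "example.org": False}
UNMODIFIED = {"lists.infradead.org": True, "example.org": True}


def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def header_domain(msg, name):
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()


def signing_domains(msg):
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if m:
            found.append(m.group(1).lower())
    return found


def aligned_pass(msg, verified, identity_header="From", strict=False):
    """True if a verified signature's d= aligns with identity_header's domain."""
    ident = header_domain(msg, identity_header)
    norm = (lambda d: d) if strict else org_domain
    return bool(ident) and any(
        norm(d) == norm(ident) for d in signing_domains(msg) if verified.get(d))


if __name__ == "__main__":
    print("DMARC (From:), footer added:", aligned_pass(MSG, FOOTER_ADDED))
    print("Sender:-based, footer added:", aligned_pass(MSG, FOOTER_ADDED, "Sender"))
    print("DMARC (From:), unmodified:  ", aligned_pass(MSG, UNMODIFIED))
```

With the footer added, the only verified signature is the list's, which aligns with Sender: but not with From:, so the From:-based check fails while the Sender:-based one would pass for whoever set that header.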