[Mailman-Developers] DomainKeys support

Stephen J. Turnbull stephen at xemacs.org
Fri Aug 5 07:49:39 CEST 2005


>>>>> "Nadim" == Nadim Shaikli <shaikli at yahoo.com> writes:

    Nadim> I've noticed of late that emails sent by yahoo users that
    Nadim> get relayed by mailman end-up without the domainkey header
    Nadim> entry and thus in various yahoo users' bulk (ie. spam)
    Nadim> folder.  Is there anything that can be done to remedy this
    Nadim> issue ?  Can a site's mailman application add a locally
    Nadim> qualified domainkey entry header (or keep the original
    Nadim> entry as-is) ?

According to the DomainKeys FAQ:

   How does DomainKeys work with mailing lists?

   Mailing lists that do not change the content or re-arrange or append
   headers will be DomainKey compatible with no changes required. Mailing
   lists that change the message and headers should re-sign the message
   with their own private key and claim authorship of the message.

Unfortunately, standard mailing lists will change/append certain
headers, breaking the signature.  Specifically, Mailman does change
the Sender header, which means DomainKeys can't just pass through.
You need to re-sign.[1]

Based on that page, AFAICT it would be a bad idea for list management
software like Mailman to support DomainKeys itself[2], except that it
should optionally be configured to check for DomainKeys flags from the
incoming MTA, and optionally submit the mail to the DomainKeys
submission service port instead of SMTP for outgoing mail.  Mailman
supports both of those configurations already.  Then you should get an
MTA that supports DomainKeys (see the DomainKeys FAQ for a list), and
you'll also have to fix up your DNS to publish the keys.

Note that it's unclear whether implementing DomainKeys yourself will
help very much, as it depends on whether the users care which domain
has been authenticated, or if simply proving that you're not a spoof
is enough.  Probably most users will just look for unspoofed mail and
let it through, and you'll be fine, but that depends on your user
base.  You may have to educate them to add your domain to the list
they accept.

Footnotes: 
[1]  It looks to me like "claim authorship" is in error.  As far as I
can tell from the DomainKeys page, DomainKeys verifies the sending
domain, not the author's domain, although the page refers to authors
and From several times.

[2]  Mailman is just one user of the typical system, and is not the
domain "owner".  Since DomainKeys authenticates domains rather than
users, it should be done by the domain's mail server, not by user mail
agents.  (You have to reconfigure the DNS even if the mailing list
manager does the signing, so even with signing implemented in Mailman
you would need very high administrative privilege to implement
DomainKeys.)

-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
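The mechanism the post describes (a list manager rewriting the Sender header breaks the origin domain's signature, so the list has to re-sign under its own domain) can be shown with a small constructed model. This is an added example, not code from the post, from Mailman or from any DomainKeys implementation: it replaces DomainKeys' RSA signature and DNS-published key with an HMAC keyed by a constructed secret, uses a simplified canonicalization instead of the real "simple"/"nofws" forms, and invents the header names, addresses and the relay_through_list() step purely for illustration.

```python
import hmac
import hashlib

# Constructed model of DomainKeys-style header signing. The HMAC is a stand-in
# for the RSA signature DomainKeys actually uses; the point is only to show
# that altering a signed header invalidates the origin signature and that
# the relaying list must sign again under its own domain.

SIGNED_HEADERS = ("From", "Sender", "To", "Subject")  # assumed header set


def canonicalize(headers, body):
    """Simplified canonical form (assumption: stand-in for the real
    DomainKeys canonicalization): selected headers in fixed order with
    lower-cased names and trimmed values, a blank line, then the body."""
    lines = []
    for name in SIGNED_HEADERS:
        value = headers.get(name)
        if value is not None:
            lines.append(f"{name.lower()}:{value.strip()}")
    return ("\n".join(lines) + "\n\n" + body).encode("utf-8")


def sign(headers, body, key, domain):
    """Return a copy of headers carrying a DomainKey-Signature for `domain`."""
    digest = hmac.new(key, canonicalize(headers, body), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["DomainKey-Signature"] = (
        f"d={domain}; h={':'.join(SIGNED_HEADERS)}; sig={digest}"
    )
    return signed


def parse_signature(header_value):
    """Split 'd=...; h=...; sig=...' into a dict of tag -> value."""
    return dict(part.strip().split("=", 1) for part in header_value.split(";"))


def verify(headers, body, key):
    """True only if the signature matches the current headers and body."""
    sig_header = headers.get("DomainKey-Signature")
    if sig_header is None:
        return False
    fields = parse_signature(sig_header)
    expected = hmac.new(key, canonicalize(headers, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(fields.get("sig", ""), expected)


def relay_through_list(headers):
    """Mimic the behaviour the post describes: the list rewrites Sender."""
    relayed = dict(headers)
    relayed["Sender"] = "list-bounces@lists.example.org"  # constructed value
    return relayed


def demo():
    # Constructed keys and message; no real secrets or addresses.
    origin_key = b"constructed-origin-domain-key"
    list_key = b"constructed-list-domain-key"
    body = "Hello list\n"
    original = {
        "From": "user@origin.example",
        "Sender": "user@origin.example",
        "To": "list@lists.example.org",
        "Subject": "test",
    }
    signed = sign(original, body, origin_key, "origin.example")
    relayed = relay_through_list(signed)          # Sender changed by the list
    resigned = sign(relayed, body, list_key, "lists.example.org")
    return {
        "original_verifies": verify(signed, body, origin_key),
        "relayed_verifies_with_origin_key": verify(relayed, body, origin_key),
        "resigned_verifies_with_list_key": verify(resigned, body, list_key),
        "resigned_domain": parse_signature(resigned["DomainKey-Signature"])["d"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second result is the failure the post is about: once Sender is rewritten, the origin domain's signature no longer verifies, and passing it through unchanged cannot help. The third and fourth results show the remedy the FAQ prescribes: the list signs again, and the signature now names the list's domain, which is why the post notes that recipients must decide whether an authenticated list domain (rather than the author's domain) is good enough for them.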

