[Mailman-Developers] feature request: one-click setting to preserve DKIM

Murray S. Kucherawy msk at cloudmark.com
Tue Dec 6 20:54:01 CET 2011


> -----Original Message-----
> From: mailman-developers-bounces+msk=cloudmark.com at python.org [mailto:mailman-developers-bounces+msk=cloudmark.com at python.org] On Behalf Of Terri Oda
> Sent: Tuesday, December 06, 2011 11:36 AM
> To: mailman-developers at python.org
> Subject: Re: [Mailman-Developers] feature request: one-click setting to
> preserve DKIM
> 
> There were a lot of "it depends" in your email, so maybe I've mis-read,
> but it sounds to me like the long-term path of least user/list admin
> hassle for Mailman probably is to just re-sign the messages.  Except
> that there's no standard for third parties doing re-signing, and no
> one's sure how to interpret it if we do?

Right, except for the last bit.  The common practice at the moment is to evaluate (the reputation of) any DKIM domain whose signatures survive transit.  They are the only bits of the message guaranteed to be "true" in some way (except maybe the details of the last Received: field, because it's yours).  In the case of author-signed mail transiting a list that re-signs, it's most likely I'll get the latter, but I might also get the former.  This is basically what RFC6377 says.

There is some automatic, intuitive desire to evaluate the message's author domain rather than the message's re-signer domain(s).  That's why there's all this pressure to tweak MLMs and other components of the infrastructure to permit author domain signatures to survive to the ultimate recipient.  DKIM doesn't require this, but intuition would really like it to be so.

It's not really true that "it depends" permeates DKIM's definition.  It's pretty clear what DKIM does and doesn't do.  But there's a lot of need for stuff just outside the edges of what DKIM does.  That's what's creating all this activity around MLMs, reputation, and other adjacent topics.

> Which is a pity, because this seems like a great opportunity for us to
> trailblaze and help correct a mistaken assumption in DKIM.

Which assumption is that?

-MSK
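
An added illustration (not part of the original message, and not Mailman code) of which DKIM domains a receiver is left to evaluate after a re-signing list. It models only the body-hash (`bh=`) half of RFC 6376 verification with simple body canonicalization; the domains, body, footer and helper names are constructed, and `b=` is a placeholder, so no signature or DNS key check is performed.

```python
import base64
import hashlib
import re

def body_hash(body: bytes) -> str:
    # RFC 6376 "simple" body canonicalization: drop trailing empty lines, end with one CRLF
    canon = body.rstrip(b"\r\n") + b"\r\n"
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def parse_tags(value: str) -> dict:
    # Split a DKIM-Signature tag list (k=v; k=v) and drop whitespace inside values
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def sign_stub(domain: str, body: bytes) -> bytes:
    # Constructed, unfolded header; b= is a placeholder, not a real RSA signature
    return (f"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d={domain}; "
            f"bh={body_hash(body)}; b=PLACEHOLDER\r\n").encode()

def surviving_domains(raw: bytes) -> list:
    # d= domains whose bh= still matches the body as delivered
    head, _, body = raw.partition(b"\r\n\r\n")
    found = []
    for line in head.split(b"\r\n"):
        name, _, value = line.decode().partition(":")
        if name.lower() == "dkim-signature":
            tags = parse_tags(value)
            if tags.get("bh") == body_hash(body):
                found.append(tags["d"])
    return found

# Constructed sample data
BODY = b"Hello list,\r\nplease review the patch.\r\n"
FOOTER = b"_______________\r\nExample list footer\r\n"

def author_message() -> bytes:
    return sign_stub("author.example", BODY) + b"From: a@author.example\r\nSubject: hi\r\n\r\n" + BODY

def list_relay(raw: bytes, footer: bytes = FOOTER) -> bytes:
    # The list optionally appends a footer, then prepends its own signature
    head, _, body = raw.partition(b"\r\n\r\n")
    new_body = body + footer
    return sign_stub("list.example", new_body) + head + b"\r\n\r\n" + new_body

if __name__ == "__main__":
    print(surviving_domains(list_relay(author_message())))             # list modified the body
    print(surviving_domains(list_relay(author_message(), footer=b"")))  # list left the body alone
```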

