[Mailman-Users] DKIM best practise

Sun Jun 21 17:46:21 CEST 2015

On 06/20/2015 06:39 PM, Yasir Assam wrote:
> 
> I'm using mailman 2.1.18 on Debian Jessie with exim4. I have full
> personlisation and verp turned on.
> 
> What should I do about DKIM?
> 
> At the moment I preserve the original poster's DKIM header and my list's
> MTA also adds DKIM to all outgoing mail.

This is the good and is the best you can do.

> If I set from_is_list to Munge, hotmail users can't reply to the list,
> even when they hit Reply All (if I try doing Reply All from a hotmail
> account, I only see the sender's address, not the list address). If it
> wasn't for this hotmail problem, I'd probably prefer to have a munged
> from header.

With Munge From and Full Personalization, delivered posts will be From:
the list with Reply-To: the poster and To: the recipient. Hotmail is
taking the Reply-To: as overriding the From: even for reply-all and with
Full Personalization, the From: is the only header (other than
List-Post) with the list address.

> If I set from_is_list to No, the hotmail Reply All problem goes away,
> but now Yahoo-sent email ends up in Yahoo's spam (i.e. if
> bob at yahoo.com.au sends to list at example.com, bob receives the email he
> just posted in his spam folder, not in his inbox). I'm specifically
> talking about a yahoo.com.au address (I haven't tried yahoo.com yet).

Yahoo.com.au publishes DMARC p=none. Yahoo.com publishes DMARC p=reject.
Without some Munge From, Wrap Message or anonymous_list transformation,
yahoo.com mail will not be accepted by Yahoo, Hotmail and many other ISPs.

As far as the mail from yahoo.com.au ending up in spam, removing the
broken DKIM sig may help (REMOVE_DKIM_HEADERS = 2). It shouldn't matter
(see below), but it may help.

> Just to be clear, when from_is_list is No, the DKIM header I'm adding is
> for the list domain, e.g. if the list is list at example.com then
> d=example.com in my added DKIM header.

> Here's an example Authentication-Results added by a gmail subscriber
> receiving a post from a yahoo.com.au subscriber (names changed):
> 
> Authentication-Results: mx.google.com;
>        spf=pass (google.com: domain of
> list-bounces+bob=gmail.com at example.com designates x.x.x.x as permitted
> sender) smtp.mail=list-bounces+bob=gmail.com at example.com;
>        dkim=pass header.i=@example.com;
>        dmarc=fail (p=NONE dis=NONE) header.from=yahoo.com.au
> 
> So what is the recommended way of doing this? Should I not bother adding
> a DKIM header to mailman-sent emails? Should I strip the original DKIM
> header (REMOVE_DKIM_HEADERS) ?

What you are doing is correct and good practice. Removing incoming DKIM
headers probably won't help. The DKIM standard says an invalid DKIM
signature and no DKIM signature SHOULD be treated the same (RFC 6376/STD
76, sec 6.3)

> Is there any way I can get hotmail to reply to the list when the From:
> header is munged? Is munging considered bad form (when not mitigating
> DMARC reject policies)?

There are a few things you can do.

You can turn off Full Personalization which will leave the list address
in To: and Hotmail's reply-all should include it.

You can set reply_to_list to this list which will put the list address
in Reply-To: (along with the poster's address), but this will make it
more difficult to reply only to the poster as a simple reply will also
include the list.

There are some changes in this area in 2.1.19 (see
<https://bugs.launchpad.net/mailman/+bug/1407098>), but I don't think
they help your situation.

You could modify CookHeaders.py to add the poster's address to Cc:
rather than Reply-To: in your case.

You should also consider using dmarc_moderation_action rather than
from_is_list to only Munge From when 'necessary'.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan