[Mailman-Users] DKIM best practise

Stephen J. Turnbull stephen at xemacs.org
Mon Jun 22 05:58:05 CEST 2015 

Yasir Assam writes:

 > I noticed that this list, mailman-users at python.org, doesn't add a
 > DKIM header unless the list itself generates the email, i.e. the
 > email you sent to this list only has your DKIM header
 > (d=msapiro.net), whereas the original welcome email has DKIM with
 > d=python.org.

IIUC, Mark has input into, but does not control, policy on
mail.python.org.  People have different experience with, and therefore
opinions on policy, about these things.

As Mark already said, according to the standards it is correct and
good practice to add a DKIM signature to every message you process
outside of the MTA and then reinject into the Internet mail system.
In more friendly terms, if you simply pass on the message *exactly* as
received except for adding "Received" and 2List-Post" to the front of
the message, you don't need to DKIM sign but it doesn't hurt.  But if
you change the message (eg, by adding a list signature or by adding
the list name to the Subject field), you *should* DKIM sign.

 > On my list, I'm adding a DKIM header for the list domain, even
 > though the From: header isn't the list. In other words, if
 > alice at gmail.com posts to list at example.com, my MTA was still adding
 > a d=example.com DKIM header when resending her email via the list,
 > even when From: is alice at gmail.com.
 > 
 > Is it right to do this?

Yes.

 > I subscribed to mailman-users at python.org using a Yahoo address, and
 > interestingly, 2 emails ended up in spam (one of which was my original
 > post, which is from a non-yahoo address).

Yahoo and Hotmail are a child's garden of diseases when it comes to
their behavior in the mail system.  Outlook and Gmail also cause
problems.  It would be OK if there was only one 800 pound gorilla
around, you'd just adapt.  The problem is that there are several, and
they have conflicting requirements.  You can't satisfy them all.

 > This isn't quite true in my case. You're right about all the headers,
 > except that Mailman is adding a CC field with the list address.

I don't think that Mailman adds the CC:.

 > Given that CC contains the list address, you'd expect Hotmail to
 > include it as a recipient when doing Reply All, but it doesn't!

Then you can't workaround both Hotmail's broken MUA and yahoo.com's
idiotic DMARC policy, and provide full reply functionality to people
with decent MUAs.  There may be a workaround for both Hotmail's broken
MUA and yahoo.com.au's spam filtering policy, but we can't design one
without accurate information about yahoo.com.au's policy, and they are
very unlikely to provide it.

The only thing that will satisfy all parties is to turn off all list
decorations: no header or footer in the body, and no change to the
Subject field.

 > > You could modify CookHeaders.py to add the poster's address to Cc:
 > > rather than Reply-To: in your case.
 > 
 > If munging is on, and I put the poster address in CC: rather than
 > Reply-to: won't that mean a single Reply (not Reply All) will go to the
 > list address?

Yes.  It definitely won't go to the poster.

More information about the Mailman-Users mailing list