[Mailman-Users] DKIM best practise

Mark Sapiro mark at msapiro.net
Tue Jun 23 07:02:37 CEST 2015


On 06/21/2015 08:58 PM, Stephen J. Turnbull wrote:
> Yasir Assam writes:
> 
>  > I noticed that this list, mailman-users at python.org, doesn't add a
>  > DKIM header unless the list itself generates the email, i.e. the
>  > email you sent to this list only has your DKIM header
>  > (d=msapiro.net), whereas the original welcome email has DKIM with
>  > d=python.org.
> 
> IIUC, Mark has input into, but does not control, policy on
> mail.python.org.  People have different experience with, and therefore
> opinions on policy, about these things.


Steve's understanding is correct.


> As Mark already said, according to the standards it is correct and
> good practice to add a DKIM signature to every message you process
> outside of the MTA and then reinject into the Internet mail system.
> In more friendly terms, if you simply pass on the message *exactly* as
> received except for adding "Received" and "List-Post" to the front of
> the message, you don't need to DKIM sign but it doesn't hurt.  But if
> you change the message (eg, by adding a list signature or by adding
> the list name to the Subject field), you *should* DKIM sign.


Right.

But, we are actually dealing with two issues here: DKIM signing as a
general practice and DKIM signing specifically to address DMARC issues.

Yes, it is good practice to DKIM sign for your domain all mail which is
sent by servers in your domain. You are essentially saying yes, I made
transformations to this message that broke its original DKIM signature,
but I am taking responsibility for this message and if my DKIM sig is
valid, I vouch for this mail.

DMARC however puts a more stringent requirement on a message. It says
that if a message is From: a domain that publishes a DMARC policy, and
there isn't a valid SPF or DKIM signature whose domain 'aligns' (i.e. is
the same as in some sense) with the domain in the From: address,
recipients should handle the message in accord with the From: domain's
DMARC policy.

Thus, as a mailing list that makes modifications to messages that break
DKIM sigs, it doesn't help a message From: ... at yahoo.com pass DMARC for
me to DKIM sign it with my domain unless I also change the From: address
to my domain or at least to a domain without a DMARC policy other than
"none".

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
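The alignment rule Mark describes, worked through as a small evaluator. This is an added example, not code from the thread or from Mailman: the domains (sender.example, list.example), their DMARC records and the message scenarios are all constructed, and the organizational-domain reduction is a crude stand-in for the Public Suffix List lookup a real DMARC implementation performs.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed DMARC records keyed by From: domain. A real evaluator fetches
# the _dmarc.<domain> TXT record from DNS; these stand in for the example.
DMARC_RECORDS: dict[str, dict[str, str]] = {
    "sender.example": {"p": "reject", "adkim": "r", "aspf": "r"},
    "list.example":   {"p": "none",   "adkim": "r", "aspf": "r"},
}


def organizational_domain(domain: str) -> str:
    """Crude reduction to the last two labels (assumption: a real
    implementation consults the Public Suffix List instead)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class Message:
    from_domain: str              # domain of the RFC5322.From address
    dkim_pass_domains: list[str]  # d= of every DKIM signature that verified
    spf_pass_domain: str | None   # RFC5321.MailFrom domain if SPF passed


def evaluate_dmarc(msg: Message, records=DMARC_RECORDS) -> str:
    """Return 'no-policy', 'pass', or the published disposition
    ('none', 'quarantine', 'reject') when nothing aligned."""
    record = records.get(msg.from_domain.lower())
    if record is None:
        return "no-policy"  # From: domain publishes no DMARC record
    dkim_ok = any(is_aligned(d, msg.from_domain, record.get("adkim", "r"))
                  for d in msg.dkim_pass_domains)
    spf_ok = (msg.spf_pass_domain is not None and
              is_aligned(msg.spf_pass_domain, msg.from_domain, record.get("aspf", "r")))
    return "pass" if (dkim_ok or spf_ok) else record["p"]


# Scenario 1: the list altered the message (subject tag, footer), so the
# author's sender.example signature no longer verifies. The list signs with
# its own domain and its envelope sender passes SPF, but neither aligns
# with From: sender.example.
def list_modified_kept_from() -> str:
    return evaluate_dmarc(Message("sender.example", ["list.example"], "list.example"))


# Scenario 2: same modifications, but the list rewrote From: to its own
# domain, so its DKIM signature and SPF now align.
def list_modified_rewrote_from() -> str:
    return evaluate_dmarc(Message("list.example", ["list.example"], "list.example"))


# Scenario 3: the message passed through untouched, so the author's own
# signature still verifies alongside the list's.
def list_passed_through_untouched() -> str:
    return evaluate_dmarc(Message("sender.example",
                                  ["sender.example", "list.example"], "list.example"))


# Scenario 4: From: rewritten to a domain with no DMARC record at all.
def rewrote_from_to_unpublished_domain() -> str:
    return evaluate_dmarc(Message("nopolicy.example", ["list.example"], "list.example"))
```

Scenario 1 is the case in the thread: the list's signature is valid and vouches for the message, yet DMARC evaluation yields the From: domain's "reject" disposition because the only aligned identifier (the author's DKIM d=) was broken by the list's changes. Scenarios 2 and 4 are the two ways out Mark names (rewriting From: to the list's domain, or to one without an enforcing policy); scenario 3 shows that an unmodified relay needs no rescue.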

