[Mailman-Users] DKIM

Mark Sapiro mark at msapiro.net
Wed Dec 12 17:33:19 EST 2018 

On 12/12/18 11:35 AM, Bernie Cosell wrote:
> I have two questions about the DKIM/spf munging that mailman does.
> 
> First: when it replaces the 'from' with a munged address [replacing the name 
> with "name via thislist" does it stick the original email address somewhere in the 
> message, so if a listmember wanted to reply to the original sender they'd be able 
> to?  I thought it did but I just looked through one and didn't see the poster's 
> original email.  [actually, let me amend that: I see that his email addr is in the 'cc' 
> field -- did mailman do that or did he?]


Mailman did that. Mailman puts the original From: address in either Cc:
or Reply-To:; which one depends on other list settings. The intent is
that a reasonably comliant MUA will do the same thing with 'reply' and
'reply all' whether or not the From: is munged.

This generally means the original From goes in Reply-To: unless the list
mungs the Reply-To: in which case it goes in Cc:


> Second, I'm a bit shaky [to say the least..:o)] about how the DKIM stuff all works.  
> I do have access to Unix shell account, so I can do dig and host and such.   If a 
> listmember asks me if "@randomserver.com" is OK to not-get-munged when it 
> posts to the list, what would I do?    Thanks


This is actually, DMARC, not DKIM per se, but use 'dig' or some other
DNS query tool to look up a TXT record associated with the name
_dmarc.randomserver.com. For example

dig txt _dmarc.aol.com

finds

"v=DMARC1; p=reject; pct=100; rua=mailto:d at rua.agari.com;
ruf=mailto:d at ruf.agari.com;"

host -t txt _dmarc.aol.com

returns the same text.

What you are looking for is 'v=DMARC1' which says this is a DMARC policy
record and then the p= value which is the policy which is one of
'reject', 'quarantine' or 'none'.

If your list is set with dmarc_moderation_action other than accept, that
action will be applied to mail From: domains with a policy of 'reject'
and possibly 'quarantine' or 'none' depending on the settings of
dmarc_quarantine_moderation_action and dmarc_none_moderation_action.

Also, if the From: domain is not what is known as an organizational
domain, e.g., some.subdomain.aol.com and that domain doesn't publish a
DMARC policy, you then have to look up the policy of the organizational
domain. For common TLDs like .com, .net, .gov, .org, .edu, etc. the
organizational domain is just the top two levels, e.g. python.org,
aol.com, etc.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list