injected body trailers

Konstantin Ryabitsev konstantin at linuxfoundation.org
Thu Oct 21 15:57:31 PDT 2021


On Thu, Oct 21, 2021 at 10:42:46PM +0100, David Woodhouse wrote:
> > >    (I realize now that all the mail from linux-arm-kernel has been
> > >    getting dropped into my Spam folder -- I normally don't notice since
> > >    I'm usually CCed directly or via some other list on things I wanted
> > >    to see.)
> > > 
> > > 3) Are there other lists for which lore is collecting emails where DKIM
> > >    is persistently broken, and can we fix those lists too?
> > 
> > I would also note that lists.infradead.org should not really be adding its own
> > DKIM signature to messages it sends out. It doesn't really serve any purpose
> > unless the From: header is rewritten (but please don't do that either).
> 
> No, it matches the Sender: header, which is the entity that actually
> submitted the mail to the system (as opposed to the possibly multiple
> entities listed in the From: header, which are merely authors of the
> message).

I know that's how it was envisioned to work (it's in the DKIM RFC as
recommendation for mailing list operators), but this didn't make it into the
DMARC standard -- DMARC intentionally ignores the Sender: header and will
*always* look at the From: header when performing DKIM validation.
(https://datatracker.ietf.org/doc/html/rfc7489#appendix-A.3)

It was a bad idea in the first place, if you think about it. I can take any
message, add a Sender: header for the domain that I control and force the
validating system to check the DKIM-Signature header that I injected instead
of the signature from the originating domain, thus making any message I touch
pass DMARC verification.

So, I have to double-down on my statement that adding a lists.infradead.org
DKIM signature doesn't actually serve any purpose, at least not when it comes
to appeasing DMARC filters.

-K
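
The alignment rule described above, as an added example that is not part of the original message: it compares the DKIM `d=` domains with the From: domain, as DMARC does, and then with the Sender: domain to show why a list-added signature only satisfies the latter. The domains, the sample message and the `VERIFIED` results are constructed, and the organizational-domain lookup is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: placeholder domains, signature values elided as "x".
RAW = """\
Sender: linux-foo-bounces@lists.example.net
From: Alice Author <alice@example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=list; bh=x; b=x
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=mail; bh=x; b=x
Subject: [PATCH] constructed example

body
"""
MSG = message_from_string(RAW)

# Assumed verifier output (not computed here): the list modified the message,
# so the author's signature no longer verifies; the list's own does.
VERIFIED = {"lists.example.net": True, "example.org": False}

def org_domain(domain):
    # Assumption: naive "last two labels"; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def header_domain(msg, name):
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()

def signing_domains(msg):
    """d= value of every DKIM-Signature header, in header order."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for tag in value.split(";"):
            key, sep, val = tag.partition("=")
            if sep:
                tags[key.strip()] = val.strip()
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains

def dkim_aligned(msg, verified, identity_header="From", strict=False):
    """True if some verified signature's d= aligns with identity_header's domain.
    DMARC only ever uses identity_header="From"; "Sender" models the DKIM-era idea."""
    ident = header_domain(msg, identity_header)
    norm = (lambda d: d) if strict else org_domain
    return any(verified.get(d, False) and norm(d) == norm(ident)
               for d in signing_domains(msg))

if __name__ == "__main__":
    print("DMARC (From:)      ->", dkim_aligned(MSG, VERIFIED))
    print("Sender:-based idea ->", dkim_aligned(MSG, VERIFIED, "Sender"))
```
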


