injected body trailers

Konstantin Ryabitsev konstantin at linuxfoundation.org
Thu Oct 21 16:33:02 PDT 2021


On Fri, Oct 22, 2021 at 12:00:43AM +0100, David Woodhouse wrote:
> > thus making any message I touch pass DMARC verification.
> 
> 
> Er… "thus making any message I *send* pass DMARC verification".
> 
> The Sender is the entity who sends the message. Who submits the message
> to the mail system for transport. The Sender in this case is Mailman,
> and the DKIM signature correctly passes verification.
> 
> All else is based on a fundamental misunderstanding of what the Sender:
> and From: headers actually mean.

David, I'm happy to argue whether this makes sense or not, but the fact of the
matter remains that DMARC specifically ignores the Sender: header, so any
email gateway performing DMARC validation will mark messages sent by
lists.infradead.org as failing the check. Unfortunately, anti-phishing
policies at many companies increasingly quarantine or reject messages failing
DMARC verification, so DMARC non-compliant mail will be increasingly not
received by list subscribers.

DMARC and mailing lists are not mutually incompatible, but to make it work
correctly the list operators must either not touch the message bodies and any
pre-existing headers, or rewrite From: to be coming from the mailing list
domain. In the context of patches, I would strongly argue that the former is
the only reasonable solution.

-K
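An added example, not part of the original message: a minimal relaxed-alignment DMARC check run over three constructed list-delivery cases (body modified, message untouched, From: rewritten). The domains `author.example` and `lists.example`, the helper names, and the supplied DKIM/SPF outcomes are assumptions; organizational domains are approximated as the last two labels, whereas real evaluators use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: naive organizational domain = last two labels.
    # Real DMARC evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_result(raw_message, dkim_pass_domains, spf_pass_domain=None):
    """Relaxed identifier alignment as in RFC 7489.

    dkim_pass_domains: d= values of DKIM signatures that verified.
    spf_pass_domain: envelope MAIL FROM domain if SPF passed, else None.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    target = org_domain(from_domain)
    # Only From: supplies the domain to align against; Sender: is never read.
    aligned = [d for d in dkim_pass_domains if org_domain(d) == target]
    if spf_pass_domain and org_domain(spf_pass_domain) == target:
        aligned.append(spf_pass_domain)
    return "pass" if aligned else "fail"

def list_copy(from_addr):
    # Constructed sample of a message as redistributed by a list server.
    return (f"From: {from_addr}\n"
            "Sender: linux-list-bounces@lists.example\n"
            "Subject: [PATCH] fix thing\n\nbody\n")

def scenarios():
    author = "Dev <dev@author.example>"
    listaddr = "Dev via list <linux-list@lists.example>"
    return {
        # List altered the body: the author's signature no longer verifies,
        # only the list's own signature and SPF pass, neither aligned to From:.
        "modified_body": dmarc_result(
            list_copy(author), ["lists.example"], "lists.example"),
        # List left body and signed headers alone: author's signature survives.
        "untouched": dmarc_result(
            list_copy(author), ["author.example", "lists.example"], "lists.example"),
        # List rewrote From: to its own domain: its signature is now aligned.
        "from_rewritten": dmarc_result(
            list_copy(listaddr), ["lists.example"], "lists.example"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```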



More information about the linux-arm-kernel mailing list