injected body trailers

David Woodhouse dwmw2 at infradead.org
Thu Oct 21 16:41:28 PDT 2021



On 22 October 2021 00:33:02 BST, Konstantin Ryabitsev <konstantin at linuxfoundation.org> wrote:
>On Fri, Oct 22, 2021 at 12:00:43AM +0100, David Woodhouse wrote:
>> > thus making any message I touch pass DMARC verification.
>> 
>> 
>> Er… "thus making any message I *send* pass DMARC verification".
>> 
>> The Sender is the entity who sends the message. Who submits the message
>> to the mail system for transport. The Sender in this case is Mailman,
>> and the DKIM signature correctly passes verification.
>> 
>> All else is based on a fundamental misunderstanding of what the Sender:
>> and From: headers actually mean.
>
>David, I'm happy to argue whether this makes sense or not, but the fact of the
>matter remains that DMARC specifically ignores the Sender: header, so any
>email gateway performing DMARC validation will mark messages sent by
>lists.infradead.org as failing the check. Unfortunately, anti-phishing
>policies at many companies increasingly quarantine or reject messages failing
>DMARC verification, so DMARC non-compliant mail will be increasingly not
>received by list subscribers.
>
>DMARC and mailing lists are not mutually incompatible, but to make it work
>correctly the list operators must either not touch the message bodies and any
>pre-existing headers, or rewrite From: to be coming from the mailing list
>domain. In the context of patches, I would strongly argue that the former is
>the only reasonable solution.

The only reasonable solution to the fact that DKIM/DMARC is fundamentally misdesigned, and failed to adopt any of the known workarounds that were being floated during its inception? That like so many of the other email snake oil "solutions", it required widescale changes in how email operates in the real world, in order to make its false assumptions come true?

I would posit that another reasonable "solution" to that problem is *not* to pander to its stupidity, but instead just declare it "yet another bad idea on the Internet" and ignore it.

But it's up to the owner of the individual mailing list. Nothing prevents them from configuring it as DMARC demands. Unless they've forgotten the list password, in which case I can reset it for them.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
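
Added example, not part of the thread or of any poster's code: a minimal model of the DMARC identifier-alignment check (RFC 7489, relaxed mode) for the three list behaviours discussed above. The domains, the messages and the DKIM/SPF verification outcomes passed in are constructed assumptions, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# Added illustration: DMARC identifier alignment (RFC 7489), relaxed mode.
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def from_domain(raw):
    msg = message_from_string(raw)
    # Only From: is read. Sender: is never consulted by DMARC.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2]

def dmarc(raw, dkim_pass, spf_pass=None):
    """dkim_pass: d= domains of signatures that verified on receipt.
    spf_pass: envelope MAIL FROM domain if SPF passed, else None."""
    want = org_domain(from_domain(raw))
    authenticated = list(dkim_pass) + ([spf_pass] if spf_pass else [])
    return "pass" if any(org_domain(d) == want for d in authenticated) else "fail"

LIST = "lists.example.org"   # constructed list domain
# Constructed messages as a subscriber's gateway would receive them.
FOOTER_ADDED = ("From: Alice <alice@example.com>\n"
                f"Sender: dev-bounces@{LIST}\n"
                "Subject: [PATCH] fix\n\nbody\n_____\nlist footer\n")
UNTOUCHED = ("From: Alice <alice@example.com>\n"
             f"Sender: dev-bounces@{LIST}\n"
             "Subject: [PATCH] fix\n\nbody\n")
FROM_REWRITTEN = (f"From: Alice via dev <dev@{LIST}>\n"
                  "Reply-To: Alice <alice@example.com>\n"
                  "Subject: [PATCH] fix\n\nbody\n_____\nlist footer\n")

def scenarios():
    return {
        # Footer broke Alice's signature; only the list's signature and SPF pass.
        "footer_added": dmarc(FOOTER_ADDED, [LIST], spf_pass=LIST),
        # Body and signed headers intact; Alice's d=example.com still verifies.
        "untouched": dmarc(UNTOUCHED, ["example.com", LIST], spf_pass=LIST),
        # From: now in the list domain, so the list's own signature aligns.
        "from_rewritten": dmarc(FROM_REWRITTEN, [LIST], spf_pass=LIST),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} {result}")
```

In the first scenario the list's own signature and SPF both pass, yet the result is a failure because neither domain aligns with the From: domain.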


