DKIM on messages

  106185
July 8, 2019 19:29 scott@exussum.co.uk
Hi all,

Minor issue really but a fair chunk of the emails I get from the 
internals list end up in spam due to what looks like the DKIM signatures 
being incorrect.

If a message is DKIM signed, the signed part usually contains subject 
and body, this is then hashed and appended to the headers, after its 
been sent to the mailing list (where the signature is correct) the 
mailing list then prepends [PHP-DEV] to the subject and sometimes (not 
sure when but its not every request) puts an unsubscribe link in the 
body. As the message content has now changed, the signature also fails 
to verify.

It looks like ezmlm is used, there is an option for headerremove which 
DKIM-Signature could be added to 
(https://manpages.debian.org/experimental/ezmlm-idx/ezmlm-send.1.en.html) 
  this would prevent the signature being attached and therefore pass.

I imagine this is a fairly small issue, but it seems an easy fix also 
for someone with access to the mailing list.

Would it be possible for this to be applied ? as mentioned earlier this 
isnt major but I can't imagine I am the only one who has failures 
because of this.


Thanks

Scott
  106186
July 8, 2019 20:57 tim@bastelstu.be (=?UTF-8?Q?Tim_D=c3=bcsterhus?=)
Scott,

[using DKIM and (lax) DMARC myself, usually just lurking]

Am 08.07.19 um 21:29 schrieb scott@exussum.co.uk:
> It looks like ezmlm is used, there is an option for headerremove which > DKIM-Signature could be added to > (https://manpages.debian.org/experimental/ezmlm-idx/ezmlm-send.1.en.html)  this > would prevent the signature being attached and therefore pass.
This will *still* break anything using DMARC, because neither DKIM nor SPF is valid. Anything *not* using DMARC is better off, though. Ideally the email modifications are disabled entirely. The emails can be reliably detected using the List-Id header and filtered based on it. Best regards Tim Düsterhus
  106205
July 10, 2019 11:41 scott@exussum.co.uk (Scott Dutton)
On 2019-07-08 15:57, Tim Düsterhus wrote:

> This will *still* break anything using DMARC, because neither DKIM nor > SPF is valid. Anything *not* using DMARC is better off, though. > > Ideally the email modifications are disabled entirely. The emails can > be > reliably detected using the List-Id header and filtered based on it. > > Best regards > Tim Düsterhus
Hi Tim The suggested method is not modifying the emails as you suggested, unsubscribe links should be handled by adding a List-Unsubscribe header (which almost all major providers use to show inline unsubscribe links) though that needs a one click link which the current link is not (so again a little more work) Im not sure how big of a change that will be (as it will be many people updating filters I assume) but yeah that's a much better way. I assume people must get dmarc reports now as the SPF and DKIM checks will both fail currently ? Thanks Scott