[openssl-dev] Mailman version used by OpenSSL is misconfigured and/or broken in relation to DKIM

Kurt Roeckx kurt at roeckx.be
Tue Aug 18 08:30:37 UTC 2015


On Mon, Aug 17, 2015 at 10:55:53AM -0700, Quanah Gibson-Mount wrote:
> However, there are two solutions that allow adding a footer when list
> subscribers may have DKIM signed email:
> 
> a) As noted in the OpenDKIM README, in the "Mailing Lists" section, if the
> list traffic itself has DKIM signing in place, it will override the DKIM
> signing done by the sender.  This allows the footer modification to the
> message to no longer be an issue.

This fixed the DKIM problem, not the DMARC issue.  For DMARC the
signature should come from the same as the From address.  Since
SPF is going to fail with your From, the receiver will need to see
DKIM that matches the From.  For DMARC either SPF or DKIM should
be valid and match the From field, while for SPF and DKIM itself
the From doesn't matter.

So really the only options for DMARC are:
- Do not touch either the signed headers or body at all, leave From
  intact, keep the DKIM signatures.  But even then it might break.
- Change the From.  You can leave the DKIM signature intact or
  remove it, it doesn't change anything.
- Do not allow people with a p=reject DMARC policy on the list

> b) Mailman can be configured to strip DKIM headers entirely from incoming
> email.  This is generally considered bad practice, but it does allow the
> emails to get delivered to all list members w/o issue.

No it doesn't, see above.  The DMARC test should always fail if you
do that.


Kurt
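
The DMARC alignment rule discussed in this message, as an added example that is not part of the original post: a small evaluator run over the list-handling options mentioned above. The domains `sender.example` and `lists.example` are constructed, and the suffix comparison in `aligned()` is a simplification (an assumption here) of relaxed alignment, which real receivers compute on organizational domains using the Public Suffix List.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    """Outcome of one SPF or DKIM check, as a receiver would record it."""
    passed: bool
    domain: str  # SPF: envelope sender domain; DKIM: the d= signing domain

def aligned(auth_domain: str, from_domain: str) -> bool:
    # Simplified relaxed alignment: same domain or a parent/subdomain relation.
    # Assumption: real receivers compare organizational domains instead.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_pass(from_domain, spf, dkim_sigs):
    """DMARC passes if SPF or any DKIM signature both passes and aligns with From."""
    if spf.passed and aligned(spf.domain, from_domain):
        return True
    return any(s.passed and aligned(s.domain, from_domain) for s in dkim_sigs)

# Constructed scenario: author at sender.example, list server at lists.example.
AUTHOR, LIST = "sender.example", "lists.example"
# The list server is the envelope sender, so SPF passes for LIST only.
LIST_SPF = Auth(True, LIST)

def scenarios():
    return {
        # Relayed untouched, assuming the author's signature still verifies.
        "untouched": dmarc_pass(AUTHOR, LIST_SPF, [Auth(True, AUTHOR)]),
        # Footer added and list re-signs: the author's signature breaks,
        # the list's signature verifies but does not align with From.
        "footer_list_signs": dmarc_pass(
            AUTHOR, LIST_SPF, [Auth(False, AUTHOR), Auth(True, LIST)]),
        # DKIM headers stripped: nothing left that aligns with From.
        "dkim_stripped": dmarc_pass(AUTHOR, LIST_SPF, []),
        # From rewritten to the list domain: SPF and the list's DKIM align.
        "from_rewritten": dmarc_pass(LIST, LIST_SPF, [Auth(True, LIST)]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:18} DMARC {'pass' if ok else 'fail'}")
```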


