openssl-users: DKIM, DMARC and all that jazz, and what it means to us

Jakob Bohm jb-openssl at
Mon Feb 18 21:51:09 UTC 2019

On 16/02/2019 00:02, Richard Levitte wrote:
> On Fri, 15 Feb 2019 18:33:30 +0100, Lewis Rosenthal wrote:
>> ...
>> I strongly encourage you to re-think this. Everyone else on this list
>> whose server has been properly configured to not trash legitimate
>> messages must now be inconvenienced by the needs of a seemingly
>> tone-deaf provider. (FWIW, I go through this with addresses
>> all the time; the fault lies there, not in the list configuration - so
>> long as the list configuration follows the applicable RFC guidelines.)
> Well, if we change the subject of a DKIM signed message, don't we
> break it?  (I'm not sure how applicable that's with Google, as we
> received the same kind of bounce for message originating at
> (there is a DMARC record with p=none, so shouldn't affect
> anything as far as I understand) and no DKIM signature...  but still,
> when there is one...

Indeed it does break it (unless the signature unusually doesn't
cover the Subject).  According to the RFC, a DKIM signature can
choose an almost arbitrary subset of headers to cover (including
covering the absence of a header type), plus a choice between
signing the entire body or only the first N lines (for arbitrary
N).  That "first N lines" option is how to create a DKIM signature
that allows appending a list footer.

As for p=none, this is what my rule 5 covered: just because a DMARC
record says p=none doesn't remove the requirement for messages to
be correct, it only lowers the default error handling to a warning (I
receive daily mails listing which IP addresses spoofed our domains
by sending out mails with the not doing so, as is required by the
DMARC RFC, and I did so when I had p=none).

Having a DMARC record without DKIM signatures (including DKIM
signing mails relayed with as From: address) is either
an RFC violation or very close to one.  So I would suggest setting
that up.  There are probably generic plugins for Postfix already,
but check the DMARC and DKIM RFC rules for how to handle the various
special address combinations that occur in mailing list traffic
(such as having Sender and From with different domains), because
the plugins may not have been tested for that.


Jakob Bohm, CIO, Partner, WiseMo A/S.
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
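
The following is an added example, not part of the list post above and not
OpenSSL or Mailman code. It models the three DKIM (RFC 6376) mechanisms the
reply describes, so the effect of a list on a signature can be seen on a
constructed message: the h= list of covered headers, signing the absence of a
header by naming it more often than it occurs, and the l= body-length tag (an
octet count in RFC 6376) that lets a footer be appended without breaking the
body hash. Assumptions: HMAC-SHA256 over a constructed key stands in for the
RSA or Ed25519 signature a real signer computes over the same canonical input,
and the domain example.org, selector list2019, sample headers and footer text
are all made up for the demo.

```python
import base64
import hashlib
import hmac
import re

# Constructed secret standing in for the signer's private key (assumption: real
# DKIM signs the same canonical input with RSA-SHA256 or Ed25519 and publishes the
# public key in DNS; HMAC keeps this example standard-library only).
KEY = b"constructed-example-signing-key"
DOMAIN, SELECTOR = "example.org", "list2019"  # made up for the example


def relaxed_header(name, value):
    """RFC 6376 3.4.2 'relaxed' header canonicalization: lowercase the name,
    unfold, collapse runs of whitespace, strip, terminate with CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def simple_body(body):
    """RFC 6376 3.4.3 'simple' body canonicalization: CRLF line endings and
    exactly one trailing CRLF (an empty body becomes a single CRLF)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    return body.rstrip("\r\n") + "\r\n"


def body_hash(body, length=None):
    """bh= value: SHA-256 over the canonical body, or over its first l= octets."""
    canon = simple_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def header_hash_input(headers, signed_names, sig_value):
    """Bytes covered by b=: each name in h= takes the next unused instance of
    that header from the bottom up (RFC 6376 5.4.2), so naming a header more
    often than it occurs signs the absence of further instances; finally the
    DKIM-Signature header itself with an empty b= and no trailing CRLF."""
    used, out = {}, []
    for name in signed_names:
        n = name.lower()
        instances = [v for hn, v in headers if hn.lower() == n]
        i = used.get(n, 0)
        if i < len(instances):
            out.append(relaxed_header(n, instances[-1 - i]))
        used[n] = i + 1
    out.append(relaxed_header("dkim-signature", sig_value).rstrip("\r\n"))
    return "".join(out).encode()


def sign(headers, body, signed_names, length=None):
    """Return the DKIM-Signature header value. length=None covers the whole body;
    an explicit length adds l= so octets appended later (a list footer) are ignored."""
    tags = ["v=1", "a=hmac-sha256", "c=relaxed/simple", f"d={DOMAIN}", f"s={SELECTOR}"]
    if length is not None:
        tags.append(f"l={length}")
    tags += [f"h={':'.join(signed_names)}", f"bh={body_hash(body, length)}", "b="]
    unsigned = "; ".join(tags)
    mac = hmac.new(KEY, header_hash_input(headers, signed_names, unsigned), hashlib.sha256)
    return unsigned + base64.b64encode(mac.digest()).decode()


def verify(headers, body, sig_value):
    """Recompute bh= and b= the way a receiving verifier does; True if both match."""
    tags = dict(t.strip().split("=", 1) for t in sig_value.split(";") if t.strip())
    length = int(tags["l"]) if "l" in tags else None
    if length is not None and length > len(simple_body(body)):
        return False  # l= exceeds the body: part of the signed prefix is missing
    if not hmac.compare_digest(body_hash(body, length), tags["bh"]):
        return False
    unsigned = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)  # blank only the b= tag
    data = header_hash_input(headers, tags["h"].split(":"), unsigned)
    expected = base64.b64encode(hmac.new(KEY, data, hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, tags["b"])


def demo():
    """Constructed message, then the list-transit cases discussed in the thread."""
    headers = [("From", "alice@example.org"),
               ("To", "openssl-users@openssl.org"),
               ("Subject", "DKIM question")]
    body = "Does the list break my signature?\n"
    covered = ["from", "to", "subject"]
    sig_full = sign(headers, body, covered)                        # whole body hashed
    sig_l = sign(headers, body, covered, len(simple_body(body)))   # l= original length
    sig_absent = sign(headers, body, covered + ["subject"])        # second Subject signed absent

    tagged = [(n, ("[openssl-users] " + v) if n == "Subject" else v) for n, v in headers]
    footered = body + "--\nopenssl-users mailing list\n"
    extra_subject = headers + [("Subject", "injected")]
    return {
        "unchanged": verify(headers, body, sig_full),               # True
        "subject_tagged": verify(tagged, body, sig_full),           # False: Subject is in h=
        "footer_full_body": verify(headers, footered, sig_full),    # False: bh= covers everything
        "footer_with_l": verify(headers, footered, sig_l),          # True: footer lies past l=
        "subject_added": verify(extra_subject, body, sig_absent),   # False: absence was signed
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} {'pass' if ok else 'FAIL'}")
```

Only the footer-with-l= case survives the list, which is the point of the
reply. The flip side, which RFC 6376 section 8.2 itself warns about, is that
anything past l= is unsigned, so an attacker can append content just as a list
can; receivers that know this treat l= signatures with suspicion, and a list
that rewrites Subject still needs its own DKIM signature regardless.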
