Hi,
Monitoring the mail system, I've found that Google still has us rate limited. Trying to understand why, I've come up with the following reason:
Google verifies DKIM as part of their criteria for identifying SPAM. We sign our outgoing mail, so, there shouldn't be a problem. However, some mail *already* has a DKIM signature. Still no problem, but most mailing lists change the Subject: line by prepending the mailing list name.
Now *that*'s a problem: it invalidates the pre-existing signature! So, simply strip the old DKIM headers, you might say. That will make the problem go away. Well, in fact it probably doesn't: domains which use DKIM can also state a policy that all mail from the domain should be signed. Stripping the DKIM signature makes the mail invalid with respect to that policy, again triggering the SPAM rules.
My conclusion: we have to stop munging the Subject: line in the mailman mailing lists.
Any comments?
On 04 Feb 2015, at 13:46, Erik Huelsmann <ehuels@gmail.com> wrote:
> Hi,
> Monitoring the mail system, I've found that Google still has us rate limited. Trying to understand why, I've come up with the following reason:
> Google verifies DKIM as part of their criteria for identifying SPAM. We sign our outgoing mail, so, there shouldn't be a problem. However, some mail *already* has a DKIM signature. Still no problem, but most mailing lists change the Subject: line by prepending the mailing list name.
> Now *that*'s a problem: it invalidates the pre-existing signature! So, simply strip the old DKIM headers, you might say. That will make the problem go away. Well, in fact it probably doesn't: domains which use DKIM can also state a policy that all mail from the domain should be signed. Stripping the DKIM signature makes the mail invalid with respect to that policy, again triggering the SPAM rules.
> My conclusion: we have to stop munging the Subject: line in the mailman mailing lists.
> Any comments?
mailman also adds a “footer”, like
Clo-devel mailing list
Clo-devel@common-lisp.net
http://mailman.common-lisp.net/cgi-bin/mailman/listinfo/clo-devel
so we need to do more than just stop re-writing the subject line.
From [wikipedia] [1]:
> These problems are exacerbated when filtering or relaying software adds actual changes to a message. Although legitimate, the footer addition operated by most mailing lists and many central antivirus solutions, formally, are exactly the kind of message tampering that DKIM has been designed to guard against. The solution is to whitelist known forwarders, e.g. by SPF. Alternatively, a forwarder can verify the signature, modify the e-mail, and re-sign the message with a Sender: header. However, it should be noted that this solution has its risk with forwarded 3rd party signed messages received at SMTP receivers supporting the RFC 5617 ADSP protocol. Thus, in practice, the receiving server still has to whitelist known message streams, i.e. by DKIM.
[1]: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
This article claims that mailman "supports standards needed to avoid this problem:"
https://sites.google.com/site/oauthgoog/mlistsdkim
Hi Dave,
On Wed, Feb 4, 2015 at 2:58 PM, Dave Cooper <david.cooper@genworks.com> wrote:
> This article claims that mailman "supports standards needed to avoid this problem:"
Ok, but that system requires our domain to be trusted by Google. Since we're currently rate limited, I don't think we're in a position to ask for this trust.... To me it seems like it's better to generate mails which have validating DKIM signatures by no longer rewriting subject and body.
However, it seems like something we'll need to announce. Bringing it up here so people get a chance to react to that. Also, if others have experience to the contrary, it'd of course be great to hear that this isn't a solution, if it isn't.... (Mark's remark that we can't modify the body either seems like a remark to that effect.)
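
As an added illustration of the point made in this thread (not code from any of the posters or from mailman), the sketch below applies RFC 6376 "relaxed" canonicalization to a constructed message and reports which DKIM inputs change when a list prepends a Subject tag or appends the footer quoted above. The sample headers, the `[clo-devel]` prefix format and the helper names are assumptions; the header digest is simplified and no signature is actually verified.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value the signer stores in the bh= tag (sha256 variant)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n".encode()

def header_digest(headers: dict, signed) -> str:
    """Simplified: digest over the h= headers only. A real verifier also
    hashes the DKIM-Signature field and checks the signature in b=."""
    data = b"".join(relaxed_header(h, headers[h]) for h in signed)
    return hashlib.sha256(data).hexdigest()

def what_breaks(orig, relayed, signed=("From", "Subject")):
    """Compare (headers, body) pairs; list the DKIM inputs that changed."""
    broken = []
    if body_hash(orig[1]) != body_hash(relayed[1]):
        broken.append("bh")
    if header_digest(orig[0], signed) != header_digest(relayed[0], signed):
        broken.append("headers")
    return broken

# Constructed sample message; the footer text is the one quoted in the thread.
HDRS = {"From": "alice@example.org", "Subject": "Release plan"}
BODY = b"Hello list,\r\nsee the plan.\r\n"
FOOTER = (b"Clo-devel mailing list\r\nClo-devel@common-lisp.net\r\n"
          b"http://mailman.common-lisp.net/cgi-bin/mailman/listinfo/clo-devel\r\n")
MUNGED = dict(HDRS, Subject="[clo-devel] Release plan")   # assumed prefix format

if __name__ == "__main__":
    print(what_breaks((HDRS, BODY), (MUNGED, BODY)))            # subject prefix
    print(what_breaks((HDRS, BODY), (HDRS, BODY + FOOTER)))     # footer
    print(what_breaks((HDRS, BODY), (HDRS, b"Hello list,  \r\nsee  the plan.\r\n\r\n")))
```

Relaxed canonicalization absorbs whitespace-only differences, so the last case reports nothing broken, while either list modification changes a hashed input.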