[arch-devops] Making our mailing lists DMARC/DKIM safe (drop subject prefix)

Florian Pritz bluewind at xinu.at
Fri May 27 15:36:08 UTC 2016


Hi,

First some background: DKIM allows a mail server to sign mails similar
to GPG, except that the public key is distributed via DNS. DMARC allows
a domain to define a policy (do nothing, quarantine or reject) for mails
that do not possess a valid DKIM signature (modified content, spam
mail without a sig, ..).

DKIM signatures sign both the body and the header of the mail. The
header fields that are signed differ between setups, but generally it's
at least From, To and Subject.

Currently, most/all of our mailing lists prepend the listname to the
subject, thus invalidating any DKIM signature. Some lists also add a
footer to the body of the message (arch-events, possibly more).

I propose that we configure our lists not to alter messages in any way
so that existing DKIM signatures remain valid. This would mean that
the list name will no longer be in the subject so everyone who currently
uses that to filter list traffic would have to switch to using the
List-ID header. This is also a much more reliable way to filter list
traffic since sometimes mails have multiple tags in the subject if they
are sent to multiple lists. Also private messages may still contain the
subject tag even if they were never sent via the list.

I don't see any benefit in having the listname in the subject since
mails are generally filtered into dedicated mailboxes per list anyway.
Changing the subject just means that when browsing that mailbox all
subjects start with the same useless text.

I know multiple lists that have already switched to keeping mails
as-is. Among them are the bugtraq and cgit lists as well as some
official and third-party dovecot and postfix related lists.

If this proposal is accepted by us, I will send it out to all our
lists with a 2-week lead time before I start changing anything so that
people have a chance to update their filters if necessary.

Opinions?


PS: I'd prefer to keep discussion on arch-devops at lists.archlinux.org.
I'm just posting this to arch-dev-public so all devs/TUs are aware of
it.

Florian
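
Added example, not part of the original post: a Python sketch of DKIM "relaxed" canonicalization (RFC 6376) showing which list modifications change the signed data. The signed field set, addresses, list name and message text are constructed assumptions, and the header digest is simplified (a real verifier also hashes the DKIM-Signature field itself).

```python
import base64
import hashlib
import re

SIGNED = ("from", "to", "subject")  # assumed h= list; real setups differ

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse whitespace."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"

def relaxed_body(body):
    """RFC 6376 section 3.4.4: trim line ends, collapse whitespace, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def body_hash(body):
    """Value a signer would place in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def header_digest(headers):
    """Simplified: hashes only the signed fields; a real verifier also
    appends the DKIM-Signature field with an empty b= value."""
    data = "".join(relaxed_header(n, v) for n, v in headers if n.lower() in SIGNED)
    return hashlib.sha256(data.encode()).hexdigest()

def survives(original, delivered):
    """Compare (headers, body) pairs; report which signed parts still match."""
    return {
        "headers": header_digest(original[0]) == header_digest(delivered[0]),
        "body": body_hash(original[1]) == body_hash(delivered[1]),
    }

# Constructed sample message, not taken from any real list.
HEADERS = [("From", "alice@example.org"), ("To", "list@example.net"),
           ("Subject", "Package  update")]
BODY = "Hello,\r\nplease test the new build.\r\n"
SENT = (HEADERS, BODY)

# List that only adds its own List-Id field (not in the signed set).
PASS_THROUGH = (HEADERS + [("List-Id", "<list.example.net>")], BODY)
# List that prepends a subject tag.
TAGGED = ([(n, "[list] " + v if n == "Subject" else v) for n, v in HEADERS], BODY)
# List that appends a footer to the body.
FOOTER = (HEADERS, BODY + "_______\r\nlist mailing list\r\n")

if __name__ == "__main__":
    for name, msg in (("pass-through", PASS_THROUGH), ("tagged", TAGGED), ("footer", FOOTER)):
        print(name, survives(SENT, msg))
```

Adding a List-Id field leaves both checks intact because that field is outside the signed set, while the subject tag and the footer each break one of them.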