Package: debbugs
Severity: normal

Debbugs forwards messages from bug maintainers with their From lines intact, which is quite problematic for senders whose domains use DMARC, DKIM, and/or SPF.

SPF: Since the forwarded messages aren't coming from one of the sender's domain's mailservers, they violate the domain's SPF policy, if any.

DKIM: debbugs modifies the forwarded messages in ways that break their DKIM signatures.

DMARC: because SPF and DKIM are both broken in the forward, these messages can't possibly be compliant with domain DMARC policies.

As a result, transmission and distribution of these messages is quite unreliable. At the very least these signals make the messages more likely to be interpreted as spam. At most they are completely bounced by some recipients' mail servers.

The most obvious solution to this is straightforward: the From line in these messages should be modified to contain the email address of the bug, not the email address of the original sender. The original sender's address can be put in Reply-To and/or indicated in the header in a number of other ways. For example, sometimes something like this is done:

    From: Jonathan Kamens <j...@kamens.us>

becomes:

    From: "Jonathan Kamens <j...@kamens.us> via" <###@bugs.debian.org>
    Reply-To: ###@bugs.debian.org, j...@kamens.us

There are different implications of the various ways this can be done, so some thinking does need to go into the best way to do it, but it's not an unsolvable problem.

If there is resistance to making this change across the board, then another possibility is to only modify the headers on messages which have DMARC policies and/or restrictive SPF policies. MailMan has a mode which behaves this way.

In any case the original DKIM signature from the sender should be removed since the message is being modified. I'm not sure whether debbugs already does this.

I would be happy to "put my money where my mouth is" and work on fixing this and submitting a patch. However, I am reluctant to just "jump in" and send in a patch without some engagement from the debbugs maintainers first, because (a) as noted above, some consideration needs to be given to the ramifications of various solutions before one is chosen, and I don't think I'm in any position to do that unilaterally, and (b) because this is a relatively old problem with a relatively straightforward solution, I suspect that there may be non-technical reasons why a fix hasn't been implemented. I'm reluctant to do work that is not going to be accepted for philosophical or political reasons.

Jonathan Kamens

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-4-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
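
The header rewrite proposed in the report above, shown with Python's standard `email` package. This is an added example, not debbugs code and not code from the reporter. The function names, the `example.org` addresses, the caller-supplied `_dmarc` TXT record, and the choice to treat only `p=quarantine` and `p=reject` as requiring a rewrite in the selective mode are assumptions.

```python
from email import message_from_string, policy
from email.headerregistry import Address

ENFORCING = {"quarantine", "reject"}  # assumption: p=none needs no rewrite

def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def rewrite_for_forward(raw, bug_address, txt_record=None):
    """txt_record: sender domain's _dmarc TXT (no DNS here); None = always rewrite."""
    msg = message_from_string(raw, policy=policy.default)
    del msg["DKIM-Signature"]  # every copy: the forwarder modifies the message
    if txt_record is not None and dmarc_policy(txt_record) not in ENFORCING:
        return msg  # selective mode: sender publishes no enforcing policy
    sender = msg["From"].addresses[0]
    who = (f"{sender.display_name} <{sender.addr_spec}>"
           if sender.display_name else sender.addr_spec)
    del msg["From"]
    del msg["Reply-To"]
    msg["From"] = Address(display_name=f"{who} via", addr_spec=bug_address)
    msg["Reply-To"] = (Address(addr_spec=bug_address), sender)
    return msg

# Constructed sample message (not taken from the report)
SAMPLE = (
    "From: Ann Submitter <submitter@example.org>\n"
    "To: 12345@bugs.example.org\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; b=CONSTRUCTED\n"
    "Subject: test\n"
    "\n"
    "body\n"
)
```

With the From domain now that of the forwarder, DMARC alignment is evaluated against the forwarder's own SPF and DKIM rather than the original sender's.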