On 12/15/14, 4:24 AM, A. Schulze wrote:
wietse:
DMARC "verifies" the From: header against SPF, DKIM or both, but
only a poorly-informed person would require that the From: address
*always* verifies with SPF.
for that reason it's more important the existing DKIM signature
is still valid when the mlm redistributes the message to all subscribers.
Unfortunately there are some rare situations a message must be modified.
Well known example: Mailman sometimes changes the message encoding.
Not so often known: The mlm MTA submits to a subscriber MTA not capable
of 8BITMIME.
In the last case a message is also modified and will not pass DMARC test
even if the MLM host is known to "usually" not modify messages.
Actually, I find that it is "normal" for the mailing list manager to
make changes that will cause the message to fail a DKIM signature, and
in fact it is required by law in some jurisdictions (some jurisdictions
REQUIRE an unsubscribe link in every message from a mailing list). It is
also very common to add a list code to the subject for filtering.
And exactly to debug such situations I wish postfix could log
"here is a message with 8 bit content and the remote MTA does not
announce 8BITMIME. I have to recode the message and that will invalidate
potential existing DKIM signatures"
The other option is to convert every message to 7bit before signing.
Doesn't sound like a strategy for the future ...
It would be unreasonable to expect that mailing list managers replace
the From: address of mailing list postings to match the list server's
IP addresses.
Ehm,
ironically that's exactly the solution preferred on the dmarc-discuss
ml :-/
Andreas
Yes, From replacement is currently at least one of the preferred
methods to handle DMARC issues with mailing lists, as proposed by the
DMARC group and the major mail systems that are causing the DMARC
problem.
--
Richard Damon
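
The modifications discussed in this thread (an added unsubscribe footer, a list code in the subject, recoding 8-bit content for a peer without 8BITMIME) can be checked against DKIM's "relaxed" canonicalization from RFC 6376. The following is an added example, not part of the original thread and not Postfix or Mailman code; the message body, footer URL and subject lines are constructed samples, and quoted-printable stands in for whatever recoding the sending MTA applies.

```python
import base64, hashlib, quopri, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 sec. 3.4.4 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t"))
             for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at the end
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a sha256 signer puts in the bh= tag of DKIM-Signature."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 sec. 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()     # collapse and trim WSP
    return name.lower() + ":" + value + "\r\n"

def recode_7bit(body: bytes) -> bytes:
    """Stand-in for the downgrade done when the peer lacks 8BITMIME."""
    return quopri.encodestring(body)

# Constructed sample: an 8-bit UTF-8 body as the author's MTA signed it.
ORIGINAL = "Gr\u00fc\u00dfe aus K\u00f6ln\r\n".encode("utf-8")
FOOTER = b"-- \r\nUnsubscribe: https://lists.example/unsub\r\n"  # constructed

def bh_after_changes(body: bytes) -> dict:
    """bh= as a verifier would recompute it after each in-transit change."""
    return {
        "signed": body_hash(body),
        "trailing_whitespace": body_hash(body.replace(b"\r\n", b" \t\r\n") + b"\r\n"),
        "footer_added": body_hash(body + FOOTER),
        "recoded_to_7bit": body_hash(recode_7bit(body)),
    }

if __name__ == "__main__":
    for change, bh in bh_after_changes(ORIGINAL).items():
        print(f"{change:20} bh={bh}")
    # Subject is normally a signed header: whitespace survives, a list code does not.
    print(relaxed_header("Subject", "Re:  DMARC   and lists"), end="")
    print(relaxed_header("Subject", "[list] Re: DMARC and lists"), end="")
```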