On 27 Mar 2019, at 3:51, Matus UHLAR - fantomas wrote:
On 26 Mar 2019, at 14:47, Matus UHLAR - fantomas wrote:
if the mailing list doesn't modify existing headers, DKIM signatures are
valid but they don't align, so DMARC policy is violated.
On 26.03.19 15:40, Bill Cole wrote:
No: without modification of From, the original DKIM signature does
align with From, which is good enough that DMARC can pass IF the
signature is valid.
From what I know, the header From: (DKIM) is supposed to be aligned with
envelope from (SPF), which is not applicable for lists that keep header
From: but use their own envelope from.
That is a misunderstanding of DMARC alignment. See
https://tools.ietf.org/html/rfc7489#section-3.1
If the From domain has a DMARC record, then at least one of DKIM and/or
SPF must authenticate a domain aligned to the From domain. Mailing lists
break alignment to SPF by necessity, so SPF authentication is not
relevant to DMARC and mailing lists. If the original From domain is used
in a DKIM signature, the mailing list must either perfectly avoid
breaking the signature validity (which is harder than it seems) or
change the From header so that its domain no longer has a DMARC record.
https://en.wikipedia.org/wiki/DMARC#Mailing_lists
Wikipedia is not a good reference for any technical standard. In this
case, that section is at best misleading and (as I read it) simply
wrong.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
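
Added example (not part of the original message and not taken from any DMARC implementation): a simplified Python model of the RFC 7489 alignment rule discussed in this thread, run over constructed mailing-list cases. The domains author.example and list.example are made up, and the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain;
    # real evaluators use the Public Suffix List (RFC 7489 section 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment needs identical domains, relaxed only the same org domain.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str      # domain in the From: header
    envelope_from: str    # domain of the envelope sender, checked by SPF
    spf_pass: bool        # SPF result for envelope_from
    dkim: list = field(default_factory=list)  # (d= domain, signature valid?)

def dmarc_result(msg, has_record=True, adkim_strict=False, aspf_strict=False):
    if not has_record:
        return "none"     # From domain publishes no DMARC record
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, aspf_strict)
    dkim_ok = any(valid and aligned(d, msg.header_from, adkim_strict)
                  for d, valid in msg.dkim)
    return "pass" if spf_ok or dkim_ok else "fail"

def scenarios():
    a, lst = "author.example", "list.example"   # constructed domains
    return {
        # List keeps From: and leaves signed content intact: DKIM still aligns.
        "list_untouched": dmarc_result(Message(a, lst, True, [(a, True)])),
        # List adds a footer: author signature breaks, list signature is
        # valid but not aligned, SPF passes only for the list's domain.
        "list_modified": dmarc_result(Message(a, lst, True, [(a, False), (lst, True)])),
        # List rewrites From: to its own domain, which has no DMARC record.
        "from_rewritten": dmarc_result(Message(lst, lst, True, [(lst, True)]), has_record=False),
        # Subdomain signature: relaxed alignment passes, strict does not.
        "sub_relaxed": dmarc_result(Message(a, lst, True, [("mail." + a, True)])),
        "sub_strict": dmarc_result(Message(a, lst, True, [("mail." + a, True)]), adkim_strict=True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} {result}")
```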