On April 20, 2019 3:15:18 AM UTC, Peter <pe...@pajamian.dhs.org> wrote:
>On 20/04/19 2:50 PM, Richard Damon wrote:
>> If you look at the background behind DKIM, one of the major impetuses
>> was protecting transactional emails, and protection from attacks like
>> phishing. For these sorts of emails, that stricter protection makes
>> sense. These sorts of emails also aren't sent through mailing lists.
>>
>> Effectively, if you decide to use DKIM to protect your domain's outgoing
>> email, then you really need to tell your users about the issue with
>> mailing lists, as the choice to use DKIM basically says that most
>> mailing lists should be off limits to your users, as it is very common
>> for mailing lists to break the DKIM signature, so it really is YOUR
>> problem to adjust your DKIM settings and Authorized Usage Policy to make
>> your system work for your users. I have to regularly tell users of a
>> mailing list that I run that the reason the list removes their email
>> address out of the From: field is that they are using a broken email
>> system that isn't compatible with the use of mailing lists.
>>
>> Note also, these RFCs are just Standards Track, which says that they are
>> not yet 'full standards' but still evolving, and I believe that one of
>> the issues that needs to be worked out is to figure out how to improve
>> their interoperability for general emails with traditional mailing lists.
>
>I'm not disagreeing with any of this. It simply boils down to that when
>a current RFC recommends a certain practice you shouldn't be surprised
>that people will follow that recommendation. What then follows is that
>people who use google, microsoft or other major ESPs that enforce DMARC
>will end up either not getting a large portion of messages sent to the
>list, or have to hunt through Spam to find them. At the end of the day
>this means that the practical implications of this are problematic at
>best.
>
>It means that I also take issue when Wietse says that the mailing list
>is DKIM compliant, because clearly that statement is based on the DKIM
>signature not including certain headers that the mailing list alters.
>What might be more accurate is to say that the mailing list is DKIM
>compliant just as long as the DKIM signature doesn't include certain
>headers, some of which are actually recommended to be included by the
>relevant RFCs. When looked at in that light it becomes more clear that
>the DKIM compliance of the mailing list is spotty at best.
Not at all. The unusual aspect of this case is the originator including Sender
in the mail sent to the list. Don't do that and it's all fine.
Scott K
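
Added example, not part of the thread and not code from any of the posters: a check an originating domain could run on its outgoing mail to see whether the `h=` list of its DKIM signature covers a header the mailing list modifies. The sample message, the domain names and the `LIST_REWRITES` set are assumptions; only Sender is named in the thread.

```python
from email import message_from_string

# Constructed sample, not a message from the thread; bh=/b= are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;
 h=From:To:Subject:Date:Sender:Message-ID;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.org>
Sender: alice@example.org
To: list@lists.example.net
Subject: test
Date: Sat, 20 Apr 2019 03:15:18 +0000
Message-ID: <1@example.org>

body
"""

# Assumption: headers the list adds or rewrites. Only Sender is named in the thread.
LIST_REWRITES = frozenset({"sender"})

def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def at_risk(raw, rewritten=LIST_REWRITES):
    """Return [(signing domain, signed headers the list would change)].

    A name listed in h= is covered even when the header is absent from the
    message (RFC 6376 signs it as empty), so a list adding it breaks b= too.
    """
    report = []
    for sig in message_from_string(raw).get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = {h.lower() for h in tags.get("h", "").split(":") if h}
        report.append((tags.get("d", ""), sorted(signed & rewritten)))
    return report

if __name__ == "__main__":
    for domain, headers in at_risk(SAMPLE):
        print(domain, "signature covers list-modified headers:", headers or "none")
```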