openssh-unix-dev DMARC-related settings (was Re: scattered thoughts on connection sharing)

James Ralston ralston at pobox.com
Sun Jul 21 06:30:56 AEST 2024


On Thu, Jul 18, 2024 at 5:14 AM Stuart Henderson <stu at spacehopper.org> wrote:
> The mail admins can choose what is covered by the DKIM signature.
> In the case of barclays.com there are various headers (which I think
> make it through the mailing list untouched) but also the body, which
> does not; a footer with the list URL is added.

The real issue here is that the Mailman configuration for the
openssh-unix-dev list does not appear to set `dmarc_moderation_action`
(in `Privacy options` - `Sender filters`) to either `Munge From` or
`Wrap Message`, which is necessary for lists where either of the
following is true:

1. The list accepts posts from senders whose domain applies DMARC
   policy (`p=reject` or `p=quarantine`) but only implements SPF, not
   DKIM.  (Resending a message through a mailing list will always
   invalidate SPF unless SRS (1) is used, and almost no one bothers
   with SRS.)

2. The list accepts posts from senders whose domain applies DMARC
   policy (`p=reject` or `p=quarantine`), and the list is configured
   to modify messages sent to the list (add a Subject: header tag, add
   a footer, et. al.).  (Modifying messages will invalid the DKIM
   signature.)

When affected senders (either group #1 or group #2) post to the list,
all list subscribers whose MTAs apply/obey DMARC policy will take the
action the sender’s domain’s DMARC policy declares (reject outright,
or quarantine / flag as spam).

Damien, is there any possibility of updating the Mailman
`dmarc_moderation_action` setting (2)?  DMARC isn’t going anywhere;
the big mail providers are either already requiring it to some
degree (3), or have said they will start requiring it soon.

(1) https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme
(2) https://wiki.list.org/DEV/DMARC
(3) https://support.google.com/a/answer/81126


More information about the openssh-unix-dev mailing list