
Whenever I send mail to a Debian mailing list, I receive notifications of DKIM policy violations. I've never figured out whether the problem is on my side or theirs...

[edit] having done a bit more research, I think the problem lies with the BTS: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754809




The mailing list probably appends a footer that breaks the DKIM signature. This has been a known issue for basically all mailing lists for quite some time.


Isn't that easily solved by rewriting the From header and re-signing the email? Send it from:

Some List on behalf of John Sender <list@example.com>

... instead of ...

John Sender <john@other-example.com>

And now the list software can generate its own (valid) DKIM signature.

EDIT: Never mind, listen to dbqpdb[0] instead. ARC sounds like a better way to go.

[0] https://news.ycombinator.com/item?id=21420732#21422328


But you are right. This is what lists have been doing. They may also set the X-Original-From or X-Original-Sender headers. Google Groups does it anyway. ARC will be better than that though, of course.


It's almost certainly not your problem. DKIM is a cryptographic signature of various parts of the email, which is very commonly broken in all sorts of legitimate ways by mailing lists. This has been a known failing of DKIM & DMARC for quite some time.

However, the issue is fixed by the new ARC protocol, which is supported by most major email providers & in most mailing list software as of like this year. Theoretically, just a matter of time until they update their software & the issue is resolved.
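Added example, not part of any comment in this thread: the DKIM body-hash check (the `bh=` tag, RFC 6376) that a list footer breaks, next to a whitespace-only change that "relaxed" canonicalization tolerates. The message bodies and the footer are constructed samples, and the function names are this example's own.

```python
import base64
import hashlib
import re

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":       # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization (section 3.4.3)."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def body_hash(body: bytes, canon=canon_relaxed) -> str:
    """Value the signer places in bh= (rsa-sha256 / ed25519-sha256)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def bh_matches(signed_bh: str, received: bytes, canon=canon_relaxed) -> bool:
    """Verifier-side body check; the header signature (b=) is a separate step."""
    return body_hash(received, canon) == signed_bh

# Constructed sample bodies (not taken from any real message).
ORIGINAL = b"Package: foo\r\nVersion: 1.0\r\n\r\nIt crashes on start.\r\n"
# Same text after a relay changed only whitespace and added trailing blank lines.
REFLOWED = b"Package:  foo \r\nVersion: 1.0\r\n\r\nIt crashes on start.\r\n\r\n\r\n"
# Same text after list software appended a footer (constructed footer).
WITH_FOOTER = ORIGINAL + b"-- \r\nTo unsubscribe, mail list-request@example.com\r\n"

def report() -> dict:
    """Check each received variant against the bh= the sender signed."""
    relaxed = body_hash(ORIGINAL, canon_relaxed)
    simple = body_hash(ORIGINAL, canon_simple)
    return {
        "relaxed / whitespace changed": bh_matches(relaxed, REFLOWED),
        "simple / whitespace changed": bh_matches(simple, REFLOWED, canon_simple),
        "relaxed / footer appended": bh_matches(relaxed, WITH_FOOTER),
        "simple / footer appended": bh_matches(simple, WITH_FOOTER, canon_simple),
    }

if __name__ == "__main__":
    for case, ok in report().items():
        print(f"{case}: bh {'matches' if ok else 'MISMATCH'}")
```

Only the first case matches. A Subject prefix added by the list fails the header signature in the same way when Subject is among the signed headers.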



Yes.


Take a look at http://arc-spec.org/, which fixes this.


How do you send emails?


Via Exim. I think the problem is not in my setup, as I only receive the notifications after I send mail to the BTS or to a mailing list, but since I have p=none in my DMARC record I haven't put much effort into figuring out exactly where the problem is.


In Gmail, open an email you have received. At the upper right side there is a button. From there click "show source". The headers will have:

SPF: passed or failed

DKIM: passed or failed

DMARC: passed or failed


I don't use Gmail. Regardless, the notifications aren't emails. I have configured my DMARC record to request that policy violations are reported to Postmark and every few weeks I get an email from them summarizing the reports they have received.

There are basically 0 violations, until I mail the Debian BTS or a mailing list, whereupon there are dozens. So it could be a problem at my end, Debian's end, or maybe downstream of Debian (e.g., if mail for foo@debian.org is forwarded on to someone else who has a misconfigured email setup...)

Regardless, my DMARC record has p=none so these reports are informational only. On the other hand, it's basically the reason I've never gotten around to changing it to p=reject...


If you have your DMARC set up right, anyone else who tries to send email using your domain as the "from" address will trigger a DMARC violation. It may be that having your address on a public mailing list triggers spammers to try using your domain.


Much mailing list software returns header information (including, most importantly, the From header) while making some modifications to the message (e.g., adding a footer or prepending some text to the Subject header).

A lot of owners reconfigured said software to rewrite the From header since Yahoo changed their DMARC policy to a hard fail and broke quite a lot of mailing lists in doing so, as the resulting backscatter caused the software to unsubscribe people from the mailing list when delivery failed if someone sent a message from their Yahoo account.



