Quoting Alessandro Vesely via Gnupg-users <gnupg-users@gnupg.org> (from Mon, 12 Jun 2023 10:57:32 +0200):

Hi,

would someone please explain DKIM settings of lists.gnupg.org?

I'm not involved in gnupg.org administration, but it looks like there are none.

Looking at recent posts, I counted 44 with a failed signature by d=gnupg.org, 22 with no DKIM signature at all and none with a good signature.

Can it be that those 44 are from real people who have a from-address @gnupg.org?

I'm asking because there was a proposal to eliminate SPF from DMARC authentication methods[*]. Opponents of such a move note that in a number of cases SPF succeeds where DKIM fails. The discussion concluded that it must be because of misconfiguration, since most in-transit alterations were eliminated. As people on this list are certainly knowledgeable, I thought I'd dare asking where such misconfiguration stems from.

Your mail to the list had a DKIM signature from tana.it (your DKIM signature). It specifies that in the header the date, to, from and subject lines are subject to validation. The From was re-written by the list and as such the header check fails. The body check fails as the list adds the following:

---snip---
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
---snip---

What the list-software would need to do is to strip the original DKIM signature (and maybe sign itself, but there are drawbacks), or to not modify the message (at least not the designated header lines, and the body). More info here:
    https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

For mailman there is some info here on what could/should be done:
    https://wiki.list.org/DEV/DKIM
    https://wiki.list.org/DEV/DMARC

For listserv there is some info here on what could/should be done:
    https://www.lsoft.com/manuals/17.0/advancedtopics/Section12UsingDomainKeysIdentifi.html
    https://www.lsoft.com/manuals/17.0/advancedtopics/Section13DMARCandLISTSERV.html

There is also ARC (which you should see in the headers of my mail):
    https://en.wikipedia.org/wiki/Authenticated_Received_Chain

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
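
The two failures described in the reply above (a rewritten From among the signed headers, and a footer appended to the body) can be reproduced offline. This is an added example, not code from the post or from Mailman; the sender address and subject are placeholders, the header comparison is a simplified whitespace normalisation, and no signature cryptography is performed.

```python
import base64
import hashlib
import re

# Footer the list appends, as quoted in the message above.
LIST_FOOTER = (b"_______________________________________________\r\n"
               b"Gnupg-users mailing list\r\n"
               b"Gnupg-users@gnupg.org\r\n"
               b"https://lists.gnupg.org/mailman/listinfo/gnupg-users\r\n")

def canon_body(body: bytes, relaxed: bool = True) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if relaxed:  # collapse runs of SP/TAB, drop whitespace at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if relaxed else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, relaxed: bool = True) -> str:
    """Value a signer puts in bh= (SHA-256, base64) and a verifier recomputes."""
    return base64.b64encode(hashlib.sha256(canon_body(body, relaxed)).digest()).decode()

def changed_signed_headers(h_tag: str, sent: dict, delivered: dict) -> list:
    """Names listed in h= whose value differs after whitespace normalisation."""
    norm = lambda v: re.sub(r"\s+", " ", v).strip()
    names = [n.strip().lower() for n in h_tag.split(":")]
    return [n for n in names if norm(sent.get(n, "")) != norm(delivered.get(n, ""))]

def diagnose(h_tag, sent_hdrs, sent_body, recv_hdrs, recv_body):
    """Report which of the two DKIM checks a list modification breaks."""
    return {"headers_changed": changed_signed_headers(h_tag, sent_hdrs, recv_hdrs),
            "body_hash_ok": body_hash(sent_body) == body_hash(recv_body)}

# Constructed sample: the sender address and subject are placeholders.
SENT_HDRS = {"date": "Mon, 12 Jun 2023 10:57:32 +0200", "to": "gnupg-users@gnupg.org",
             "from": "Alessandro Vesely <sender@example.org>", "subject": "DKIM on the list"}
RECV_HDRS = dict(SENT_HDRS, **{"from": "Alessandro Vesely via Gnupg-users <gnupg-users@gnupg.org>"})
SENT_BODY = b"Hi,\r\n\r\nwould someone please explain DKIM settings?\r\n"
RECV_BODY = SENT_BODY + LIST_FOOTER

if __name__ == "__main__":
    print(diagnose("date:to:from:subject", SENT_HDRS, SENT_BODY, RECV_HDRS, RECV_BODY))
```

Relaxed canonicalization tolerates trailing blank lines and whitespace changes, but not an appended footer, so the recomputed body hash no longer matches the signer's `bh=` value.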
