On 6/30/21 4:37 PM, Thomas Gramstad wrote:
I understand that he can't do anything about the DKIM setup at gmail.

Nor should he, or anyone else, need to.

Can I as list admin do something in the list setup (Mailman 2.29)?

As others have said, remove incoming DKIM headers from incoming messages, and add your own DKIM headers (signature) to outgoing messages.

This is particularly important if you make /any/ changes to the message as it passes through the mailing list.

Also, how many subscribers are likely affected by his (or any gmail user's) DKIM setup?

It depends on how the sender's domain has configured things; SPF, DKIM, DMARC. Chances are quite good that any sender from a domain using contemporary stringent settings will have problems with any recipient who has a mail server that honors what the sending domain publishes. You have zero control over what the sender's domain does. You have zero control over what the recipient's mail server does. You only have control of what you do with the mailing list.

That is, are most list subscribers receiving his messages anyway, or is this problem preventing e-mail from him going to most list subscribers?

I'd say the best that you can hope for is for messages from the mailing list to be filed as spam. The worst, which may be more likely, is that the mailing list server develops a bad reputation and ends up blocked by one or more recipient domains.

More sending domains are adopting stringent settings. More receiving servers are honoring stringent settings. It's a multiplicative effect as time goes on. You can either push back or you can update your config. With the multiplicative effect, you will probably need to push back more often.

Stop and think for a moment what's actually happening:

1) The sender's mail server is specifying which server(s) are allowed to send email as them and / or apply a cryptographic signature to (part of) the message. They also publish this information so that receiving systems can easily consume it.
2) Receiving systems are using the information that senders publish to be able to tell if messages are legitimate based on the source and / or cryptographic signature.

So, when you (re)send messages from the mailing list as the sending domain (in the SMTP envelope) you are likely running afoul of SPF. When you modify any (signed) part of the message, you are breaking signatures. Thus, recipients see that messages aren't coming from where the sender says they should be and that the cryptographic signature is broken. Hence the receiving server is naturally treating the message from the mailing list as highly suspicious.

To avoid this suspicion:
1)  Send with your own SMTP envelope address (VERP).
2)  Use full personalization.
3)  Remove incoming DKIM signatures.
4)  Add your own outgoing DKIM signature.

I'd suggest updating your config sooner than later.



--
Grant. . . .
unix || die


------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
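
Added example, not part of the original message and not Mailman's own code: a Python sketch of why a list that appends a footer breaks the sender's DKIM signature, and of step 3 above (removing the inbound signature). It checks only the `bh=` body hash under relaxed body canonicalization (RFC 6376 section 3.4.4), not the RSA signature; the message, domain, selector and footer are constructed.

```python
import base64
import hashlib
import re
from email import message_from_string

def relaxed_body_hash(body: str) -> str:
    """bh= value for relaxed body canonicalization with SHA-256."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse whitespace runs to one space, drop whitespace at line ends.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":        # ignore trailing empty lines
        lines.pop()
    canon = "".join(ln + "\r\n" for ln in lines).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")

def signed_bh(msg):
    """bh= tag of the first DKIM-Signature header, or None if unsigned."""
    sig = msg.get("DKIM-Signature")
    m = re.search(r"\bbh=([^;]+)", sig) if sig else None
    return re.sub(r"\s+", "", m.group(1)) if m else None

def body_hash_ok(msg) -> bool:
    """True if the body still matches what the sender's domain signed."""
    return signed_bh(msg) == relaxed_body_hash(msg.get_payload())

# Constructed sample: the sender's signature (b= is a placeholder) and a footer.
BODY = "Hello list,\n\nDoes anyone see this?  \n"
RAW = (
    "From: sender@example.com\n"
    "Subject: test\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    " s=sel; h=from:subject; bh=" + relaxed_body_hash(BODY) + "; b=PLACEHOLDER\n"
    "\n" + BODY
)
FOOTER = "_______________________________________________\nExample list footer\n"

def demo():
    msg = message_from_string(RAW)
    before = body_hash_ok(msg)                  # as received by the list
    msg.set_payload(msg.get_payload() + FOOTER) # the list modifies the body
    after_footer = body_hash_ok(msg)            # sender's bh= no longer matches
    del msg["DKIM-Signature"]                   # step 3: drop every inbound signature
    stripped = msg["DKIM-Signature"] is None    # ready for the list's own signature
    return before, after_footer, stripped

if __name__ == "__main__":
    print(demo())
```

A subject prefix has the same effect on the header hash when `subject` is listed in `h=`, which is why the list's own signature has to be applied after all modifications.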
