On 27 Apr 2019, at 13:02, Grant Taylor via mailop wrote:

On 4/27/19 3:54 AM, Simon Lyall wrote:
The below message was bounced by everyone (I assume) in the list whose address is hosted by gmail.

I would be surprised if it was just Gmail.

Date: Wed, 24 Apr 2019 08:44:58 -0600
From: Brielle Bruns <br...@2mbit.com>
Subject: Re: [mailop] The utility of spam folders

It looks like Brielle's message was DKIM signed, modified in transit (likely by the mailop mailing list),

Yes, because the signature included the Sender and List-* headers, probably non-existent originally, which mailing lists typically (including this one) add to messages they relay.

Signing the non-existence of the Sender and List-* headers on messages sent to mailing lists is a perfect recipe for broken signatures. Whoever made the signing choices for Brielle's mail made wrong choices.

and subsequently rejected (or otherwise penalized) by DKIM enabled recipients.

Rejecting mail simply for a broken DKIM signature when the relevant DMARC record includes p=none is bad practice. It is particularly unwise when, as in this case, the signer has oversigned headers that do not exist in the message at all. It is certainly within anyone's rights to reject mail for any whimsical reason they like, but a mail system that rejects messages for this reason is unfit for general use. It's being used as a toy.

I expect that such penalizations are going to become more prevalent.

I look forward to the resulting world where people have direct experience with the ways mail provider quality varies and create actual competition on more than name recognition and webmail UI cuteness.

Error message similar to this:

     SMTP error from remote mail server after end of data:
     host aspmx.l.google.com [2a00:1450:400c:c00::1b]:
     550-5.7.1 This message does not have authentication information or fails to pass
     550-5.7.1 authentication checks. To best protect our users from spam, the
     550-5.7.1 message has been blocked. Please visit
     550-5.7.1 https://support.google.com/mail/answer/81126#authentication for more
     550 5.7.1 information. i5si14352580wrp.442 - gsmtp

I'm used to such for SPF / DKIM / DMARC failure.

I'm guessing that it was DKIM signature failure because 2mbit's DMARC record has a policy of none, thus shouldn't have applied.

Beyond that, any system that understands DMARC should never use DKIM failure as an absolute rejection criterion if p=none. That's an explicit statement by the domain owner that it is WRONG to treat a bad DKIM signature in their name as basis for rejecting mail. Google is being intentionally user-hostile here, intentionally and knowingly degrading their service for their users. I'd call it "stupid" except that I know they are not this stupid.

The subscriptions of around 160 list-members were suspended. I'll look at unsuspending them.

I'm sort of surprised that it was only Gmail. Maybe others aren't being as restrictive and rejecting messages based on DKIM.

Of course not. DKIM is inherently fragile and is easily misused in ways that make it more fragile. In conjunction with traditional mailing lists, it is positively dysfunctional.

Or perhaps there's more to Gmail's secret sauce that combined a DKIM validation failure with other aspects and decided to reject based on the combined result.

IMHO this does bring up a conversation of if mailing lists that do modify the message should pass pre-existing DKIM signatures through. I personally believe that such previous DKIM-Signatures (et al.) SHOULD be removed OR renamed (prepend something like "X-Old-") to them.

I agree. That's not sufficient but it is often necessary.

There are really 3 actions that mailing lists need to take if there is any possibility of them breaking a signature:

1. From headers with domains with p=reject or p=quarantine DMARC records must be munged by the mailing list, because any signature failure OR ABSENCE will cause rejection of mail.

2. Existing signatures should be removed or relabeled.

3. If the From is munged, the message should be re-signed by the mailing list system with whatever domain is used in the munged header.

Note that there are a lot of non-obvious ways a mailing list can break signatures by doing things that have long been considered acceptable or even best practices for mailing lists. Even actions which are theoretically allowable for mail in general such as header refolding or address format normalization can break signatures.

I know that different mailing lists have taken different stances on DKIM & DMARC signed posts. Some push back and may unsubscribe the secured sender. The other end is to be extremely proactive and remove / rename problematic headers and generate new counterparts as messages leave the mailing list. (I fall into the latter camp.)

But, with DMARC having governmental mandates in multiple countries, I suspect that this is going to become more of a problem. As such, I think it deserves being discussed. Particularly where along the aforementioned line the mailop mailing list wants to be.

It is not accidental that some of the drivers of the development of DKIM and DMARC and "leaders" in aggressive enforcement have been entities which run their own captive discussion list systems which work best for users who also have mailboxes under the same provider's umbrella. A conspiracy theorist might think that Google, Yahoo, and AOL (now one with Yahoo) wanted to kill off traditional provider-independent discussion mailing lists.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
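
The oversigning failure discussed in this message can be checked before mail is sent. The following is an added example, not part of the original thread: it reads the h= tag of a DKIM-Signature and reports names that are signed as absent and that a list will add on relay. The sample message, the domains and the LIST_ADDED set are constructed assumptions.

```python
import email
import re

# Constructed sample: a message as the author's server signed it. The h= tag
# names Sender and List-* headers although none of them exists yet.
SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel;
 h=From:To:Subject:Date:Sender:List-Id:List-Unsubscribe;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Author <author@example.org>
To: list@lists.example.net
Subject: test post
Date: Wed, 24 Apr 2019 08:44:58 -0600

body
"""

# Headers a list typically adds when relaying (assumed set for this example).
LIST_ADDED = {"sender", "list-id", "list-unsubscribe", "list-post",
              "list-help", "list-subscribe", "list-archive"}


def signed_names(sig_value):
    """Return the lower-cased header names from a DKIM-Signature h= tag."""
    m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig_value)
    if not m:
        return []
    return [n.strip().lower() for n in m.group(1).split(":") if n.strip()]


def oversigned(msg):
    """Names listed in h= more often than they occur in the message.

    A verifier hashes an empty value for each such entry, so a header of
    that name added later changes the hash input and the signature fails.
    """
    result = set()
    for sig in msg.get_all("DKIM-Signature", []):
        names = signed_names(sig)
        for name in set(names):
            if names.count(name) > len(msg.get_all(name, [])):
                result.add(name)
    return result


def fragile_on_lists(raw):
    """Oversigned names that a relaying list is expected to add."""
    msg = email.message_from_string(raw)
    return sorted(oversigned(msg) & LIST_ADDED)
```
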

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
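
The three list-side actions enumerated in the message above, as an added sketch that is not part of the original thread and not any list manager's own code. It applies actions 1 and 2 and returns the domain the list's DKIM signer has to use for action 3; the signing itself is left to that signer. The sample post, the list address and the function names are constructed assumptions.

```python
import email
from email.utils import formataddr, parseaddr

LIST_ADDR = "list@lists.example.net"  # hypothetical list posting address

# Constructed sample post carrying the author's signature.
POST = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=From:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Author <author@example.org>
Subject: test post

body
"""


def dmarc_policy(txt_record):
    """Extract the p= tag from a DMARC TXT record; default to 'none'."""
    tags = dict(
        (k.strip().lower(), v.strip().lower())
        for k, _, v in (part.partition("=") for part in txt_record.split(";"))
    )
    return tags.get("p", "none") if tags.get("v") == "dmarc1" else "none"


def prepare_for_relay(raw, author_dmarc_txt, list_addr=LIST_ADDR):
    """Return (message, resign_domain) after applying actions 1 and 2.

    resign_domain is the domain the list's DKIM signer must use for
    action 3, or None when From was left alone.
    """
    msg = email.message_from_string(raw)
    # Action 2: relabel existing signatures so verifiers ignore them.
    for value in msg.get_all("DKIM-Signature", []):
        msg["X-Old-DKIM-Signature"] = value
    del msg["DKIM-Signature"]
    # Action 1: munge From only when the author's domain asks for enforcement.
    if dmarc_policy(author_dmarc_txt) not in ("reject", "quarantine"):
        return msg, None
    name, addr = parseaddr(msg["From"])
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via list", list_addr))
    return msg, list_addr.rpartition("@")[2]
```
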
