Hi Taavi,

It really depends on what you are trying to achieve.

Depending on canonicalisation and what headers are being signed, there is no 
guarantee that a sender's DKIM won't be broken by the MLM. SPF alignment is 
already going to be broken. Also, not every DMARC user, for their own 
convoluted reasons, DKIM signs their messages. So, there is no guarantee that 
DMARC (with an enforcing policy) will survive an MLM. Rewriting the 5322.From 
is the safest option.

By always double signing, the MLM builds its own sending reputation. Many 
message filters already can distinguish mailing list traffic, signing with the 
list's keypair helps that. A list needs to have its own sending reputation. 
Depending on the message volume of the list, this may even allow a member with 
poor sending reputation to have their list posts reach the inbox.

Most MLM operators want to give the messages the best possible chance of being 
delivered to inboxes. Double DKIM signing and rewriting the 5322.From of DMARC 
enforced messages achieve this goal.

The other option is to rewrite every 5322.From address, optionally strip the 
sender's DKIM, and sign with a MLM keypair. I don't advocate this approach, but 
it achieves similar at a UX cost for some/many list users.

Assuming that senders with DMARC enforcing policies know what they are doing, 
or even have control over their domain/MTA etc., is a high risk and high 
maintenance gamble for MLM operators.

Unless you are a large mailbox provider, or have an academic interest in it, I 
wouldn't recommend low-volume senders spend time with ARC until it's fully 
baked.

Ken.
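An added example, not code from this thread or from any MLM: the decision rule above (rewrite 5322.From only when the author domain publishes p=quarantine or p=reject) written out in Python, alongside the DKIM body canonicalisations from RFC 6376, to show which list-side changes a sender's bh= tolerates. The DMARC records are constructed and stand in for DNS lookups of _dmarc.<domain>; organizational-domain fallback, sp=, and the list's own DKIM signing step are assumed away. Placing the original author in Reply-To is an assumed convention, not something the thread prescribes.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed DMARC records standing in for DNS TXT lookups of _dmarc.<domain>.
# A real MLM would query DNS (and fall back to the organizational domain);
# that lookup is assumed away here.
DMARC_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "lenient.example": "v=DMARC1; p=none",
}


def parse_dmarc_policy(record):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def is_enforcing(policy):
    """Only quarantine/reject make a failed DMARC check costly for list traffic."""
    return policy in ("quarantine", "reject")


def make_message(from_header, body):
    """Constructed sample message; headers are ASCII so the default policy suffices."""
    return message_from_string(
        f"From: {from_header}\r\nTo: list@lists.example\r\nSubject: test\r\n\r\n{body}"
    )


def rewrite_from_if_needed(msg, list_domain):
    """Rewrite 5322.From to the list's domain when the author domain enforces DMARC.

    Returns True when the header was rewritten. The original author address is
    kept reachable via Reply-To (assumed convention, not from the thread).
    """
    name, addr = parseaddr(msg["From"])
    author_domain = addr.rsplit("@", 1)[-1].lower()
    policy = parse_dmarc_policy(DMARC_RECORDS.get(author_domain))
    if not is_enforcing(policy):
        return False
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via list", f"list@{list_domain}"))
    return True


def _crlf(body):
    return body.replace("\r\n", "\n").replace("\n", "\r\n")


def simple_body_canon(body):
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    return _crlf(body).rstrip("\r\n") + "\r\n"


def relaxed_body_canon(body):
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in _crlf(body).split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n") if lines else ""


def body_hash(body, canon="relaxed"):
    """The bh= value (SHA-256, base64) a verifier computes for that canonicalisation."""
    data = relaxed_body_canon(body) if canon == "relaxed" else simple_body_canon(body)
    return base64.b64encode(hashlib.sha256(data.encode("utf-8")).digest()).decode("ascii")


def survives(body, modified, canon):
    """True if the sender's bh= still verifies after the MLM's modification."""
    return body_hash(body, canon) == body_hash(modified, canon)


def run_example():
    body = "Hello  world \r\n"                       # constructed message body
    footer = "-- \r\nmailop mailing list\r\n"        # constructed list footer
    msg = make_message("Alice <alice@strict.example>", body)
    return {
        "rewritten": rewrite_from_if_needed(msg, "lists.example"),
        "from": msg["From"],
        "reply_to": msg["Reply-To"],
        # trailing whitespace / blank lines: only relaxed canonicalisation absorbs them
        "whitespace_simple": survives(body, body + "   \r\n\r\n", "simple"),
        "whitespace_relaxed": survives(body, body + "   \r\n\r\n", "relaxed"),
        # an appended footer changes bh= under both, so the sender's DKIM fails
        "footer_simple": survives(body, body + footer, "simple"),
        "footer_relaxed": survives(body, body + footer, "relaxed"),
    }


if __name__ == "__main__":
    print(run_example())
```

The body-hash part is the concrete reason behind "don't modify the message body": a relaxed-canonicalised signature survives whitespace noise, but no canonicalisation survives an appended footer, and a signer using c=simple loses even to trailing blank lines.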

> -----Original Message-----
> From: mailop <mailop-boun...@mailop.org> On Behalf Of Taavi Eomäe via
> mailop
> Sent: Wednesday 15 June 2022 10:04
> To: mailop@mailop.org
> Subject: Re: [mailop] Best practice for mailing list servers
> 
> Hi,
> 
> just wondering, wouldn't it be significantly better to only modify
> headers and double-sign when the original message's DKIM signature
> doesn't pass? Absolutely correct me if I'm mistaken, but this would keep
> DMARC (if it also exists) valid and detach the mailing lists' reputation
> from the message, probably making deliverability better. If the senders
> have a proper setup.
> 
> ARC on top of that would be a nice clear indication that it has been
> forwarded in some way and DKIM would say it's not lying. The rest of the
> letters' senders can be rewritten.
> 
> 
> Or are SPF (hard)fails too strong of a negative signal in most cases
> that these DKIM-signed messages wouldn't be accepted?
> 
> 
> 
> 
> Taavi
> 
> On 14/06/2022 19:51, Ken O'Driscoll via mailop wrote:
> > Hi Axel,
> >
> > I would suggest:
> >
> > * Make sure that the list's 5321.From (return-path/envelope/MAILFROM)
> domain has a valid and restrictive SPF
> > * DKIM sign all list messages with your own key
> > * Use different DKIM keypairs for each list
> > * Don’t modify the original message body (e.g., adding in a list
> footer etc.)
> > * If the sender's domain has DMARC with an enforcing policy
> (p=quarantine/reject) then rewrite the 5322.From to use the list's
> domain
> >
> > Not modifying the body of the message will give any original DKIM
> message signature the best chance of preserving validity.
> >
> > Signing with your own DKIM key will create an additional reputation
> data point for message filters, which will help over time.
> >
> > DMARC won't survive a MLM, so you have to rewrite the From to give the
> message a chance of being received. Your own DKIM signature will still
> be valid.
> >
> > Implementing ARC wouldn't hurt, but don't expect it to magically fix
> anything. Your ARC set still needs to be trusted by message filters
> which implement ARC and there is no centralised mechanism to facilitate
> this yet. Larger providers may use ML to trust particular ARC header
> sets but who knows.
> >
> > I wouldn't suggest that you implement DMARC on your list domain as it
> won't help with deliverability and will just cause more issues. It's not
> really designed for mailing lists.
> >
> > Ken.
> >
> >> -----Original Message-----
> >> From: mailop <mailop-boun...@mailop.org> On Behalf Of Axel Rau via
> >> mailop
> >> Sent: Tuesday 14 June 2022 16:51
> >> To: Paul Vixie via mailop <mailop@mailop.org>
> >> Subject: [mailop] Best practice for mailing list servers
> >>
> >> Hi all,
> >>
> >> I’m running a mailman3 site with several small mailing lists.
> >>
> >> Today Google let all mails without DKIM sig bounce.
> >> Other ESPs refuse my mails because of broken DKIM sig.
> >>
> >> Currently the listserver does not DKIM-sign nor remove DKIM-sigs.
> >>
> >> It seems, that mails with DKIM-sig (from the author domain, but
> broken
> >> by the list server) are accepted by Google.
> >>
> >> Should I adopt ARC?
> >> Along with DMARC?
> >>
> >> What is best practice in 2022?
> >>
> >>
> >> Any help appreciated,
> >> Axel
> >> ---
> >> PGP-Key: CDE74120  ☀  computing @ chaos claudius
> >>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop