On 4/19/19 10:04 PM, Peter wrote:
> On 19/04/19 11:16 PM, Nick wrote:
>> You might want to consider reducing the list of headers in your DKIM
>> signatures.  E.g. your signed-headers list includes 'sender' but the
>> mailing list adds its own 'sender', which is enough to invalidate your
>> signature.
>
> This is going to be an ongoing problem because RFC6376 actually
> recommends including the Sender header:
>
> From 5.4 INFORMATIVE OPERATIONS NOTE:
>
> "For this reason, signing fields present in the message such as Date,
> Subject, Reply-To, *Sender*, and all MIME header fields are highly
> advised." (emphasis mine)
>
If you look at the background behind DKIM, one of the major impetuses
was protecting transactional emails, and protection from attacks like
phishing. For these sorts of emails, that stricter protection makes
sense. These sorts of emails also aren't sent through mailing lists.

Effectively, if you decide to use DKIM to protect your domain's outgoing
email, then you really need to tell your users about the issue with
mailing lists, as the choice to use DKIM basically says that most
mailing lists should be off limits to your users, as it is very common
for mailing lists to break the DKIM signature, so it really is YOUR
problem to adjust your DKIM settings and Authorized Usage Policy to make
your system work for your users. I have to regularly tell users of a
mailing list that I run that the reason the list removes their email
address from the From: field is that they are using a broken email
system that isn't compatible with the use of mailing lists.

Note also, these RFCs are just Standards Track, which says that they are
not yet 'full standards' but still evolving, and I believe that one of
the issues that needs to be worked out is to figure out how to improve
their interoperability for general emails with traditional mailing lists.

-- 
Richard Damon
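As an added illustration of the point raised in this thread (not code from the thread or any of its participants): the Python sketch below applies RFC 6376 relaxed header canonicalization and the h= header-selection rule to a constructed message before and after a list adds its own Sender field. It leaves out key signing and the body hash and only compares the header-hash input, which is enough to show why listing 'sender' in h= makes a list-added Sender invalidate the signature; the header values and h= lists are constructed for the example.

```python
import hashlib
import re


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2 relaxed canonicalization of one header field:
    lowercase the name, unfold, collapse WSP runs to one SP, trim."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_list):
    """RFC 6376 5.4.2: for each name in h=, take the last instance not yet
    used (bottom-up). A name with no instance left adds nothing, so the
    absence of that field is effectively part of what gets signed."""
    remaining = list(headers)
    chosen = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen


def header_hash(headers, h_list) -> str:
    """Hex SHA-256 over the canonicalized h= selection (the part of the
    DKIM hash input that a list-added header can change)."""
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_list))
    return hashlib.sha256(data.encode()).hexdigest()


def signature_survives(original, modified, h_list) -> bool:
    """True if the h= selection hashes identically before and after transit."""
    return header_hash(original, h_list) == header_hash(modified, h_list)


# Constructed message as sent, and the same message after a list adds Sender.
ORIGINAL = [("From", "alice@example.org"), ("To", "list@example.net"),
            ("Subject", "DKIM and lists"), ("Date", "Fri, 19 Apr 2019 23:16:00 +1200")]
VIA_LIST = [("Sender", "list-bounces@example.net")] + ORIGINAL

H_WITH_SENDER = ["from", "to", "subject", "date", "sender"]
H_WITHOUT_SENDER = ["from", "to", "subject", "date"]

if __name__ == "__main__":
    print("h= includes sender:", signature_survives(ORIGINAL, VIA_LIST, H_WITH_SENDER))
    print("h= omits sender:  ", signature_survives(ORIGINAL, VIA_LIST, H_WITHOUT_SENDER))
```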
