DKIM signatures from google groups

On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:

I attach (only to you) the last email I got from that google group.

There is a single DKIM-Signature from the mailing list (googlegroups.com),
none from the email author (the one in the From).

  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
          d=googlegroups.com;
          h=list-unsubscribe:list-archive:list-help:list-post:list-id
            :mailing-list:precedence:reply-to:x-original-authentication-results
            :x-original-sender:message-id:mime-version:to:from:importance
            :subject:date:savedfromemail:sender:from:to:cc:subject:date
            :message-id:reply-to;

The "Return-Path" header is set to googlegroups.com so SPF also passes.

This could be another approach. Leaving the From untouched would
allow the GPG signatures to be properly handled by MUA and stripping
the original author's DKIM signature would prevent finding it broken.

Adding a new DKIM signature could make MTAs happier about accepting
the mail for delivery.

I've to say I find it hard to make use of these signatures from a procmail
as following all the indirections is pretty complex.

--strk;

Sandro Santilli <strk@kbt.io> writes:

On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:

I attach (only to you) the last email I got from that google group.

There is a single DKIM-Signature from the mailing list (googlegroups.com),
none from the email author (the one in the From).

  DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
          d=googlegroups.com;
          h=list-unsubscribe:list-archive:list-help:list-post:list-id
            :mailing-list:precedence:reply-to:x-original-authentication-results
            :x-original-sender:message-id:mime-version:to:from:importance
            :subject:date:savedfromemail:sender:from:to:cc:subject:date
            :message-id:reply-to;

The "Return-Path" header is set to googlegroups.com so SPF also passes.

I am not following. Are you saying that the author's MTA created a DKIM
signature, and that that googlegroups *removed* it? If so, that's
broken, but I have not had the impression they do this.

This could be another approach. Leaving the From untouched would
allow the GPG signatures to be properly handled by MUA and stripping
the original author's DKIM signature would prevent finding it broken.

It is not ok to drop DKIM signatures. Today all domains should be:

  generate DKIM signatures (that certainly cover From:)
  publish SPF

and we are heading for

  publish a DMARC policy

Dropping an author's DKIM signature will mean that DMARC fails. Plus I
think the DKIM RFCs do frown on that, or would if they had contemplated
it.

Adding a new DKIM signature could make MTAs happier about accepting
the mail for delivery.

It seems normal for a mailinglist processor to add a DKIM signature
which basically authenticates the message as having been emitted from
the list.

I've to say I find it hard to make use of these signatures from a procmail
as following all the indirections is pretty complex.

True, but trying to use procmail seems strange to me. There are
milters for checking, and e.g. spamassassin has rules that assign points
for failing standards.

I don't understand where this is coming from. What is the problem on
the table, given a base assumption of

  mail originated from osgeo.org is DKIM signed

  osgeo mailing lists do not (will not once fixed) modify From, Subject,
  or body

?

On Fri, Feb 02, 2024 at 10:23:34AM -0500, Greg Troxel wrote:

Sandro Santilli <strk@kbt.io> writes:

> On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:
>
>> I attach (only to you) the last email I got from that google group.
>
> There is a single DKIM-Signature from the mailing list (googlegroups.com),
> none from the email author (the one in the From).
>
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> d=googlegroups.com;
> h=list-unsubscribe:list-archive:list-help:list-post:list-id
> :mailing-list:precedence:reply-to:x-original-authentication-results
> :x-original-sender:message-id:mime-version:to:from:importance
> :subject:date:savedfromemail:sender:from:to:cc:subject:date
> :message-id:reply-to;
>
> The "Return-Path" header is set to googlegroups.com so SPF also passes.

I am not following. Are you saying that the author's MTA created a DKIM
signature, and that that googlegroups *removed* it? If so, that's
broken, but I have not had the impression they do this.

I didn't get access to the original author's email so don't really
know if the signature was removed or not. All I know is that the
mail I received had a single DKIM-Signature by googlegroups.com.

I don't understand where this is coming from. What is the problem on
the table, given a base assumption of

This is coming from my unanticipated (almost, see [1]) change in mailman
configuration for the osgeo-discuss mailing list having triggered contrary
reactions [2]:

  [1] [OSGeo-Discuss] Mailing list configuration change proposal
  [2] Change in mailing list configuration

And from my observation that changing From also makes it harder for MUAs
to verify GPG signatures:

  [3] [OSGeo-Discuss] Broken GPG signatures (was: Change in mailing list configuration)

Javier observed that google groups do not have broken DKIM signatures
and sent me full header of one mail, which I tried to interpret turning
the mail into a SAC thread to see if anyone would want to change
recommended setup [4] based on the reactions and new findings.

  [4] #3011 (Write recommendation for mailing list configuration regarding DKIM/DMARC/SPF) – OSGeo

--strk;

  Libre GIS consultant/developer
  strk's services

Hi

Javier here

Sandro explained the origin of this email.
After the complains by many people about changing the title, I realized
that the the google group I am member of does change the title of the
emails, adding [prefix], and still has a valid DKIM signature.

I send Sandro one example (as .eml file) so he can understand the headers
used there.

If anybody wants, I can send them personally that email. Or even create a
google group just to analyse it.
Maybe they use a configuration that makes sense.

Recently most of the email I get from osgeo mailing list are displayed as
unsecure, or are directly in the spam folder.

Cheers

On Fri, 2 Feb 2024 at 16:40, Sandro Santilli <strk@kbt.io> wrote:

On Fri, Feb 02, 2024 at 10:23:34AM -0500, Greg Troxel wrote:
> Sandro Santilli <strk@kbt.io> writes:
>
> > On Thu, Feb 01, 2024 at 09:10:55PM +0100, Javier Jimenez Shaw wrote:
> >
> >> I attach (only to you) the last email I got from that google group.
> >
> > There is a single DKIM-Signature from the mailing list (
googlegroups.com),
> > none from the email author (the one in the From).
> >
> > DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
> > d=googlegroups.com;
> >
h=list-unsubscribe:list-archive:list-help:list-post:list-id
> >
:mailing-list:precedence:reply-to:x-original-authentication-results
> >
:x-original-sender:message-id:mime-version:to:from:importance
> >
:subject:date:savedfromemail:sender:from:to:cc:subject:date
> > :message-id:reply-to;
> >
> > The "Return-Path" header is set to googlegroups.com so SPF also
passes.
>
> I am not following. Are you saying that the author's MTA created a DKIM
> signature, and that that googlegroups *removed* it? If so, that's
> broken, but I have not had the impression they do this.

I didn't get access to the original author's email so don't really
know if the signature was removed or not. All I know is that the
mail I received had a single DKIM-Signature by googlegroups.com.

> I don't understand where this is coming from. What is the problem on
> the table, given a base assumption of

This is coming from my unanticipated (almost, see [1]) change in mailman
configuration for the osgeo-discuss mailing list having triggered contrary
reactions [2]:

  [1] [OSGeo-Discuss] Mailing list configuration change proposal
  [2] Change in mailing list configuration

And from my observation that changing From also makes it harder for MUAs
to verify GPG signatures:

  [3] [OSGeo-Discuss] Broken GPG signatures (was: Change in mailing list configuration)

Javier observed that google groups do not have broken DKIM signatures
and sent me full header of one mail, which I tried to interpret turning
the mail into a SAC thread to see if anyone would want to change
recommended setup [4] based on the reactions and new findings.

  [4] #3011 (Write recommendation for mailing list configuration regarding DKIM/DMARC/SPF) – OSGeo

--strk;

  Libre GIS consultant/developer
  strk's services

Sandro Santilli <strk@kbt.io> writes:

This is coming from my unanticipated (almost, see [1]) change in mailman
configuration for the osgeo-discuss mailing list having triggered contrary
reactions [2]:

  [1] [OSGeo-Discuss] Mailing list configuration change proposal
  [2] Change in mailing list configuration

Looking at reactions, it seems like complaints are

  my spam filtering is putting @kbt.io into spam (with *pure
  speculation* that it is about spf/dkim) [and, if someone's spam
  filtering does this, and a human looking at the mail can't say that it
  is spam or spammy, then the filtering is wrong and should be fixed]

  people don't want to make the effort to filter on List-Id instead of
  subject prefixes

  a rant that fixing the list to behave properly (my view) is bad
  because the real issue is $BIGCOMPANY being heavyhanded about email --
  which I find bizarre but perhaps is a reaction to "the old way is
  broken relative to established standards including DKIM/SPF".
  Especially since the real issue seems to be bad imlementations of MUAs
  that don't handle List-Id filtering and display help for users,
  leading to wanting subjects broken for all!

  Remarkably large number of "I'm taking my toys and going home",
  presumably about subject munging, as if not doing subject munging is
  somehow the most important thing.

  reply MUA does not go to the list [but they are wrong to complain;
  with the fixed config it is behaving as the standards document it to
  be, and it was wrong before]

and the big point

  nobody complaining seems to have any understanding of the DKIM
  problem, and nobody seems to care about anything other than "I want a
  subject tag". There's no evidence of balancing of concerns.

It's just not possible to have all of

  valid From: fields
  mail delivery (from users with DMARC policies, or to aggressive receivers)
  modified subject

at the same time. I don't think the people complaining understand that.
It may be that they do and they only care about their filtering, and
don't care about others getting fake From: and others suffering from
"reply" doing the wrong thing. I personally see fake From: and
reply-goes-to-list as very serious.

And from my observation that changing From also makes it harder for MUAs
to verify GPG signatures:

  [3] [OSGeo-Discuss] Broken GPG signatures (was: Change in mailing list configuration)

Indeed. It's just part of "modifying email is bad".

Javier observed that google groups do not have broken DKIM signatures
and sent me full header of one mail, which I tried to interpret turning
the mail into a SAC thread to see if anyone would want to change
recommended setup [4] based on the reactions and new findings.

  [4] #3011 (Write recommendation for mailing list configuration regarding DKIM/DMARC/SPF) – OSGeo

I think that's quite a different situation and shouldn't be conflated.

The primary use of DKIM is for a domain that originates mail, so that
those receiving mail with a From: can look up to see if it was sent, and
treat it at least suspiciously if the signature check fails, and to
outright reject if there is a DMARC policy.

A secondary use of DKIM is for a domain that does mailinglists to sign
mail that was emitted by the list, so that receivers can say "if
googlegroups sent it to me, don't filter to spam", sort of delegating
some spam checking. When a domain does this, and that domain also
modifies headers or body (which they shouldn't), then it can modify
first and then sign. So "google groups have signatures that are not
broken" is simply "they compute their signature after they break their
message".

There is an important point not mentioned. If the osgeo lists are going
to compute/insert a DKIM header saying it was handled by the list, that
really needs to be from a different domain than osgeo.org. It is
reasonable for someone to do

  welcomelist_from_dkim *@osgeo.org

on the theory that any spam emanating from osgeo.org is due to a
compromised account which should be rare and if so addressed
immediately. But that should be separable from the list mail. So if
you do add DKIM from the list, then it would be signed for e.g. the
lists.osgeo.org domain.

Also, in fact there is a standard for handling this sort of thing: ARC

  RFC 8617 - The Authenticated Received Chain (ARC) Protocol

which I don't fully grasp, but it is about a forwarding entity not only
putting on a signature but attesting that they checked in the incoming
signature. I see this happening in the outlook.com world.

So a candidate addition is:

  osgeo mailing lists should be configured, in addition to the above to
  compute and insert a DKIM header for the domain lists.osgeo.org. NB:
  It is critical from a security viewpoint that DKIM signatures added to
  the list not use the osgeo.org domain, as list content is not
  necessarily originated by a person with an osgeo.org email addres.

but I see it as a very minor point.

Javier Jimenez Shaw <j1@jimenezshaw.com> writes:

Recently most of the email I get from osgeo mailing list are displayed as
unsecure, or are directly in the spam folder.

"unsecure" is an unusual word for incoming email.

Some entity is doing filtering. We should look at such messages and
their scoring to see if there is anything actually wrong with the osgeo
handling. It may be that without From: munging that messsages are
arriving from lots of senders, and they didn't use to be, and that
filtering would always have been suspicious of them. But we should look
at the diagnostic output rather than guessing.

I have spamassassin configured to be very aggressive. I have not
noticed postgis list content ending in spam. Just a data point for what
it's worth.

On Fri, Feb 2, 2024 at 6:29 PM Greg Troxel <gdt@lexort.com> wrote:

Javier Jimenez Shaw <j1@jimenezshaw.com> writes:

> Recently most of the email I get from osgeo mailing list are displayed as
> unsecure, or are directly in the spam folder.

"unsecure" is an unusual word for incoming email.

FWIW, I get lots of OSGeo list emails and none go into spam.

On Sat, Feb 3, 2024 at 12:19 AM Markus Neteler <neteler@osgeo.org> wrote:

On Fri, Feb 2, 2024 at 6:29 PM Greg Troxel <gdt@lexort.com> wrote:
> Javier Jimenez Shaw <j1@jimenezshaw.com> writes:
>
> > Recently most of the email I get from osgeo mailing list are displayed as
> > unsecure, or are directly in the spam folder.
>
> "unsecure" is an unusual word for incoming email.

FWIW, I get lots of OSGeo list emails and none go into spam.

I forgot to mention that neteler@osgeo.org is an alias to my Gmail account.

Markus

On Sat, 3 Feb 2024 at 00:19, Markus Neteler <neteler@osgeo.org> wrote:

On Fri, Feb 2, 2024 at 6:29 PM Greg Troxel <gdt@lexort.com> wrote:
> Javier Jimenez Shaw <j1@jimenezshaw.com> writes:
>
> > Recently most of the email I get from osgeo mailing list are displayed
as
> > unsecure, or are directly in the spam folder.
>
> "unsecure" is an unusual word for incoming email.

FWIW, I get lots of OSGeo list emails and none go into spam.

Lucky you. the last week most of the emails had a banner saying that it
couldn't certify the author, with two buttons "resport spam" , "looks
safe". (sorry, I exchanged in my mind safe and secure).
In addition, some of them where directly in the spam folder, like the first
from Greg from this thread. Also one from Even Rouault was in the spam
folder.
(My email goes also to Gmail, as you could imagine)

Talking with my domain hoster, they showed me this link. It can be useful:

(See that by default is telling about "osgeo.org", regardless the url. You
have to "click here")
These results are for *osgeo.org <http://osgeo.org>*. Did you really mean
to run *lists.osgeo.org <http://lists.osgeo.org>*? Click Here
<Error - MxToolBox;

It finds 2 errors (in "dns" and "spf"), and 3 warnings (in "dmarc", "mx",
"smtp")

On Sun, 4 Feb 2024 at 09:22, Javier Jimenez Shaw <j1@jimenezshaw.com> wrote:

On Sat, 3 Feb 2024 at 00:19, Markus Neteler <neteler@osgeo.org> wrote:

On Fri, Feb 2, 2024 at 6:29 PM Greg Troxel <gdt@lexort.com> wrote:
> Javier Jimenez Shaw <j1@jimenezshaw.com> writes:
>
> > Recently most of the email I get from osgeo mailing list are
displayed as
> > unsecure, or are directly in the spam folder.
>
> "unsecure" is an unusual word for incoming email.

FWIW, I get lots of OSGeo list emails and none go into spam.

Lucky you. the last week most of the emails had a banner saying that it
couldn't certify the author, with two buttons "resport spam" , "looks
safe". (sorry, I exchanged in my mind safe and secure).
In addition, some of them where directly in the spam folder, like the
first from Greg from this thread. Also one from Even Rouault was in the
spam folder.
(My email goes also to Gmail, as you could imagine)