DKIM test

This message is sent to sac@lists.osgeo.org to check how Mailman
and OpenDKIM behave, as after a couple of weeks we saw an increase
of bounces from Gmail which may (or may not) be related.

--strk;

On Thu, Jul 10, 2025 at 04:08:22PM -0400, Regina Obe wrote:

Replying without cc'ing you.

Ok it looks like Mailman will ONLY rewrite the From IFF a DMARC
policy is found for the sender domain. Mine has a policy of "reject":

  dig -t TXT _dmarc.kbt.io

Yours doesn't have any:

  dig -t TXT _dmarc.pcorp.us

For this reason Mailman does not strip your From and DKIM signature,
while it does for my messages, which are then signed by OSGeo itself.

In any case the DKIM signature on your mail was valid when it arrived
to me. But on an older message it was not, and I cannot see why:

  Message-ID: <000401dbef45$14943240$3dbc96c0$@pcorp.us>
  Authentication-Results: hst.kbt.io; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=pcorp.us header.i=@pcorp.us header.a=rsa-sha256 header.s=google header.b=pgllgDSW; dkim-atps=neutral

--strk;

  Libre GIS consultant/developer :trumpet:
  strk's services

Could you try replying again but this time w/out adding me in Cc ?

This one I'm sending with the list in Cc instead of in To ?

--strk;

On Thu, Jul 10, 2025 at 03:41:01PM -0400, Regina Obe wrote:
> Got it.
>

Replying without cc'ing you.

Got it.

-----Original Message-----
From: Sandro Santilli via Sac <sac@lists.osgeo.org>
Sent: Thursday, July 10, 2025 3:17 PM
To: sac@lists.osgeo.org
Subject: DKIM test

This message is sent to sac@lists.osgeo.org to check how Mailman and
OpenDKIM behave, as after a couple of weeks we saw an increase of bounces
from Gmail which may (or may not) be related.

--strk;

I don't understand why your message arrived to me (via osgeo)
with the original From header, while mine was munged.
Do you see that ?

Could you try replying again but this time w/out adding me in Cc ?

This one I'm sending with the list in Cc instead of in To ?

--strk;

On Thu, Jul 10, 2025 at 03:41:01PM -0400, Regina Obe wrote:

Got it.

> -----Original Message-----
> From: Sandro Santilli via Sac <sac@lists.osgeo.org>
> Sent: Thursday, July 10, 2025 3:17 PM
> To: sac@lists.osgeo.org
> Subject: DKIM test
>
> This message is sent to sac@lists.osgeo.org to check how Mailman and
> OpenDKIM behave, as after a couple of weeks we saw an increase of bounces
> from Gmail which may (or may not) be related.
>
> --strk;

Sandro Santilli via Sac <sac@lists.osgeo.org> writes:

Ok it looks like Mailman will ONLY rewrite the From IFF a DMARC
policy is found for the sender domain. Mine has a policy of "reject":

  dig -t TXT _dmarc.kbt.io

Yours doesn't have any:

  dig -t TXT _dmarc.pcorp.us

For this reason Mailman does not strip your From and DKIM signature,
while it does for my messages, which are then signed by OSGeo itself.

I say this is a bug in mailman. The proper configuration is not to
munge the subject or the body, and it seems this list is set up that
way. My MTA gave a DKIM pass to Regina's mail as received from the list
(as signed by pcorp.us).

The from munging should only happen when a list is (mis-)configured to
munge bodies. But perhaps it is a separate setting and just needs
adjusting.

In any case the DKIM signature on your mail was valid when it arrived
to me. But on an older message it was not, and I cannot see why:

  Message-ID: <000401dbef45$14943240$3dbc96c0$@pcorp.us>
  Authentication-Results: hst.kbt.io; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=pcorp.us header.i=@pcorp.us header.a=rsa-sha256 header.s=google header.b=pgllgDSW; dkim-atps=neutral

I see semi-random failures for DKIM sigs to validate from time to time.

My own message failed DKIM when it arrived back. Luckily I had the bits
that went out and could diff them. Multiple interesting things:

   - multiline headers (e.g. References) have modified continuation line
     indentation (plus my local X-Draft-From which was likely not sent):

         References: <aHARwLYKZsegk4OA@oli> <000201dbf1d2$91a4bb80$b4ee3280$@pcorp.us>
        - <aHAa5Zkb9iA4Q7Sb@oli> <000601dbf1d6$63b9d4e0$2b2d7ea0$@pcorp.us>
        - <aHAi5-_3NzTD_7Xi@oli>
        -X-Draft-From: ("nnimap+work.lexort.com:lists.osgeo" 1920)
        + <aHAa5Zkb9iA4Q7Sb@oli> <000601dbf1d6$63b9d4e0$2b2d7ea0$@pcorp.us>
        + <aHAi5-_3NzTD_7Xi@oli>

   - extra newline
     The received message had a spurious trailing newline; my message
     had one newline at the end of 'time to time.' The received message
     had two newlines.

   - missing CC: in received copy (and also shows a second continuation
     line indent change)

         From: Greg Troxel <gdt@lexort.com>
         To: Sandro Santilli via Sac <sac@lists.osgeo.org>
        -Cc: Regina Obe <lr@pcorp.us>
         Subject: Re: DKIM test
         In-Reply-To: <aHAi5-_3NzTD_7Xi@oli> (Sandro Santilli via Sac's message of
        - "Thu, 10 Jul 2025 22:30:31 +0200")
        + "Thu, 10 Jul 2025 22:30:31 +0200")

     but note that my DKIM signature includes cc

So DKIM failures could be caused by any of this. Perhaps blank lines
don't count, and whitespace is canonicalized. But it could explain
how using cc results in a failure.

It's hard to believe we're the only ones trying to make mailman work.
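
Added example, not part of any message in this thread: a Python sketch of the RFC 6376 canonicalization rules, run against the three changes listed in the message above (re-indented continuation lines, an extra trailing newline, a removed Cc that is named in `h=`). The sample headers, addresses and the `survives` helper are constructed for illustration, and the DKIM-Signature field itself is left out of the header hash input.

```python
import base64, hashlib, re

def canon_header(name, value, mode):
    """One header field, RFC 6376 3.4.1 (simple) / 3.4.2 (relaxed)."""
    if mode == "simple":
        return f"{name}:{value}\r\n".encode()
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # collapse and trim whitespace
    return f"{name.lower().strip()}:{value}\r\n".encode()

def header_hash_input(headers, signed, mode):
    """Pick each field named in h= (bottom-up); a missing field adds nothing.
    Simplification: the DKIM-Signature field itself is left out."""
    pool, out = list(headers), b""
    for want in signed:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == want.lower():
                out += canon_header(*pool.pop(i), mode)
                break
    return out

def body_hash(body, mode):
    """bh= value: RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed), then SHA-256."""
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
        body = "\r\n".join(lines)
    while body.endswith("\r\n"):                       # trailing empty lines are ignored
        body = body[:-2]
    if body or mode == "simple":
        body += "\r\n"
    return base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()

# Constructed sample message (not the headers from the thread).
SIGNED = ["from", "to", "cc", "references"]
SENT = [("From", " Alice <alice@example.org>"), ("To", " list@example.net"),
        ("Cc", " Bob <bob@example.org>"),
        ("References", " <a@example.org>\r\n <b@example.org>")]
REFOLDED = SENT[:3] + [("References", " <a@example.org>\r\n\t<b@example.org>")]
NO_CC = [h for h in SENT if h[0] != "Cc"]

def survives(received, mode):
    """True when the signed header bytes are unchanged after transit."""
    return header_hash_input(received, SIGNED, mode) == header_hash_input(SENT, SIGNED, mode)

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        one, two = "time to time.\r\n", "time to time.\r\n\r\n"
        print(mode, "refolded:", survives(REFOLDED, mode), "cc removed:", survives(NO_CC, mode),
              "extra newline:", body_hash(one, mode) == body_hash(two, mode))
```

Under these rules the extra trailing newline is harmless in both modes, re-indented continuation lines break only `simple` header canonicalization, and removing a header named in `h=` changes the signed bytes in either mode.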

On Thu, Jul 10, 2025 at 07:58:43PM -0400, Greg Troxel wrote:

It's hard to believe we're the only ones trying to make mailman work.

I see many DKIM failures in fsfe mailing list too.
I think at the moment the only way to be predictable would be to
rewrite the outgoing mails (munge or wrap).

--strk;


Sandro Santilli <strk@kbt.io> writes:

On Thu, Jul 10, 2025 at 07:58:43PM -0400, Greg Troxel wrote:

It's hard to believe we're the only ones trying to make mailman work.

I see many DKIM failures in fsfe mailing list too.
I think at the moment the only way to be predictable would be to
rewrite the outgoing mails (munge or wrap).

Maybe, but my guess is that mailman is incorrectly removing CC: and
that's most of it.

If this message passes DKIM, then that's probably it.

On Mon, Jul 14, 2025 at 07:24:07AM -0400, Greg Troxel wrote:

Sandro Santilli <strk@kbt.io> writes:

> On Thu, Jul 10, 2025 at 07:58:43PM -0400, Greg Troxel wrote:
>> It's hard to believe we're the only ones trying to make mailman work.
>
> I see many DKIM failures in fsfe mailing list too.
> I think at the moment the only way to be predictable would be to
> rewrite the outgoing mails (munge or wrap).

Maybe, but my guess is that mailman is incorrectly removing CC: and
that's most of it.

If this message passes DKIM, then that's probably it.

Your message passed DKIM, I'm sending mine with you in the To field
and the list in the Cc field, let's see...

--strk;
