OT: DKIM signatures on email messages from lists.gnupg.org
Alexander Leidinger
Alexander at leidinger.net
Mon Jun 12 13:05:51 CEST 2023
Quoting Alessandro Vesely via Gnupg-users <gnupg-users at gnupg.org>
(from Mon, 12 Jun 2023 10:57:32 +0200):
> Hi,
>
> would someone please explain DKIM settings of lists.gnupg.org?
I'm not involved in gnupg.org administration, but it looks like there
are none.
> Looking at recent posts, I counted 44 with a failed signature by
> d=gnupg.org, 22 with no DKIM signature at all and none with a good
> signature.
Can it be that those 44 are from real people which have a from-address
@gnupg.org?
> I'm asking because there was a proposal to eliminate SPF from DMARC
> authentication methods[*]. Opposers to such move note that in a
> number of cases SPF succeeds where DKIM fails. The discussion
> concluded that it must be because of misconfiguration, since most
> in-transit alterations were eliminated. As people on this list is
> certainly acknowledgeable, I though I'd dare asking where does such
> misconfiguration stem from.
Your mail to the list had a DKIM signature from tana.it (your DKIM
signature). It specifies that in the header the date, to, from and
subject lines are subject to validation. The From was re-written be
the list and as such the header check fails. The body check fails as
the list adds the following:
---snip---
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
---snip---
What the list-software would need to do is to strip the original DKIM
signature (and maybe sign itself, but there are drawbacks), or to not
modify the message (at least not the designated header lines, and the
body). More info here:
https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
For mailman there is some info here what could/should be done:
https://wiki.list.org/DEV/DKIM
https://wiki.list.org/DEV/DMARC
For listserv there is some info here what could/should be done:
https://www.lsoft.com/manuals/17.0/advancedtopics/Section12UsingDomainKeysIdentifi.html
https://www.lsoft.com/manuals/17.0/advancedtopics/Section13DMARCandLISTSERV.html
There is also ARC (which you should see in the headers of my mail):
https://en.wikipedia.org/wiki/Authenticated_Received_Chain
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: Digitale PGP-Signatur
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20230612/bcc2a0ca/attachment.sig>
More information about the Gnupg-users
mailing list