OT: DKIM signatures on email messages from lists.gnupg.org

Alessandro Vesely vesely at tana.it
Mon Jun 12 18:45:37 CEST 2023

On Mon 12/Jun/2023 13:05:51 +0200 Alexander Leidinger via Gnupg-users wrote:
> Quoting Alessandro Vesely via Gnupg-users <gnupg-users at gnupg.org> (from Mon, 12 Jun 2023 10:57:32 +0200):
>> Hi,
>> would someone please explain DKIM settings of lists.gnupg.org?
> I'm not involved in gnupg.org administration, but it looks like there are none.

Sometimes there is a signature.  The Announce message of April 28 had two:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org;
  bh=AaifcSnTnefRUURuPlCYtVlF0on0neCAn9vyAWrccMA=; b=GZor1crbzgMYZ0XztsHrHN0w3P

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnupg.org;
  bh=waITwZnkLncVwES3fe/pbC3rS8gp+dpge17NQpRHvMU=; b=U9warAJAiKlE0f9mSRe61yIzqa

There were a number of Received: by/from kerckhoffs.g10code.com in between, as 
if the message was sent back and forth to a signer.  Most likely some header 
fields are changed during the transaction.

>> Looking at recent posts, I counted 44 with a failed signature by d=gnupg.org, 
>> 22 with no DKIM signature at all and none with a good signature.
> Can it be that those 44 are from real people which have a from-address @gnupg.org?

I only counted d=gnupg.org.

>> I'm asking because there was a proposal to eliminate SPF from DMARC 
>> authentication methods[*].  Opposers to such move note that in a number of 
>> cases SPF succeeds where DKIM fails.  The discussion concluded that it must 
>> be because of misconfiguration, since most in-transit alterations were 
>> eliminated.  As people on this list are certainly knowledgeable, I thought 
>> I'd dare ask where such misconfiguration stems from.
> Your mail to the list had a DKIM signature from tana.it (your DKIM signature). 
> It specifies that in the header the date, to, from and subject lines are 
> subject to validation.

Those lines are enough to uniquely identify a message.  Signing more fields 
only makes the signature more fragile.  It is not enough to prevent crackerjack 
re-playing in any case.

> The From was re-written by the list and as such the 
> header check fails. The body check fails as the list adds the following:
> ---snip---
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users
> ---snip---

The message verifies after removing the footer.  It can be done routinely, on 
some kinds of signatures.

> What the list-software would need to do is to strip the original DKIM signature

Why?  Original signatures can often be recovered.  They shouldn't be removed.

> (and maybe sign itself, but there are drawbacks),

What drawback can there be to signing?  CPU resource consumption?

> or to not modify the message 
> (at least not the designated header lines, and the body). More info here:
>      https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

Omitting subject tag and footer seems to me to be worse than From: munging.

See also this:

> For mailman there is some info here what could/should be done:
>      https://wiki.list.org/DEV/DKIM
>      https://wiki.list.org/DEV/DMARC
> For listserv there is some info here what could/should be done:
> https://www.lsoft.com/manuals/17.0/advancedtopics/Section12UsingDomainKeysIdentifi.html
> https://www.lsoft.com/manuals/17.0/advancedtopics/Section13DMARCandLISTSERV.html
> There is also ARC (which you should see in the headers of my mail):
>      https://en.wikipedia.org/wiki/Authenticated_Received_Chain

I'd definitely recommend ARC, not the conceptual Mailman 3 version.  However, 
most receivers are not yet prepared to accept it.
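The two points argued above, that a footer appended by the list breaks the body hash but can be stripped again, and that rewriting a signed header field such as From: breaks the header hash, can be checked mechanically. The following is an added example, not code from the thread or from Mailman: it implements only the relaxed body and header canonicalisation of RFC 6376 and the bh= computation, leaving out the RSA check of b= so that no key is needed. The message, the sender address and the list-munged headers are constructed for the example; the footer text is the one quoted in the thread.

```python
"""
Added example (not from the gnupg-users thread): what a DKIM verifier sees
when a mailing list appends a footer and rewrites From:/Subject:.  Only the
RFC 6376 relaxed canonicalisations and the bh= body hash are implemented;
the signature check over the header hash (b=) is omitted so no key is needed.
"""
import base64
import hashlib
import re

# Footer in the shape Mailman adds (quoted in the thread).
LIST_FOOTER = (
    "_______________________________________________\r\n"
    "Gnupg-users mailing list\r\n"
    "Gnupg-users at gnupg.org\r\n"
    "https://lists.gnupg.org/mailman/listinfo/gnupg-users\r\n"
)

# Constructed sample message; sender and addresses are hypothetical.
ORIGINAL_BODY = (
    "Hi,\r\n"
    "would someone please explain DKIM settings of lists.gnupg.org?\r\n"
)
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.org>"),
    ("To", "gnupg-users@gnupg.org"),
    ("Subject", "DKIM signatures on list mail"),
    ("Date", "Mon, 12 Jun 2023 10:57:32 +0200"),
]
# Same message after list processing: From: munged, Subject: tagged.
MUNGED_HEADERS = [
    ("From", "Alice via Gnupg-users <gnupg-users@gnupg.org>"),
    ("To", "gnupg-users@gnupg.org"),
    ("Subject", "[Gnupg-users] DKIM signatures on list mail"),
    ("Date", "Mon, 12 Jun 2023 10:57:32 +0200"),
]
H_TAGS = "from:to:subject:date"   # the h= field set mentioned in the thread


def relaxed_body(body: str) -> str:
    """RFC 6376 s3.4.4 relaxed body canonicalisation."""
    lines = body.split("\r\n")
    if lines and lines[-1] == "":          # drop element left by final CRLF
        lines.pop()
    out = []
    for line in lines:
        line = re.sub(r"[ \t]+", " ", line)  # collapse WSP runs to one SP
        out.append(line.rstrip(" \t"))       # strip trailing WSP
    while out and out[-1] == "":             # remove empty lines at end
        out.pop()
    return "\r\n".join(out) + "\r\n" if out else ""


def body_hash(body: str) -> str:
    """The bh= value: base64(SHA-256(canonicalised body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 s3.4.2: lower-case name, unfold, collapse WSP, trim."""
    value = re.sub(r"\r\n[ \t]+", " ", value)          # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse and trim
    return f"{name.lower()}:{value}\r\n"


def signed_header_block(headers: list, h_tags: str) -> str:
    """Concatenate the h= fields, in h= order, as fed to the header hash."""
    lookup = {n.lower(): v for n, v in headers}
    return "".join(relaxed_header(n, lookup[n]) for n in h_tags.split(":")
                   if n in lookup)


def strip_footer(body: str, footer: str = LIST_FOOTER) -> str:
    """Undo the list footer (and the blank line Mailman puts before it)."""
    if body.endswith(footer):
        body = body[: -len(footer)]
        if body.endswith("\r\n\r\n"):
            body = body[:-2]
    return body


def demo() -> dict:
    """Compare the sender's bh= and header input with what the list emits."""
    bh = body_hash(ORIGINAL_BODY)                       # what the signer put in bh=
    relayed = ORIGINAL_BODY + "\r\n" + LIST_FOOTER       # what the list sends
    return {
        "relayed_bh_ok": body_hash(relayed) == bh,                    # False
        "stripped_bh_ok": body_hash(strip_footer(relayed)) == bh,     # True
        "header_input_changed": signed_header_block(ORIGINAL_HEADERS, H_TAGS)
        != signed_header_block(MUNGED_HEADERS, H_TAGS),               # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Stripping the footer restores bh= only because relaxed canonicalisation and an exact footer match are enough to recover the original body; the From: rewrite and the Subject: tag cannot be undone the same way, since the verifier has no record of the original values, which is why a replaced header field costs the signature even when the body is repaired.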
