OT: DKIM signatures on email messages from lists.gnupg.org
Steffen Nurpmeso
steffen at sdaoden.eu
Mon Jun 12 21:54:45 CEST 2023
Konstantin Ryabitsev wrote in
<20230612-landline-jawless-f2c113 at meerkat>:
|On Mon, Jun 12, 2023 at 06:45:37PM +0200, Alessandro Vesely via Gnupg-users wrote:
|>> What the list-software would need to do is to strip the original DKIM signature
|>
|> Why? Original signatures can often be recovered. They shouldn't be removed
|> anyway.
|
|If list-software is doing something to make the DKIM signature no longer
|verify, it must remove the DKIM signature or rewrite the From: header to
|change alignment.
My Mailman2 has "REMOVE_DKIM_HEADERS = 2".
(But this will change, somewhen.)
|>> or to not modify the message (at least not the designated header lines,
|>> and the body). More info here:
|>
|>
|> Omitting subject tag and footer seems to me to be worse than From: munging.
|
|No it isn't. Changing the subject and adding the footer is a damaging
|anti-pattern from mid-nineties. If the end-user wants to filter mail, they can
|do it based on the List-Id header or any other criteria. Lists that still do
|this in 2023 need to be updated to no longer do this.
That is your own biased thing to which i am totally opposed.
The traditional email way uses a single INBOX and dispatches
non-deleted things from there (also automatically). I am happy
that many lists i am on continue to use that subject tagging, or
reintroduced it, because i get a human-compatible overview with
a single glance (already thread-sorted) when i look into my INBOX.
This includes IETF lists, tuhs and coff, 9fans, oss-sec and many
more.
(Having said that, lists i read like those from NetBSD never did
any such thing, and did not need to change anything to work in
today's email world.)
|> I'd definitely recommend ARC, not the conceptual Mailman 3 version.
|> However, most receivers are not yet prepared to accept it.
|
|ARC is just adding more things to the chain that you must explicitly trust.
|It's basically an assurance from the remailer that "oh, btw, I checked this
|message and its DKIM was good, trust me." It's useful for the huge mail
|providers like Yahoo/Gmail/Outlook, but standing up your own ARC-signing
|infrastructure is largely just wasting cycles.
If you do DKIM then ARC does make sense. (I am a bit away from
the standards though.) SPF/DKIM/ARC are maybe a thing, especially
when being holistic; DMARC destroyed email (not), it should imho
be boycotted.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
|~~
|..and in spring, hear David Leonard sing..
|
|The black bear, The black bear,
|blithely holds his own holds himself at leisure
|beating it, up and down tossing over his ups and downs with pleasure
|~~
|Farewell, dear collar bear
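
The rule quoted in the message above (a list that makes the DKIM signature fail must either remove it or rewrite From:), sketched as an added example that is not part of the original message and not Mailman's code. The function names, the `mitigation` parameter and the sample message are constructed; it assumes a single-part text body and ignores the `l=` body-length tag.

```python
import re
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample; the bh=/b= values are placeholders, not signature data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "To: list@lists.example\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

def signed_headers(sig):
    """Lower-cased header names from the h= tag of one DKIM-Signature value."""
    m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
    return {h.strip().lower() for h in m.group(1).split(":")} if m else set()

def list_post(raw, list_addr, tag=None, footer=None, mitigation="strip"):
    """Decorate a post; if that breaks a DKIM signature, strip it or munge From:.

    Returns (message, broke), where broke says a signature was invalidated.
    """
    msg = message_from_string(raw)
    sigs = msg.get_all("DKIM-Signature", [])
    broke = False
    if tag:
        subject = msg["Subject"] or ""
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}"
        # A changed Subject only matters if some signature lists it in h=.
        broke = any("subject" in signed_headers(s) for s in sigs)
    if footer:
        msg.set_payload(msg.get_payload() + footer)
        # bh= hashes the body, so an appended footer breaks every signature.
        broke = broke or bool(sigs)
    if broke and mitigation == "strip":
        del msg["DKIM-Signature"]          # removes every DKIM-Signature header
    elif broke and mitigation == "munge":
        name, addr = parseaddr(msg["From"])
        del msg["From"]
        msg["From"] = formataddr((f"{name or addr} via list", list_addr))
        if msg["Reply-To"] is None:
            msg["Reply-To"] = addr         # keep the author reachable
    return msg, broke
```

A post passed through without a tag or footer keeps its signature and From: untouched, which is the "do not modify the message" option mentioned in the quoted text.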