[Linux-aus] PSA: Messages sent through LA mailing lists being classified as SPAM

Thu Jan 14 23:50:51 AEDT 2016

On Thu, 14 Jan 2016 11:05:27 PM Joel W. Shea wrote:
> > The biggest problem at the moment is that Mailman rewrote the DKIM
> > signature header to use spaces instead of tabs.  While it seems to be
> > standards compliant to rewrite headers like that both OpenDKIM and
> > libmail-dkim-perl will report such messages as invalid.
> 
> Except that this particular message was signed with "c=relaxed/relaxed",
> so should still validate with spaces, otherwise you're right, since many
> leave the default "c=simple/simple"

http://www.gettingemaildelivered.com/dkim-explained-how-to-set-up-and-use-
domainkeys-identified-mail-effectively

For the benefit of others the above URL explains these things.

My tests indicate that setting relaxed/simple is enough.  To get that put one 
of the following lines in /etc/opendkim.conf:

Canonicalization relaxed
Canonicalization relaxed/simple

> > If we wanted the list to pass messages with valid DKIM signatures then
> > here is what needs to be done:
> > 
> > 1)  Turn off Subject munging.
> > 2)  Turn off the list footer.
> 
> Agreed.
> 
> > 3)  Make Mailman not munge the DKIM header - or install a milter that
> > reverses such munging (which is quite trivial in terms of message
> > editing).
> 
> Alternatively, make Mailman reject the message with a DMARC failure
> report, and hope that the sender signs with "c=relaxed/simple" to allow
> whitespace variation in the header in future.

I don't think that there is any feature of Mailman to do this and I don't 
think it would be desirable to do so.  But making mailman not munge the 
headers would be a good feature to have.

> > But it's much easier to just change the From: header to the list address.
> 
> Perhaps, since even if DKIM signature verifies, DMARC will still fail
> domain alignment on SPF?

It seems that there is no option other than changing the From header.

> > It's expected that when you add new anti-spam features that there will be
> > some false positives.  But everyone else will just deal with it
> > eventually, and that includes list servers configuration being changed
> > to work with it.
> 
> Hence the recommendation to set DMARC to p=none at first, then
> q=quarantine; pct=1; then gradually increase pct, this gives the sender
> an opportunity to adjust their policy to accommodate for the most common
> false positive failures.

Well we know that the Linux Australia lists are one source of false positives.  
We just need to get that fixed.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/