[Linux-aus] DKIM and DMARC
Russell Coker
russell at coker.com.au
Wed Jan 4 19:53:31 AEDT 2017
On Wednesday, 4 January 2017 8:46:52 PM AEDT Simon Lyall wrote:
> Everybody.
>
> It appears the below email purporting to come from Russell Coker is fake.
> It fails DKIM authentication and according to coker.com.au's published
> DMARC records any email pretending to come from him that fails this lookup
> must be rejected.
>
> :-)
>
> Okay, to be serious the only real solution if we want people who are using
> DMARC to be able to participate in mailing lists is to re-write the From
> address of emails containing it.
To be serious, the best thing to do is to set up DKIM on the list server and
sign all mail from it so that everyone knows that there is no MITM attack
between the list server and their mail server. The list server can verify
DKIM signatures before stripping them and adding its own to the outbound
mail. List users will then know that there's no MITM attack between the
origin server (for mail coming from samba.org, coker.com.au, gmail.com,
yahoo.com, etc) and the list server and there's no MITM attack between the
list server and a DKIM enabled recipient server (gmail etc).

Such a change will mean that any Gmail user who receives list mail from
another Gmail user will know that any modification of the mail could only
happen at the list server.

The lack of DMARC compliance in the list server doesn't stop me participating,
it merely means that some providers will reject my mail, and if enough of my
mail is rejected then people will be unsubscribed. This is why I requested
that the bounce limit be increased while this matter is being discussed.
> It looks ugly but when they explicitly tell me "Drop any emails from my
> domain that are not properly signed" and large providers like google and
> yahoo will, there are not a lot of good choices.
Well I used to not have DMARC enabled, I used ADSP which is checked by a
different subset of recipients (and apparently doesn't cause issues on this
list). But it was the LCA list configuration change that you advocated that
forced me to use DMARC again.
> On Wed, 4 Jan 2017, "Fake" Russell Coker wrote:
> > https://dmarc.org/
> >
> > The configuration of the LCA chat list now forces everyone who uses DKIM
> > to also use DMARC, see the above page for information on DMARC.
> >
> > As there is a significant overlap between the membership of the LCA chat
> > list we now need this list to work with people who use DMARC.
> >
> > Some time ago I turned off DMARC on my domain due to problems with this
> > list (some MTAs rejected enough mail from me to cause their users to get
> > unsubscribed). Now that I have been forced to enable DMARC and other
> > members of this list are forced to do the same we need to make this list
> > work with DMARC.
> >
> > I suggest that the first step is to increase the number of bounces needed
> > to unsubscribe a member from the list. Then we have a little more time
> > to experiment with mailman settings.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
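
Added example, not part of the original message or of any list software: a simplified DMARC check (relaxed alignment, RFC 7489) applied to the list-handling options discussed in this thread. The `Message` fields, the `SUFFIXES` set standing in for the Public Suffix List, and the four sample messages are constructed assumptions; the `reject` policy follows what the quoted text says coker.com.au publishes.

```python
# Simplified DMARC evaluation (RFC 7489, relaxed alignment) for list mail.
# All sample messages below are constructed for illustration.
from dataclasses import dataclass

SUFFIXES = {"com.au", "org.au", "com", "org"}  # constructed, not the real PSL

def org_domain(domain):
    """Return the registrable domain: longest known suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

@dataclass
class Message:
    header_from: str   # domain of the RFC 5322 From header
    dkim: list         # [(d= domain, signature verified?)]
    spf_domain: str    # envelope sender (MAIL FROM) domain
    spf_pass: bool

def aligned(a, b):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(a) == org_domain(b)

def dmarc(msg, policy):
    """Return 'pass', or the published policy action when nothing aligns."""
    dkim_ok = any(ok and aligned(d, msg.header_from) for d, ok in msg.dkim)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.header_from)
    return "pass" if (dkim_ok or spf_ok) else policy

LIST, AUTHOR = "lists.linux.org.au", "coker.com.au"

# 1. Direct mail: the author's signature is intact.
direct = Message(AUTHOR, [(AUTHOR, True)], AUTHOR, True)
# 2. List appends a footer: the author's signature no longer verifies and
#    the envelope sender is now the list's bounce address.
relayed = Message(AUTHOR, [(AUTHOR, False)], LIST, True)
# 3. List strips the broken signature and signs with its own domain:
#    the signature verifies but is not aligned with the From header.
resigned = Message(AUTHOR, [(LIST, True)], LIST, True)
# 4. List signs with its own domain and also rewrites From to that domain.
rewritten = Message(LIST, [(LIST, True)], LIST, True)

def outcomes(policy="reject"):
    """Evaluate the four constructed cases under the author's DMARC policy."""
    cases = {"direct": direct, "relayed": relayed,
             "resigned": resigned, "rewritten": rewritten}
    return {name: dmarc(m, policy) for name, m in cases.items()}
```

Calling `outcomes()` returns the disposition a DMARC-enforcing receiver would apply to each case.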