[Linux-aus] DKIM and DMARC

Russell Coker russell at coker.com.au
Wed Jan 4 19:53:31 AEDT 2017 

On Wednesday, 4 January 2017 8:46:52 PM AEDT Simon Lyall wrote:
> Everybody.
> 
> It appears the below email proporting to come from Russell Coker is fake.
> It fails DKIM authentication and according to coker.com.au's published
> DMARC records any email pretending to come from him that fails this lookup
> must be rejected.
> 
> :-)
> 
> Okay, to be serious the only real solution if we want people who are using
> DMARC to be able to participate in mailing lists is to re-write to From
> address of emails containing it.

To be serious the best thing to do is to setup DKIM on the list server and 
sign all mail from it so that everyone knows that there is no MITM attack 
between the list server and their mail server.  The list server can verify 
DKIM signatures before stripping them and adding it's own to the outbound 
mail.  Then list users will then know that there's no MITM attack between the 
origin server (for mail coming from samba.org, coker.com.au, gmail.com, 
yahoo.com, etc) and the list server and there's no MITM attack between the 
list server and a DKIM enabled recipient server (gmail etc).

Such a change will mean that any Gmail user who receives list mail from 
another Gmail user will know that any modification of the mail could only 
happen at the list server.

The lack of DMARC compliance in the list server doesn't stop me participating, 
it merely means that some providers will reject my mail, and if enough of my 
mail is rejected then people will be unsubscribed.  This is why I requested 
that the bounce limit be increased while this matter is being discussed.

> It looks ugly but when they explicitly tell me "Drop any emails from my
> domain that are not properly signed" and large providers like google and
> yahoo will there are not a lot of good choices.

Well I used to not have DMARC enabled, I used ADSP which is checked by a 
different subset of recipients (and apparently doesn't cause issues on this 
list).  But it was the LCA list configuration change that you advocated that 
forced me to use DMARC again.

> On Wed, 4 Jan 2017, "Fake" Russell Coker wrote:
> > https://dmarc.org/
> > 
> > The configuration of the LCA chat list now forces everyone who uses DKIM
> > to
> > also use DMARC, see the above page for information on DMARC.
> > 
> > As there is a significant overlap between the membership of the LCA chat
> > list we now need this list to work with people who use DMARC.
> > 
> > Some time ago I turned off DMARC on my domain due to problems with this
> > list (some MTAs rejected enough mail from me to cause their users to get
> > unsubscribed).  Now that I have been forced to enable DMARC and other
> > members of this list are forced to do the same we need to make this list
> > work with DMARC.
> > 
> > I suggest that the first step is to increase the number of bounces needed
> > to unsubscribe a member from the list.  Then we have a little more time
> > to experiment with mailman settings.
> > 
> > 
> > _______________________________________________
> > linux-aus mailing list
> > linux-aus at lists.linux.org.au
> > http://lists.linux.org.au/mailman/listinfo/linux-aus


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

More information about the linux-aus mailing list