[Linux-aus] PSA: Messages sent through LA mailing lists being classified as SPAM

[Russell Coker]

On Thu, 14 Jan 2016 08:19:43 PM Joel W. Shea wrote:
> >   dkim=neutral (body hash did not verify) header.i=@samba.org;
> >   dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=samba.org
> > 
> > [...]
> 
> but fails DMARC, because;
> 
> a) DKIM authentication fails, as the body hash verification fails (since
> the mailing list modified the body by appending a footer)
> 
> *and/or*

If the appended signature was the only problem then it could be fixed by using 
the l= flag when generating the DKIM signature.

There's also the modification of the Subject: header, but that's something that 
can be fixed too.

The biggest problem at the moment is that Mailman rewrote the DKIM signature 
header to use spaces instead of tabs.  While it seems to be standards 
compliant to rewrite headers like that both OpenDKIM and libmail-dkim-perl 
will report such messages as invalid.

If we wanted the list to pass messages with valid DKIM signatures then here is 
what needs to be done:

1)  Turn off Subject munging.
2)  Turn off the list footer.
3)  Make Mailman not munge the DKIM header - or install a milter that reverses 
such munging (which is quite trivial in terms of message editing).

But it's much easier to just change the From: header to the list address.

> b) According to DMARC, the domain in the "From:" header must match the
> domain used to validate SPF (hence not an SPF error, per se)
> 
> Although this might be desired behaviour, it's possible the strict
> policy may have been set while overlooking this unanticipated
> consequence.

It's expected that when you add new anti-spam features that there will be some 
false positives.  But everyone else will just deal with it eventually, and 
that includes list servers configuration being changed to work with it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/