On Wed, May 10, 2023 at 09:50:24AM +0200, Jaroslav Kysela wrote:
It is perfectly possible to operate a mailing list server and be DMARC-compliant (at least for DKIM-signed messages) without requiring any of the horrible things mailman-3 is doing:
https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
I wish that it was as easy.
It is. We've been operating DMARC-compliant mailing lists for many years now without needing to mangle any messages.
I don't see any references to RFCs in this text, so we cannot verify the contents. As our mailing list does not modify the headers and body, the DKIM is correct for our messages, but it does not work practically (the mitigation was turned on recently, so I know how many bounces were present).
Can you please show me the message that was no longer DMARC-compliant after passing through your mailing list server? I will point out what made them non-DMARC-compliant, and it won't be some builtin incompatibility between DMARC and mailing lists.
Also, RFC7960 does not describe this:
https://datatracker.ietf.org/doc/html/rfc7960#section-4.1.3
especially:
These talk specifically about messages that were modified by the mailing list software.
and see note in:
https://datatracker.ietf.org/doc/html/rfc7960#section-3.2.3.1
So "keep everything unmodified" for DKIM is only one part of the problem. Perhaps there's an RFC update somewhere which adds another note.
I can demonstrate to you millions of email messages that passed through the mailing list that are still perfectly DMARC compliant -- you seem convinced that it's not possible. For example, here's the authentication header set by GMail for a message that I recently received via the tools mailing list:
Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=YVg2o3VH; spf=pass (google.com: domain of [omitted]@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=[omitted]@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
So, I'm just going to repeat this: operating a mailing list and remaining DMARC compliant is perfectly possible, provided:
- the original message is DKIM-signed
- all existing headers are unmodified
- the message body is unmodified
-K
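
Added example, not part of the original message: a sketch of why the three conditions listed above matter, comparing the inputs a DKIM signature covers before and after a list relays a message. It assumes relaxed/relaxed canonicalization (RFC 6376) and a hypothetical signed-header list; the sample messages are constructed, and the RSA signature itself is not verified.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # trailing empty lines are ignored
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier recomputes and compares with the signature's bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)            # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def dkim_breakers(orig, relayed, signed=("from", "to", "subject", "date")):
    """List which signed inputs differ after relay; empty means they are unchanged."""
    reasons = []
    if body_hash(orig["body"]) != body_hash(relayed["body"]):
        reasons.append("body")
    for h in signed:               # 'signed' stands in for the h= tag (assumed list)
        before = relaxed_header(h, orig["headers"].get(h, ""))
        after = relaxed_header(h, relayed["headers"].get(h, ""))
        if before != after:
            reasons.append(h)
    return reasons

# Constructed sample messages (not taken from the thread).
ORIG = {"headers": {"from": "Author <author@example.org>", "to": "list@example.net",
                    "subject": "DMARC question", "date": "Wed, 10 May 2023 09:50:24 +0200"},
        "body": b"Does this survive the list?\r\n"}
# List adds its own headers only; everything the signature covers is untouched.
PASSTHROUGH = {"headers": {**ORIG["headers"], "list-id": "<list.example.net>"},
               "body": ORIG["body"]}
# List prefixes the subject and appends a footer.
MANGLED = {"headers": {**ORIG["headers"], "subject": "[list] DMARC question"},
           "body": ORIG["body"] + b"-- \r\nlist mailing list\r\n"}

if __name__ == "__main__":
    print("passthrough:", dkim_breakers(ORIG, PASSTHROUGH))
    print("mangled:    ", dkim_breakers(ORIG, MANGLED))
```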