Change to Mail Infrastructure - SPF and DKIM verification will now be enforced

[Jan Kundrát]

On Thursday, 3 December 2015 07:13:07 CET, Ben Cooksley wrote:
> I will be re-enabling DKIM validation in one week's time - which will
> then break subscriptions to Debian mailing lists (as any email from
> anyone who has enabled DKIM which hits their lists will not be
> accepted by KDE email infrastructure)

Ben, could you please briefly explain your idea about how a complying 
mailing list service should behave? Suppose that I have an installation of 
mlmmj which:

- mangles the Subject header,
- preserves the original From header,
- maybe replaces a Reply-To with the ML's address,
- introduces a bunch of specific List-* headers,
- otherwsie doesn't manipulate the MIME tree or the message texts.

What should I do to make sure that this service continues working once you 
flip the switch?

I would like to have more information about what you mean by "DKIM 
validation" -- what specific steps are you going to introduce, and how is 
the end result going to react to a missing or invalid DKIM signatures.

Also, quoting RFC 6376, section 6.3:

   In general, modules that consume DKIM verification output SHOULD NOT
   determine message acceptability based solely on a lack of any
   signature or on an unverifiable signature; such rejection would cause
   severe interoperability problems.  If an MTA does wish to reject such
   messages during an SMTP session (for example, when communicating with
   a peer who, by prior agreement, agrees to only send signed messages),
   and a signature is missing or does not verify, the handling MTA
   SHOULD use a 550/5.7.x reply code.

That seems in line with what e.g. GMail is doing, only enforcing DKIM 
validation for notoriously faked domains like eBay and PayPal where the 
phishing potential is high.

With kind regards,
Jan

-- 
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/