Change to Mail Infrastructure - SPF and DKIM verification will now be enforced

Ben Cooksley bcooksley at
Tue Dec 8 07:21:03 GMT 2015

On Tue, Dec 8, 2015 at 2:19 AM, Martin Graesslin <mgraesslin at> wrote:
> On Friday, December 4, 2015 11:28:03 AM CET Jan Kundrát wrote:
>> On Friday, 4 December 2015 10:56:42 CET, Ben Cooksley wrote:
>> > Note that in the long run with DMARC looming you will need to switch
>> > to #2 anyway, and keeping your current behaviour will likely lead to
>> > mail from people who use Yahoo / AOL / etc ending up in the spam
>> > folder with many mailing list members. I'll be starting a discussion
>> > regarding taking this step on KDE systems at some point in the near
>> > future (switching to DMARC compatible policies).
>> >
>> > For more information, please see
>> Do I understand your plan correctly? The following projects appear to not
>> re-sign their ML traffic, and they mangle headers at the same time. If I
>> understand your plan correctly, this means that I won't be able to use my
>> addresses on mailing lists of these projects, for example:
>> - Qt,
>> - Debian,
>> - Gentoo,
>> - OpenStack,
>> - anything hosted at SourceForge,
>> - and many, many more, essentially anybody who were ignoring DKIM.
>> Please, change your plans, this is obviously a huge no-go.
> this looks like a huge problem. Could this be rolled out in two phases: one
> where a big fat warning is added in some way, so that we can inform our
> mailing list masters about the breakage and then a slow enforcement?

You can examine the "Authentication-Results" header from any mail that
passes through mail infrastructure to determine if it is
These headers should be added by any system which is performing DKIM
validation (even if it takes no action based on it) - Google at least
also adds these headers.

> Kicking out from important stakeholders doesn't look right to me. And
> it's not like we would notice. It might take quite some time till we notice no
> longer incoming mails in mailing list folders. And not everybody read this
> thread and understood the implications. I do not know how to verify that a
> mailing list sends correctly and there are important mailing lists I'm
> subscribed to with low traffic.

You would still get the list subscription suspended message from the
list, as these are generated by Mailman itself.
They would only fail if they had tried to setup DKIM and made a mistake.

> So: can we do something to notify non compliant mailing lists? And what if
> they don't act on it? If for example is slow on it the
> solution cannot be to effectively kick out kde from I'm not
> going to subscribe there with my private mail address, because it's important
> to be there with an address.

I would suggest mailing the list administrator or server
administrator's of the mailing lists in question. Nobody else really
has the power to fix it.

The actual server administrators aren't required to take any action as
long as you have the assistance of someone who can administrate the
mailing list, at least with Mailman.
You will only need the assistance of the server administrator if
they've done something stupid - like enabling sitewide stripping of
DKIM headers.

In terms of what we should do - that will depend on their response....

> Cheers
> Martin


More information about the kde-core-devel mailing list