Change to Mail Infrastructure - SPF and DKIM verification will now be enforced

Ben Cooksley bcooksley at kde.org
Tue Dec 8 09:19:51 GMT 2015


Hi all,

The following is a guide which explains the problem, and how to correct it.

SPF is a mail protocol designed to ensure a given mail server is in
fact permitted to send email for a domain. It protects the return path
component of an email, and helps protect against back scatter attacks,
and to a certain extent makes it more difficult to falsely send mail.
Please see https://en.wikipedia.org/wiki/Sender_Policy_Framework for
more information.

DKIM is a mail protocol designed to authenticate that the purported
sender of an email actually sent the email. It does this by signing
(using a public/private key mechanism) the mail body and some headers
of the email and including this signature in the headers of the email,
in the DKIM-Signature header. Many mail providers already implement
this standard and use it to make spam filtering decisions. Technical
details on how it works can be found at
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

DMARC is a mail protocol designed to clarify policy enforcement and
reporting around the pre-existing SPF and DKIM protocols. To date,
while both of them defined what was valid and invalid, they did not
state what actions should be taken if SPF or DKIM validation failed.
DMARC allows domain administrators to provide this information to
outside parties, and receive reports back regarding compliance -
particularly in the case of failures, to aid in detecting phishing and
configuration errors. Please see https://en.wikipedia.org/wiki/DMARC
for more information.

In regards to mailing lists, DKIM (and therefore DMARC as well) causes
some problems, as rather common features - such as appending of
footers and modifying subjects will break DKIM signatures. This in
turn may lead to hosts which perform DKIM validation not accepting
emails from the mailing list where the sender of the email signed it.
Considering that Google & Yahoo among others have implemented this, a
decent proportion of email landing on lists will likely be signed.

To date this has not caused major issues, as DKIM was not being
enforced. With the advent of DMARC however, providers are now
beginning to enforce valid DKIM signatures.
This requires mailing list administrators to take steps to ensure
everyone is still able to subscribe and post to their mailing lists.

A detailed overview of possible actions which can be taken is
available at http://wiki.list.org/DEV/DMARC (for Mailman at least, the
steps are broadly applicable to other software as well however).

The easiest and least invasive way of correcting this problem is to
stop modifying emails. This can be accomplished for Mailman lists by:
a) Clearing the "subject_prefix" setting
b) Clearing "msg_header" and "msg_footer"
c) Disabling "scrub_nondigest" and "first_strip_reply_to"

Depending on who posts to your list, you may also need to:
a) Set "reply_goes_to_list" to "Poster"
b) Set "include_sender_header" to "False".

Note that the second set of changes should not be necessary in most cases.

These changes will make your mailing list DMARC compliant, and will
ensure that everyone is able to subscribe to, and respond to, postings
on your list without inconveniencing the mail systems of anyone else
on the list.

Hope the above helps. Feel free to pass it on to any mailing list
admin who needs it.

Regards,
Ben




More information about the kde-core-devel mailing list