Bug 940318

Summary: Strict DMARC policy makes list participation hard or impossible
Product: Gentoo Infrastructure
Component: Mailing Lists
Reporter: Wolfgang Müller <wolf>
Assignee: Gentoo Infrastructure <infra-bugs>
Status: UNCONFIRMED
Severity: normal
Priority: Normal
CC: thican, wolf
Version: unspecified
Hardware: All
OS: Linux
Attachments: RFC822 headers; RFC822 headers, with valid DKIM

Description Wolfgang Müller 2024-09-26 21:59:16 UTC
With a DMARC policy of p=reject, it is currently hard to impossible to participate in the Gentoo mailing lists. It seems that mlmmj rewrites or adds headers, invalidating the DKIM signature. Then, with a strict DMARC policy, compliant mail servers reject the forwarded mail.

From a cursory look I think the problem is the Reply-To header, which is added on forwarding. Reply-To is listed in Section 5.4.1 "Recommended Signature Content" of RFC 6376 [1] and is usually included in the list of headers to sign.

Whilst Google Mail, for example, signs this header, it does not specify a reject policy, having compliant mail servers ignore DKIM failure and deliver the mail.

I'd rather not relax my DMARC policy - especially since I can't do so on a per-recipient basis. Is there any hope to determine the issue and fix the mlmmj setup such that hosts with p=reject can participate again?

For reference, a mail that I sent today that went seemingly ignored (even though the archives picked it up) is at [2]. Right after sending the mail I got around 10 failure reports (through ruf=) from various servers, notifying me about the failure. I've not seen any DKIM failures with my setup before, so I'm pretty sure it's not on my side.

[1] https://datatracker.ietf.org/doc/html/rfc6376#autoid-53
[2] https://public-inbox.gentoo.org/gentoo-user/vidx57mvvadafgi233xusfug3papjiussz6puxc5vy562g4rl3@g3wdlrmiybez/T/#m30c69615cb5d76df78b89253a6e5da91aa304b29

Reproducible: Always

Steps to Reproduce:
1. Send mail to a Gentoo mailing list
Actual Results:
Some subscribers reject the mail because of a DKIM failure.

Expected Results:
The mail content is not touched, DKIM verification succeeds, and all subscribers receive the message.

Comment 1 Wolfgang Müller 2024-09-27 10:07:27 UTC
Now that the aggregate reports have started to arrive I can give some more info on how failures are handled. Most mail services seem to compliantly reject mail. Some bigger services (I have reports by fastmail.com and google.com) seem to implement certain heuristics for mailing lists and downgrade the policy from reject to quarantine (in Google's case "quarantine with a phishing warning").

Comment 2 Thibaud CANALE 2025-03-07 11:52:09 UTC
Created attachment 920325: RFC822 headers

I can confirm I recently got many DMARC failure reports when I sent an email to gentoo-dev@l.g.o because the DKIM verification fails. Depending on the DMARC policy of the sender, which is `p=reject` for my domain name, and on whether the receivers respect this policy, emails can be quarantined in spam or simply never reach their destination.
I think I can pinpoint where the problem actually occurs, at least for my situation.

In the attachment I copied the RFC822 headers I got from the email back from the ML.

Example of a report (not from the same email as the attachment):
```
Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.4.2
Auth-Failure: dmarc
Authentication-Results: OpenDMARC; dmarc=fail header.from=thican.net
Original-Envelope-Id: 3B67920294
Original-Mail-From: gentoo-dev+bounces-103203-blackwell=disroot.org@lists.gentoo.org
Source-IP: 140.211.166.183 (woodpecker.gentoo.org)
Reported-Domain: thican.net
```

I use OpenDKIM to sign my outgoing emails, and in the example from my attachment we can see this milter creates its signature over the following headers: Date, From, To, Cc and Subject, as reported by the "h" field.
```
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=thican.net; s=cyborg;
	t=1741113467; bh=AMti8ZZ127HC2lkRJtoow2JeMQgkSl1q7BbBnO/xGH8=;
	h=Date:From:To:Cc:Subject;
	b=[…]
```

And because the ML modifies the Subject to prepend `[gentoo-dev] `, the DKIM signature is then faulty, hence the reports.

I still think modifying the subject when communicating on a ML is important. Maybe it is then necessary to remove the DKIM signature? I notice the Gentoo "mail server" (the MTA, IIRC?) does not do a DKIM verification of its own upon arrival; maybe that could improve the situation.

I also know from experience that it is possible to add multiple Subject headers, for example, and only the last one is used to display the subject in mail clients, but I am not sure whether this violates the standards in place. In case this is possible, maybe adding a second Subject with the prefix could keep the previous Subject for validating the DKIM signature?

WDYT?

Comment 3 Thibaud CANALE 2025-03-07 21:39:15 UTC
Created attachment 920342: RFC822 headers, with valid DKIM

As a test (originally an update on the news item) I set the subject with the ML tag myself so the service does not need to modify it, and once the ML forwarded my email, the DKIM signature remained valid as verified by my own service.

See attachment for verification.

Therefore it confirms, as expected, that it is just the modification of a signed header which creates this issue. I am not sure, however, how to find a reliable solution to it: asking ML users to set the tag themselves is not appropriate, and we should keep the prefix in the subject as it is valuable when receiving emails.

I still think a DKIM verification by the ML could provide valuable information; no idea if it is a best practice.
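As an added illustration (not from the bug, its attachments or mlmmj), the following Python model computes what DKIM actually hashes under the `c=relaxed/simple` and `h=Date:From:To:Cc:Subject` parameters quoted in comment 2, on a constructed message: the in-place Subject rewrite changes the signed header data, a Subject the sender already tagged (comment 3) and headers outside `h=` such as Reply-To leave it intact, while a Reply-To that is listed in `h=` (the description's suspicion) breaks the signature as soon as the list adds one. Only the hashed input is compared; the RSA step is left out since it is not what changes.

```python
import base64
import hashlib
import re
# Constructed sample message (not one of the bug's attachments): headers top to bottom, then body.
ORIGINAL_HEADERS = [
    ("Date", "Tue, 4 Mar 2025 19:37:47 +0100"),
    ("From", "Sender <sender@example.org>"),
    ("To", "gentoo-dev@lists.gentoo.org"),
    ("Subject", "Packages up for grabs"),
]
BODY = "Hello list,\r\n\r\nsome text\r\n\r\n\r\n"
H_SIGNED = ["Date", "From", "To", "Cc", "Subject"]  # the h= list from comment 2; Cc is absent here

def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization: lowercase name, unfold, collapse
    whitespace runs to one space, strip trailing whitespace, no whitespace around ':'."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def simple_body(body):
    """RFC 6376 3.4.3 simple body canonicalization: drop trailing empty lines, keep one CRLF."""
    return re.sub(r"(\r\n)+$", "", body) + "\r\n"

def body_hash(body):
    """The bh= tag: base64(SHA-256) of the canonicalized body (unchanged by a Subject rewrite)."""
    return base64.b64encode(hashlib.sha256(simple_body(body).encode()).digest()).decode()

def signed_header_data(headers, h_list):
    """Header input to the signature: for each name in h= the physically last (bottom-most)
    unused instance (RFC 6376 5.4.2); a listed name with no instance adds nothing. Real DKIM
    also hashes the DKIM-Signature header (b= emptied); the list leaves it alone, so it is omitted."""
    out, used = [], set()
    for name in h_list:
        idx = [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower() and i not in used]
        if idx:
            used.add(idx[-1])
            out.append(relaxed_header(name, headers[idx[-1]][1]))
    return "".join(out)

def survives_forwarding(original, forwarded, h_list):
    """True when the signed header data is byte-identical after the list handled the mail,
    i.e. the sender's DKIM signature would still verify (body assumed untouched)."""
    return signed_header_data(original, h_list) == signed_header_data(forwarded, h_list)

def list_rewrite(headers, tag="[gentoo-dev] "):
    """Model of the Subject handling seen in comments 2 and 3: the tag is prepended
    in place unless the sender already put it there."""
    return [(n, v if n != "Subject" or v.startswith(tag) else tag + v) for n, v in headers]
```

Because DKIM takes the bottom-most instance of each signed header, a second Subject prepended above the original would also leave the signed data intact, which is the mechanism behind the idea floated in comment 2.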