[Mailman-Developers] feature request: one-click setting to preserve DKIM

Monica Chew mmc at googlers.com
Wed Dec 7 00:58:00 CET 2011


> My own personal feeling is that having lists re-sign messages is the best
> expectation to put forward.  You're subscribed to a mailing list, so you trust
> that list much more than you trust the senders on that list.  So having the
> mailing list site re-sign the outgoing messages seems to me to be best
> practice.  My inclination is that removing the original author's signature
> first is not entirely inappropriate.

This is why Google Groups removes incoming DKIM signatures and
re-signs, because chances that the original signature survives are
vanishingly small given most people's list settings.

> Note too that Mailman supports anonymizing list traffic to the extent that it
> would wipe out the original From header.  Some lists turn this on for a higher
> degree of privacy than you see on most open discussion lists.  In that case,
> the From header would look like it's coming from the mailing list, and then it
> would make the most sense to remove any original signature and leave only the
> list's signature.

If From is wiped out, great! Problem solved, at least for me.

>>The trick, of course, is not just to do something like this, but to get MUA
>>buy-in.  That is, when a signature validates and it presents a domain name
>>that matches some identifier, change the presentation of the message to show
>>this in some meaningful way.  And then make sure in doing so that you don't
>>inadvertently discredit legitimate messages for which that's not true.
>
> Right.  So, Gmail is probably the 800lb MUA gorilla here.  Monica, do you have
> any thoughts on how you could run such an experiment and find out what is most
> useful to your users?

In a sense we are already experimenting here. For example, this year
there are new UI warnings when the payload From says gmail, but the
message is not signed by Gmail
(https://mail.google.com/support/bin/answer.py?answer=185812).[1] This
either appears as a "this message was sent via <DKIM or SPF domain>"
informational bar or a more serious warning, "this message may not have
been sent by foo at gmail.com", if the message doesn't authenticate at
all. Needless to say this is affecting lots of list traffic, and many
people don't like it:

http://snowulf.com/2011/06/29/gmail-thinks-this-message-may-not-have-been-sent-by-you/
http://www.yellowjug.com/how-to/gmail-phishing-alert-mailman-mailing-lists-spf-record/
http://www.drake.org.uk/2011/06/googles-new-gmail-phishing-detection-system-hates-mailman/

The pipe-dream fix for this, at least as far as mailing lists go, is
to do better mailing list detection on the recipient side and maintain
a list of lists that the user belongs to for suppressing warnings. We
can't just ignore all mail that has a List-Id, though, because that's
much too easy to forge.

Thanks,
Monica

[1] Why are we doing this? Well, it turns out that account hijacking
has been a huge problem in the last couple of years, and along with
theft of contact information, phishing scams have gotten more
sophisticated, appearing to come from people that you know. Since
Gmail signs all outbound mail, adding warnings was one easy way to warn
users when they get mail from someone pretending to be their contact
but not actually coming from Gmail.
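
The warning tiers and the List-Id caveat described in the message above, as an added example that is not part of the original post and is not Gmail's implementation. It assumes the receiving MTA writes a trusted Authentication-Results header, and it goes one step beyond the post by requiring that a subscribed list's own domain authenticated the message; the `SUBSCRIBED` table, `sample()` helper and all example.* names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed state: List-Id of each list the user joined -> domain that
# list authenticates as (hypothetical names, not from the original post).
SUBSCRIBED = {"dev.lists.example.org": "lists.example.org"}

def authenticated_domains(msg):
    """Domains with dkim=pass (header.d) or spf=pass (smtp.mailfrom).
    Assumes the receiving MTA removed sender-supplied copies of the header."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for method, prop in (("dkim", "header.d"), ("spf", "smtp.mailfrom")):
            pattern = rf"\b{method}=pass\b[^;]*?\b{re.escape(prop)}=([^\s;]+)"
            for hit in re.findall(pattern, value, re.I):
                found.add(hit.rsplit("@", 1)[-1].lower())
    return found

def classify(raw, subscribed=SUBSCRIBED):
    """Return the warning tier for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domains = authenticated_domains(msg)
    if sender.rsplit("@", 1)[-1] in domains:
        return "none"                      # From domain authenticated
    # List-Id by itself is forgeable, so it only suppresses the warning when
    # it names a subscribed list AND that list's domain authenticated the mail.
    m = re.search(r"<([^>]+)>", msg.get("List-Id", ""))
    if m and subscribed.get(m.group(1).lower()) in domains:
        return "none"
    if domains:
        return "sent via " + sorted(domains)[0]
    return "may not have been sent by " + sender

def sample(list_id, auth):
    """Build a constructed test message with From: alice@gmail.com."""
    headers = ["From: Alice <alice@gmail.com>", "Subject: hi",
               "Authentication-Results: mx.example.net; " + auth]
    if list_id:
        headers.append("List-Id: Dev <%s>" % list_id)
    return "\n".join(headers) + "\n\nbody\n"

if __name__ == "__main__":
    # A List-Id the user knows, but authenticated by an unrelated domain.
    print(classify(sample("dev.lists.example.org", "dkim=pass header.d=bulk.example.net")))
```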

