
My own personal feeling is that having lists re-sign messages is the best expectation to put forward. You're subscribed to a mailing list, so you trust that list much more than you trust the senders on that list. So having the mailing list site re-sign the outgoing messages seems to me to be best practice. My inclination is that removing the original author's signature first is not entirely inappropriate.
This is why Google Groups removes incoming DKIM signatures and re-signs, because chances that the original signature survives are vanishingly small given most people's list settings.
Note too that Mailman supports anonymizing list traffic to the extent that it would wipe out the original From header. Some lists turn this on for a higher degree of privacy than you see on most open discussion lists. In that case, the From header would look like it's coming from the mailing list, and then it would make the most sense to remove any original signature and leave only the list's signature.
If From is wiped out, great! Problem solved, at least for me.
The trick, of course, is not just to do something like this, but to get MUA buy-in. That is, when a signature validates and it presents a domain name that matches some identifier, change the presentation of the message to show this in some meaningful way. And then make sure in doing so that you don't inadvertently discredit legitimate messages for which that's not true.
Right. So, Gmail is probably the 800lb MUA gorilla here. Monica, do you have any thoughts on how you could run such an experiment and find out what is most useful to your users?
In a sense we are already experimenting here. For example, this year there are new UI warnings when the payload From says gmail, but the message is not signed by Gmail (https://mail.google.com/support/bin/answer.py?answer=185812).[1] This either appears as a "this message was sent via <DKIM or SPF domain>" informational bar or as a more serious warning, "this message may not have been sent by foo@gmail.com", if the message doesn't authenticate at all. Needless to say, this is affecting lots of list traffic, and many people don't like it:
http://snowulf.com/2011/06/29/gmail-thinks-this-message-may-not-have-been-se...
http://www.yellowjug.com/how-to/gmail-phishing-alert-mailman-mailing-lists-s...
http://www.drake.org.uk/2011/06/googles-new-gmail-phishing-detection-system-...
The pipe-dream fix for this, at least as far as mailing lists go, is to do better mailing list detection on the recipient side and maintain a list of lists that the user belongs to for suppressing warnings. We can't just ignore all mail that has a List-Id, though, because that's much too easy to forge.
Thanks, Monica
[1] Why are we doing this? Well, it turns out that account hijacking has been a huge problem in the last couple of years, and along with theft of contact information, phishing scams have gotten more sophisticated, appearing to come from people that you know. Since Gmail signs all outbound mail, adding warnings was one easy way to warn users when they get mail from someone pretending to be their contact but not actually coming from Gmail.
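
The warning tiers and the "list of lists" suppression discussed in this message can be sketched as follows. This is an added example, not part of the original post and not Gmail's implementation. It assumes the Authentication-Results header was written by the receiver's own MTA; the tier names, the `protected` parameter, and the extra requirement that the List-Id host fall under an authenticated domain are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def auth_domains(msg):
    """Domains with a passing DKIM or SPF result (trusted receiver-added header)."""
    passed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        passed.update(d.lower() for d in re.findall(
            r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", hdr))
        passed.update(d.lower() for d in re.findall(
            r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^\s;@]*@)?([\w.-]+)", hdr))
    return passed

def classify(raw, subscribed_lists, protected="gmail.com"):
    """Return the warning tier for one raw message (tier names are hypothetical)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    passed = auth_domains(msg)
    if from_dom != protected or protected in passed:
        return "no_warning"
    m = re.search(r"<([^<>]+)>", msg.get("List-Id", ""))
    lid = m.group(1).lower() if m else None
    # A bare List-Id is forgeable, so it only counts when the user subscribed
    # to that list AND the list's own domain authenticated (assumed policy).
    if lid in subscribed_lists and any(
            lid == d or lid.endswith("." + d) for d in passed):
        return "no_warning_known_list"
    if passed:
        return "sent_via:" + sorted(passed)[0]
    return "may_not_be_from_sender"

def sample(auth, list_id=None):
    """Build a constructed test message; all domains are example values."""
    hdrs = ["From: Alice <alice@gmail.com>",
            "Authentication-Results: mx.example.net; " + auth]
    if list_id:
        hdrs.append("List-Id: Discuss <%s>" % list_id)
    return "\n".join(hdrs) + "\n\nhello\n"

SUBSCRIBED = {"discuss.lists.example.org"}
DIRECT = sample("dkim=pass header.d=gmail.com")
VIA_LIST = sample("dkim=pass header.d=lists.example.org", "discuss.lists.example.org")
FORGED_LIST = sample("dkim=none; spf=fail smtp.mailfrom=x@bad.example", "discuss.lists.example.org")
VIA_RELAY = sample("dkim=none; spf=pass smtp.mailfrom=bounce@relay.example.com")

if __name__ == "__main__":
    for name in ("DIRECT", "VIA_LIST", "FORGED_LIST", "VIA_RELAY"):
        print(name, classify(globals()[name], SUBSCRIBED))
```

The same re-signed list message falls back to the "sent via" tier when the recipient is not subscribed to that list, and a message that carries the List-Id but no passing authentication still gets the stronger warning.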