I've noticed of late that emails sent by yahoo users that get relayed by mailman end up without the domainkey header entry [1] and thus in various yahoo users' bulk (i.e. spam) folder. Is there anything that can be done to remedy this issue? Can a site's mailman application add a locally qualified domainkey entry header (or keep the original entry as-is)? If so, how and/or is there a place I can read more about this (didn't see any mention in the FAQ).
[1] http://antispam.yahoo.com/domainkeys
Regards,
- Nadim
"Nadim" == Nadim Shaikli <shaikli@yahoo.com> writes:
Nadim> I've noticed of late that emails sent by yahoo users that
Nadim> get relayed by mailman end-up without the domainkey header
Nadim> entry and thus in various yahoo users' bulk (ie. spam)
Nadim> folder. Is there anything that can be done to remedy this
Nadim> issue ? Can a site's mailman application add a locally
Nadim> qualified domainkey entry header (or keep the original
Nadim> entry as-is) ?
According to the DomainKeys FAQ:
How does DomainKeys work with mailing lists?
Mailing lists that do not change the content or re-arrange or append headers will be DomainKey compatible with no changes required. Mailing lists that change the message and headers should re-sign the message with their own private key and claim authorship of the message.
Unfortunately, standard mailing lists will change/append certain headers, breaking the signature. Specifically, Mailman does change the Sender header, which means DomainKeys can't just pass through. You need to re-sign.[1]
Based on that page, AFAICT it would be a bad idea for list management software like Mailman to support DomainKeys itself[2], except that it should optionally be configured to check for DomainKeys flags from the incoming MTA, and optionally submit the mail to the DomainKeys submission service port instead of SMTP for outgoing mail. Mailman supports both of those configurations already. Then you should get an MTA that supports DomainKeys (see the DomainKeys FAQ for a list), and you'll also have to fix up your DNS to publish the keys.
Note that it's unclear whether implementing DomainKeys yourself will help very much, as it depends on whether the users care which domain has been authenticated, or if simply proving that you're not a spoof is enough. Probably most users will just look for unspoofed mail and let it through, and you'll be fine, but that depends on your user base. You may have to educate them to add your domain to the list they accept.
Footnotes:
[1] It looks to me like "claim authorship" is in error. As far as I can tell from the DomainKeys page, DomainKeys verifies the sending domain, not the author's domain, although the page refers to authors and From several times.
[2] Mailman is just one user of the typical system, and is not the domain "owner". Since DomainKeys authenticates domains rather than users, it should be done by the domain's mail server, not by user mail agents. (You have to reconfigure the DNS even if the mailing list manager does the signing, so even with signing implemented in Mailman you would need very high administrative privilege to implement DomainKeys.)
--
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Ask not how you can "do" free software business;
ask what your business can "do for" free software.
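A way to see which of the effects discussed in this thread hit a given message, as an added example (not part of the original posts and not Mailman code): it compares a message as sent with the copy a list delivered and reports a dropped signature header, changed signed headers, and a changed body. The sample messages are constructed, and treating the `h=` tag as the list of signed headers is an assumption of this sketch; it performs no cryptographic verification.

```python
from email import message_from_string

def dk_tags(msg):
    """Return the tag=value pairs of DomainKey-Signature, or None if the header is absent."""
    sig = msg.get("DomainKey-Signature")
    if sig is None:
        return None
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            # Drop folding whitespace so "\n h" and "h" are the same tag.
            tags["".join(key.split())] = "".join(value.split())
    return tags

def relay_findings(original_raw, relayed_raw):
    """List the differences between sent and relayed copies that would break verification."""
    orig = message_from_string(original_raw)
    relayed = message_from_string(relayed_raw)
    tags = dk_tags(orig)
    if tags is None:
        return ["original was not signed"]
    findings = []
    if relayed.get("DomainKey-Signature") is None:
        findings.append("signature header dropped")
    # Assumption: h= names the signed headers; without it, treat every header as signed.
    if "h" in tags:
        signed = tags["h"].lower().split(":")
    else:
        signed = sorted({k.lower() for k in orig.keys()} - {"domainkey-signature"})
    for name in signed:
        if orig.get_all(name) != relayed.get_all(name):
            findings.append("signed header changed: " + name)
    if orig.get_payload() != relayed.get_payload():
        findings.append("body changed")
    return findings

# Constructed sample: a signed message, and the same message after a list relay
# that rewrote Sender and appended a footer.
ORIGINAL = ("DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel1; d=example.com;\n"
            " h=from:to:subject:sender; b=CONSTRUCTED\n"
            "From: alice@example.com\nSender: alice@example.com\n"
            "To: list@lists.example.org\nSubject: hello\n\nHi all.\n")
RELAYED = ORIGINAL.replace("Sender: alice@example.com",
                           "Sender: list-bounces@lists.example.org") + "-- \nlist footer\n"

if __name__ == "__main__":
    for finding in relay_findings(ORIGINAL, RELAYED):
        print(finding)
```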