[Bug 557493] [NEW] Mailman must not strip DKIM-Signature headers

James Ralston ralston at pobox.com
Wed Apr 7 20:21:11 CEST 2010

Public bug reported:

I reviewed the discussion that led to the decision to have Mailman strip
DomainKey-Signature and DKIM-Signature headers:


This may have been the correct action to take in 2006. But since then,
the DKIM standard has been finalized (RFC4871), and it contains:

3.5.  The DKIM-Signature Header Field

   The DKIM-Signature header field SHOULD be treated as though it were a
   trace header field as defined in Section 3.6 of [RFC2822], and hence
   SHOULD NOT be reordered and SHOULD be prepended to the message.

RFC2822 defers to RFC2821, which has been replaced by RFC5321, which

4.4.  Trace Information

   An Internet mail program MUST NOT change or delete a Received: line
   that was previously added to the message header section.  SMTP
   servers MUST prepend Received lines to messages; they MUST NOT change
   the order of existing lines or insert Received lines in any other

Ergo, Mailman MUST NOT strip DKIM-Signature headers. Even if Mailman
knows that actions it will take with the message will invalidate one or
more DKIM-Signature headers, those (now-invalid) signatures MUST be left
intact. DKIM-Signature headers must be treated exactly like trace
(Received) headers.

This isn't simply a case of doing the right thing just for standards
compliance: although DKIM states that MTAs can't treat the lack of a
DKIM signature any differently than an invalid DKIM signature, the
presence of a DKIM-Signature header (even invalid) is a consumable item
for MUAs; e.g., a token for Bayesian anti-spam systems. (For example, we
currently receive *zero* spam with forged DKIM-Signature headers for our
own domain. Zero. Thus, even an invalid DKIM-Signature header is
incredibly useful to have.)

The fix for this is simple; just remove this line from

    del msg['dkim-signature']

As for DomainKeys, although the DomainKeys protocol is now historical,
RFC4870 states:

3.5.2.  Determining Whether an Email Should Be Signed

   A signer MUST NOT sign an email that already contains a "DomainKey-
   Signature:" header unless a "Sender:" header has been added that was
   not included in the original signature.  The most obvious case where
   this occurs is with mailing lists.

   A signer SHOULD NOT remove an existing "DomainKey-Signature:" header.

The difficulty here is that the signer (downstream from Mailman) cannot
guarantee that a Sender header was added that was not included in the
original signature, but it is forbidden from adding another DomainKey-
Signature header if that wasn't the case. I suspect this is why many
(most?) DomainKeys signers simply refrain from signing if a DomainKey-
Signature header is already present, which is the behavior that Joe
Peterson observed, and led to the decision to unconditionally strip all
DomainKey-Signature and DKIM-Signature headers.

Thus, I think Mailman stripping DomainKey-Signature headers is probably
still the best choice; leaving them will all but guarantee that any
downstream DomainKey-signer will refrain from generating a DomainKey-
Signature. This isn't optimal, of course, but implementation ambiguities
like this are why DomainKeys is now historical.

But Mailman absolutely needs to cease stripping DKIM-Signature headers.
(And really, CleanseDKIM.py should be renamed to CleanseDomainKeys.py.)

** Affects: mailman
     Importance: Undecided
         Status: New

Mailman must not strip DKIM-Signature headers
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

More information about the Mailman-coders mailing list