[Mailman-Developers] feature request: one-click setting to preserve DKIM

[Murray S. Kucherawy]

> -----Original Message-----
> From: mailman-developers-bounces+msk=cloudmark.com at python.org [mailto:mailman-developers-bounces+msk=cloudmark.com at python.org] On Behalf Of Barry Warsaw
> Sent: Monday, December 05, 2011 4:54 PM
> To: Monica Chew
> Cc: Terri Oda; mailman-developers at python.org
> Subject: Re: [Mailman-Developers] feature request: one-click setting to preserve DKIM
> 
> On Dec 05, 2011, at 03:50 PM, Monica Chew wrote:
> >Having worked in the DKIM-for-anti-phishing space for a couple of
> >years, there is no good way to solve the DKIM problem in Mailman.
> 
> I think this is the one big lesson from these discussions: DKIM is
> mostly incompatible with mailing lists.  Where the two must be
> integrated, some usability will likely be compromised.

It depends on your expectations.  If there's an expectation that the author's signature will/should/must persist through a mailing list, then I agree that they're largely incompatible.  If on the other hand you intend for lists to re-sign mail and for receivers to evaluate the message based on the list signature rather than the author signature, then it's entirely workable.  Of course, sometimes the author signature will indeed survive, and then you have two domains to evaluate instead of one.  Bonus!

As Monica points out, DKIM itself is oblivious to the context in which it's being used.

> I'm no DKIM expert by far, but it seems to me that a mailing list
> message has enough clues that a DKIM verifier could do a better job at
> helping recipients make good choices.  For example, all Mailman
> messages have a List-Id header that contains the domain name hosting
> the list server.  With re-signing, why couldn't you verify the
> signature against the List-ID host instead of the original sender?

You could.  The issue isn't that doing so is wrong or impossible.  It's simply that those semantics aren't built into DKIM, largely because we have no evidence that that's a useful test.

The ESP community has argued that third-party signatures (those different than the one in the From: field) shouldn't be valued any less than one that does match, for various reasons.  That argument was apparently persuasive.

ADSP, and a draft I'm advancing called ATPS, extend DKIM's semantics to do more than just say "domain X handled this message" (which is really all a valid DKIM signature tells you).  They both attempt to say things based on whether the domain delivered as part of a valid DKIM signature matches some identifier in the message, like the domain in the From: or in the List-ID field.  If Mailman (or an MUA, or a filter, or something) implements such checks and finds that it's operationally beneficial to end users do so, then it could publish that mechanism in an RFC or elsewhere, and people could start to use it.  The resistance isn't that this is a bad idea, but just that there's no evidence to back it up that would justify its standardization.

The trick, of course, is not just to do something like this, but to get MUA buy-in.  That is, when a signature validates and it presents a domain name that matches some identifier, change the presentation of the message to show this in some meaningful way.  And then make sure in doing so that you don't inadvertently discredit legitimate messages for which that's not true.

-MSK