[Mailman-Users] DKIM best practise

Yasir Assam mail at endlessvoid.com
Mon Jun 22 04:32:23 CEST 2015

Many thanks for your response Mark.

Comments below.

On 22/06/2015 1:46 AM, Mark Sapiro wrote:
> On 06/20/2015 06:39 PM, Yasir Assam wrote:
>> I'm using mailman 2.1.18 on Debian Jessie with exim4. I have full
>> personalisation and verp turned on.
>> What should I do about DKIM?
>> At the moment I preserve the original poster's DKIM header and my list's
>> MTA also adds DKIM to all outgoing mail.
> This is good and is the best you can do.

I noticed that this list, mailman-users at python.org, doesn't add a DKIM
header unless the list itself generates the email, i.e. the email you
sent to this list only has your DKIM header (d=msapiro.net), whereas the
original welcome email has DKIM with d=python.org. On my list, I'm
adding a DKIM header for the list domain, even though the From: header
isn't the list. In other words, if alice at gmail.com posts to
list at example.com, my MTA was still adding a d=example.com DKIM header
when resending her email via the list, even when From: is alice at gmail.com.

Is it right to do this?

I subscribed to mailman-users at python.org using a Yahoo address, and
interestingly, 2 emails ended up in spam (one of which was my original
post, which is from a non-yahoo address).

>> If I set from_is_list to Munge, hotmail users can't reply to the list,
>> even when they hit Reply All (if I try doing Reply All from a hotmail
>> account, I only see the sender's address, not the list address). If it
>> wasn't for this hotmail problem, I'd probably prefer to have a munged
>> from header.
> With Munge From and Full Personalization, delivered posts will be From:
> the list with Reply-To: the poster and To: the recipient. Hotmail is
> taking the Reply-To: as overriding the From: even for reply-all and with
> Full Personalization, the From: is the only header (other than
> List-Post) with the list address.

This isn't quite true in my case. You're right about all the headers,
except that Mailman is adding a CC field with the list address. To be
clear, using Full Personalisation and Munge From:

From: list address
Reply-to: poster
To: recipient
CC: list address

Given that CC contains the list address, you'd expect Hotmail to include
it as a recipient when doing Reply All, but it doesn't!

>> If I set from_is_list to No, the hotmail Reply All problem goes away,
>> but now Yahoo-sent email ends up in Yahoo's spam (i.e. if
>> bob at yahoo.com.au sends to list at example.com, bob receives the email he
>> just posted in his spam folder, not in his inbox). I'm specifically
>> talking about a yahoo.com.au address (I haven't tried yahoo.com yet).
> Yahoo.com.au publishes DMARC p=none. Yahoo.com publishes DMARC p=reject.
> Without some Munge From, Wrap Message or anonymous_list transformation,
> yahoo.com mail will not be accepted by Yahoo, Hotmail and many other ISPs.

Yes, I read about this recently. My test list doesn't yet contain any
yahoo.com addresses.

> As far as the mail from yahoo.com.au ending up in spam, removing the
> broken DKIM sig may help (REMOVE_DKIM_HEADERS = 2). It shouldn't matter
> (see below), but it may help.

I think I tried this but it didn't make a difference to Yahoo's spam filter.

>> Just to be clear, when from_is_list is No, the DKIM header I'm adding is
>> for the list domain, e.g. if the list is list at example.com then
>> d=example.com in my added DKIM header.
>> Here's an example Authentication-Results added by a gmail subscriber
>> receiving a post from a yahoo.com.au subscriber (names changed):
>> Authentication-Results: mx.google.com;
>>        spf=pass (google.com: domain of
>> list-bounces+bob=gmail.com at example.com designates x.x.x.x as permitted
>> sender) smtp.mail=list-bounces+bob=gmail.com at example.com;
>>        dkim=pass header.i=@example.com;
>>        dmarc=fail (p=NONE dis=NONE) header.from=yahoo.com.au
>> So what is the recommended way of doing this? Should I not bother adding
>> a DKIM header to mailman-sent emails? Should I strip the original DKIM
> What you are doing is correct and good practice. Removing incoming DKIM
> headers probably won't help. The DKIM standard says an invalid DKIM
> signature and no DKIM signature SHOULD be treated the same (RFC 6376/STD
> 76, sec 6.3).
>> Is there any way I can get hotmail to reply to the list when the From:
>> header is munged? Is munging considered bad form (when not mitigating
>> DMARC reject policies)?
> There are a few things you can do.
> You can turn off Full Personalization which will leave the list address
> in To: and Hotmail's reply-all should include it.

Hotmail doesn't include it. I tried Full Personalisation off, Munge on,
with the following headers:

From: list address
Reply-to: poster
To: list address

In Hotmail, Reply All only includes poster, not list address (despite
list address appearing in To field).

> You can set reply_to_list to this list which will put the list address
> in Reply-To: (along with the poster's address), but this will make it
> more difficult to reply only to the poster as a simple reply will also
> include the list.

I used to have this on years ago, and what happened was that repliers
were sending private mail to the whole list when they only intended it
for the original poster. I ended up getting complaints and had to turn
it off.

> There are some changes in this area in 2.1.19 (see
> <https://bugs.launchpad.net/mailman/+bug/1407098>), but I don't think
> they help your situation.
> You could modify CookHeaders.py to add the poster's address to Cc:
> rather than Reply-To: in your case.

If munging is on, and I put the poster address in CC: rather than
Reply-to: won't that mean a single Reply (not Reply All) will go to the
list address?

> You should also consider using dmarc_moderation_action rather than
> from_is_list to only Munge From when 'necessary'.

The reason I tried from_is_list = Munge is because I wanted valid DKIM
headers (added by my MTA). When I used Munge with DKIM added to all list
mail, yahoo didn't mark any mail as spam. I would have stuck with it if
I didn't have the hotmail Reply All problem.
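
Added example, not part of the original message: a Python sketch of the DMARC identifier-alignment check, showing why the quoted Authentication-Results reports dkim=pass for d=example.com yet dmarc=fail for header.from=yahoo.com.au, and why a munged From: aligns. The function names, the two-entry suffix set standing in for the Public Suffix List, and the sample header (rebuilt from the quoted one with "@" restored and a placeholder IP) are assumptions.

```python
import re

# Simplified stand-in for the Public Suffix List (assumption for this sample).
MULTI_LABEL_SUFFIXES = {"com.au", "co.uk"}

# Constructed sample: the header quoted above with "@" restored and a
# documentation IP (192.0.2.1) in place of x.x.x.x.
SAMPLE = """Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of list-bounces+bob=gmail.com@example.com
 designates 192.0.2.1 as permitted sender)
 smtp.mail=list-bounces+bob=gmail.com@example.com;
       dkim=pass header.i=@example.com;
       dmarc=fail (p=NONE dis=NONE) header.from=yahoo.com.au"""

def org_domain(domain):
    """Organizational domain used for relaxed DMARC alignment."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def parse_auth_results(header):
    """Collect passing SPF/DKIM domains and the From: domain from one header."""
    # Unfold continuation lines, then drop parenthesised comments.
    text = re.sub(r"\([^)]*\)", "", " ".join(header.split()))
    out = {"spf": None, "dkim": [], "from": None}
    dom = lambda v: v.rsplit("@", 1)[-1].lower()
    for clause in text.split(";")[1:]:          # skip the authserv-id
        props = dict(re.findall(r"([\w.]+)=(\S+)", clause))
        if props.get("spf") == "pass" and "smtp.mail" in props:
            out["spf"] = dom(props["smtp.mail"])
        if props.get("dkim") == "pass":
            out["dkim"].append(dom(props.get("header.i") or props.get("header.d", "")))
        if "dmarc" in props and "header.from" in props:
            out["from"] = dom(props["header.from"])
    return out

def dmarc_aligned(from_domain, spf_domain, dkim_domains):
    """Return the authenticated domains that align with From: (empty = DMARC fail)."""
    target = org_domain(from_domain)
    return [d for d in [spf_domain, *dkim_domains] if d and org_domain(d) == target]

if __name__ == "__main__":
    r = parse_auth_results(SAMPLE)
    # from_is_list = No: From: stays at the poster's domain, nothing aligns.
    print("poster From:", dmarc_aligned(r["from"], r["spf"], r["dkim"]))
    # Munge From: From: becomes the list domain, SPF and DKIM both align.
    print("munged From:", dmarc_aligned("example.com", r["spf"], r["dkim"]))
```
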


