[BALUG-Admin] BALUG-Talk and SPF/DKIM

[Rick Moen]

Cc'ing balug-admin.

Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):

> I did also try some testing ... posted from @gmail.com, @yahoo.com, and
> at least two different ways from another ISP ... and I didn't spot any
> issues posting (used BALUG-Test for such tests).  And, I think both
> Gmail and Yahoo! are relatively heavy on the use of SPF and DKIM
> (and/or DMARC?) 

To clarify, DMARC is an omnibus package, invented by Yahoo, of
anti-forgery technologies that incorporates Yahoo's DKIM (DomainKey
Identified Mail, a successor to Yahoo's DomainKeys) and Meng Wong's SPF.

Mailing list manager (MLM) package have no problem with SPF because 
they supply an entirely fresh SMTP envelope on the retransmission to
subscribers.  In this, they differ from cross-system /etc/aliases and
~/.forward entries, which do _not_ supply a new envelope.

MLM packages have big problems with Yahoo's standards (the DKIM portion
of DMARC, and legacy DomainKeys) because MLM's modifications to posting
text and headers upon retranmission to subscribers have a strong tendency 
to break DKIM's (and DomainKeys's) cryptographic attestation about the
integrity of the text and headers.

The specific Mailman munging kludge I recommended addresses this problem
by dumbing down Mailman's treatment of the internal 'From: ' header
where necessary to avoid breaking DKIM (/DomainKeys) attestation.  The
cost of this is grievous, substitution of the mailing list's originating
address for the user's, but this is the least amount of damage that
appears able to make Mailman cope with what IMO is a really crappy and
MLM-hostile antiforgery design.

I _really_ detest DKIM and DMARC, and think Yahoo, Inc. botched them,
but detesting them doesn't make them go away.  And naturally yahoo.com
is the worst offender in deploying an aggressive DMARC policy, with
GMail not far behind.

OTOH, if you say your test mailings from those domains worked, good.
I hope that continues.