On Sat, 20 Jul 2024, James Ralston wrote:

> On Thu, Jul 18, 2024 at 5:14 AM Stuart Henderson <stu@xxxxxxxxxxxxxxx> wrote:
>
> > The mail admins can choose what is covered by the DKIM signature.
> > In the case of barclays.com there are various headers (which I think
> > make it through the mailing list untouched) but also the body, which
> > does not; a footer with the list URL is added.
>
> The real issue here is that the Mailman configuration for the
> openssh-unix-dev list does not appear to set `dmarc_moderation_action`
> (in `Privacy options` - `Sender filters`) to either `Munge From` or
> `Wrap Message`, which is necessary for lists where either of the
> following is true:
>
> 1. The list accepts posts from senders whose domain applies DMARC
>    policy (`p=reject` or `p=quarantine`) but only implements SPF, not
>    DKIM. (Resending a message through a mailing list will always
>    invalidate SPF unless SRS (1) is used, and almost no one bothers
>    with SRS.)
>
> 2. The list accepts posts from senders whose domain applies DMARC
>    policy (`p=reject` or `p=quarantine`), and the list is configured
>    to modify messages sent to the list (add a Subject: header tag, add
>    a footer, et al.). (Modifying messages will invalidate the DKIM
>    signature.)
>
> When affected senders (either group #1 or group #2) post to the list,
> all list subscribers whose MTAs apply/obey DMARC policy will take the
> action the sender’s domain’s DMARC policy declares (reject outright,
> or quarantine / flag as spam).
>
> Damien, is there any possibility of updating the Mailman
> `dmarc_moderation_action` setting (2)? DMARC isn’t going anywhere;
> the big mail providers are either already requiring it to some
> degree (3), or have said they will start requiring it soon.

Thanks, I've set this option and will trial it for a couple of weeks.
If nothing breaks then I'll make it permanent.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
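
The failure discussed in this thread, as an added example that is not part of the original messages: an appended list footer changes the DKIM body hash, so neither DKIM nor SPF aligns with the author's domain at the subscriber's MTA, while `Munge From` moves the DMARC check to the list's own domain. The domains, message body and footer are constructed, and the two-label organizational-domain comparison is a simplifying assumption (real DMARC uses the Public Suffix List).

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares against the bh= tag for *-sha256 signatures."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def org_aligned(a: str, b: str) -> bool:
    # Assumption: the last two labels stand in for the organizational domain.
    # A real DMARC evaluator derives it from the Public Suffix List.
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]

def dmarc_result(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes if SPF or DKIM passes AND aligns with the From: domain."""
    spf_ok = spf_pass and org_aligned(from_domain, spf_domain)
    dkim_ok = dkim_pass and org_aligned(from_domain, dkim_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample: a post from sender.example relayed by lists.example.org.
ORIGINAL = b"Hello list,\r\n\r\nPatch attached.\r\n"
FOOTER = b"_______________________________________________\r\nexample-list mailing list\r\n"
SIGNED_BH = body_hash(ORIGINAL)  # what the sender's MTA placed in bh=

def at_subscriber(munge_from: bool) -> str:
    """DMARC verdict at a subscriber's MTA after the list appends its footer."""
    delivered = ORIGINAL + FOOTER
    dkim_pass = body_hash(delivered) == SIGNED_BH  # False: the body changed
    from_domain = "lists.example.org" if munge_from else "sender.example"
    # SPF is evaluated on the envelope sender, which is the list's bounce
    # address (assumed here to be authorised by the list domain's SPF record).
    return dmarc_result(from_domain, True, "lists.example.org",
                        dkim_pass, "sender.example")

if __name__ == "__main__":
    print("From left as-is:", at_subscriber(munge_from=False))
    print("Munge From:     ", at_subscriber(munge_from=True))
```
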