> It wasn't spam that broke it, but the Big N "solutions" to spam like DKIM.

There are no other viable or better alternatives.

> Mails, which fail a DKIM verification can only be discarded safely, when
> the _adsp record of the sender says dkim=discardable in all other cases,
> the mail should get delivered, see under [...]

RFC 5617 is historic/deprecated, it has never been usable anywhere.

> This DKIM issue can only be addressed from your admin to take into
> account, that mailing list software do exist, are used and aren't 100%
> compatible with DKIM, and as well that some admins configure DKIM in a bad
> way for mailing lists.

It's very simple, a mailing list MUST respect the sender domain's DMARC. If
you break DKIM you must rewrite From, add your own DKIM. You might want to
remove the broken signature if some goofball rejects letters based on just
DKIM fail. If the incoming letter does not have DKIM but the sender domain
does have SPF, then you must rewrite From (and always add your own DKIM).
If you don't break DKIM then you're good (unless some other goofball
follows SPF fail instead of DKIM pass/DMARC pass). ARC is strongly
recommended in all cases, but if you just break the chain, you should
remove it entirely.

It's just how it is, forgery and phish are real problems, things have to
adapt to stay secure.

On Tue, Dec 12, 2023 at 8:19 PM Adrian Zaugg <[email protected]> wrote:

> Hi Joe
>
> Your admin should be more precise: The mailing list or the servers that send
> the mail for the list do not add a DKIM header, only some of the member mail
> server do add a DKIM header.
>
> Because a mailing list software alters some headers, like the subject, such
> headers should not be used in DKIM, it leads to a failed verification. Mails,
> which fail a DKIM verification can only be discarded safely, when the _adsp
> record of the sender says dkim=discardable in all other cases, the mail should
> get delivered, see under [1].
>
> This DKIM issue can only be addressed from your admin to take into account,
> that mailing list software do exist, are used and aren't 100% compatible with
> DKIM, and as well that some admins configure DKIM in a bad way for mailing
> lists.
>
> That means upon receiving a mail: Do not decide to never discard mails having
> a failed DKIM verification, give them a higher SPAM score instead. Decrease
> the SPAM score for mails having a List-... header (resp. use the corresponding
> test from spamassassin, if applicable).
>
> Furthermore your admin should change your DKIM record not to contain the
> subject, content-type and mime-version, which helps to verify a DKIM
> successfully even if the mail was altered by a mailing list software.
>
> Regards, Adrian.
>
> [1] https://dkim.org/specs/draft-ietf-dkim-ssp-04.html
>
> In the message of Tuesday, 12 December 2023 14:50:17 CET it says:
> > Emails that I receive from tuxfamily.org for this group are being blocked by
> > my organization, reportedly for security because of a failed DKIM lookup.
> > My sysadmin indicated that the DKIM in DNS would need to be fixed. I tried
> > sending an email to the tuxfamily.org admin a while back but got no
> > response. I probably won't receive the responses to this if you respond to
> > the group. Perhaps you can reply to me directly. I do apologize for this
> > being off topic. I'd like to continue receiving these emails but can't if
> > this DKIM issue isn't addressed. If any of you are able to look into this,
> > it would be greatly appreciated. Thanks. Happy Holidays!
>
> >
> > Joe Smith
> >
> > Senior Software Engineer
> >
> > Phoenix Defense
> >
> > 200 East Palm Valley Drive | Suite 2000 | Oviedo, Florida 32765
> > 800-RIPTIDE
> >
> > joe.s[email protected]
> >
> >
> > This email and any attachments to it are intended only for the identified
> > recipients. It may contain proprietary or otherwise legally protected
> > information of Phoenix Defense.
>
> > Any unauthorized use or disclosure of this communication is strictly
> > prohibited. If you have received this communication in error, please notify
> > the sender and delete or otherwise destroy the email and all attachments
> > immediately.
>
>
>
> --
>            -°)
> ~~~~~~~~~~~~(_^/~~~~
>
>   Adrian Zaugg
>   Zweierstrasse 56
>   CH-8004 Zürich
>
>   044 291 02 38
> ____________________
>
>
> (This eMail gets best displayed
>  using a monospace font.)
>
> # Retrieve my public GPG key:
>   gpg --locate-external-keys [email protected]
>
>

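The mailing-list rules stated in the reply at the top of this message (rewrite From and add the list's own DKIM when the list breaks the signature, or when the letter is unsigned and the sender domain has SPF), together with the quoted point about signed headers such as Subject, can be written as a check a list runs before redistributing a message. This is an added example, not code from the thread or from any list software; `list_plan`, its parameters and the sample messages are assumptions, SPF presence is passed in rather than looked up in DNS, and any body change is treated as breaking the signature.

```python
import re
from email import message_from_string

def signed_headers(msg):
    """Lowercased header names from the h= tag of every DKIM-Signature, or None if unsigned."""
    sigs = msg.get_all("DKIM-Signature")
    if not sigs:
        return None
    names = set()
    for sig in sigs:
        # Match the h= tag only: it must follow ';' or the start, so "bh=" is not picked up.
        m = re.search(r"(?:^|;)\s*h\s*=\s*([^;]+)", sig)
        if m:
            names.update(h.strip().lower() for h in m.group(1).split(":"))
    return names

def list_plan(raw, modified_headers, body_modified, sender_has_spf):
    """Decide what the list must do, given the headers it rewrites (hypothetical helper)."""
    signed = signed_headers(message_from_string(raw))
    touched = {h.lower() for h in modified_headers}
    # Assumption: any body change (footer, scrubbed attachment) invalidates the body hash.
    breaks = signed is not None and (body_modified or bool(signed & touched))
    plan = {"breaks_dkim": breaks, "rewrite_from": False,
            "add_list_dkim": False, "may_strip_broken_dkim": False}
    if breaks:
        # Signature will no longer verify: the list takes over authorship.
        plan.update(rewrite_from=True, add_list_dkim=True, may_strip_broken_dkim=True)
    elif signed is None and sender_has_spf:
        # Unsigned mail from an SPF-publishing domain fails SPF once the list relays it.
        plan.update(rewrite_from=True, add_list_dkim=True)
    return plan

# Constructed sample messages (not real traffic); bh= and b= values are placeholders.
HEAD = "From: Alice <alice@sender.example>\nTo: list@lists.example\nSubject: hello\n"
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel;\n"
       " h={}; bh=CONSTRUCTED; b=CONSTRUCTED\n")
SIGNED_WITH_SUBJECT = HEAD + SIG.format("from:to:subject:date") + "\nhi\n"
SIGNED_WITHOUT_SUBJECT = HEAD + SIG.format("from:to:date") + "\nhi\n"
UNSIGNED = HEAD + "\nhi\n"

if __name__ == "__main__":
    # A list that only prefixes the Subject with a tag and leaves the body alone.
    for name, raw in [("subject signed", SIGNED_WITH_SUBJECT),
                      ("subject not signed", SIGNED_WITHOUT_SUBJECT),
                      ("unsigned", UNSIGNED)]:
        print(name, list_plan(raw, ["Subject"], False, True))
```
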