Re: [dpdk-dev] [dpdk-announce] DMARC mitigation in dpdk.org's mailing list

[Ali Alnubani <alialnu@nvidia.com>]

Hi all,

> -----Original Message-----
> From: Ali Alnubani
> Sent: Thursday, September 23, 2021 12:15 PM
> To: announce@dpdk.org; users@dpdk.org; web@dpdk.org
> Subject: DMARC mitigation in dpdk.org's mailing list
> 
> Hi all,
> 
> Due to the changes that Mailman (our mailing list software) does to posts
> before distributing them, DKIM and DMARC verification will fail for emails
> originating from the domains that support them. This causes some posts to
> go into spam/quarantine and sometimes completely discarded depending on
> the domain's policy.
> 
> DKIM (DomainKeys Identified Mail) is a form of email authentication that
> uses public key cryptography to digitally sign outgoing emails. Senders add
> this signature to the headers of the email message for the receiving mail
> servers to validate against. The sender specifies which of the original headers
> is covered by this signature.
> DMARC (Domain-based Message Authentication, Reporting, and
> Conformance) basically allows domains to publish policies that tell receiving
> mail servers how to handle DKIM verification failures. Strict policies can be
> set to either reject (message not delivered to user's mailbox), or quarantine
> (spam/junk) the messages failing them.
> 
> I would like to propose making some mailing list configuration changes to
> mitigate and reduce signature breakage:
> - Disable prepending subject prefixes (e.g., [dpdk-dev]).
>   Making this change will probably break the rules and filters list members
> have for their mailboxes if they filter by the subject prefix.
>   Members can filter by Mailman's List-Id header instead, or by the To/Cc
> headers.
> - Disable rewriting the "Sender" header.
>   Mailman replaces this header by default with the list's bounce address to
> direct bounces from some broken MTAs to the right destination.
> - Disable conversion of text/html to plain text.
>   Mailman currently strips MIME attachments and does text/html to plain text
> conversion.
> 
> We experimented for a while with these changes in a test list we created
> (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped
> in mitigating signature breakage.
> We tested with signed emails from the domains: nvidia.com, broadcom.com,
> and gmail.com. We verified that posts on the test list showed passing
> DKIM/DMARC results in their 'Authentication-Results' header.
> 
> We plan on making these changes to users@dpdk.org and web@dpdk.org
> first, and then to the rest of the lists once we make sure there are no
> unexpected issues.
> 

I'm seeing less DKIM and DMARC breakage from users@dpdk.org and web@dpdk.org after making the changes mentioned above.
I had a discussion with the technical board, and they approved making the changes to the rest of the lists. We'll apply the change in 2 days.

Feedback is still appreciated.

Thanks,
Ali