From: Ali Alnubani <alialnu@oss.nvidia.com>
To: "announce@dpdk.org" <announce@dpdk.org>,
"users@dpdk.org" <users@dpdk.org>, "web@dpdk.org" <web@dpdk.org>
Subject: [dpdk-dev] [dpdk-announce] DMARC mitigation in dpdk.org's mailing list
Date: Thu, 23 Sep 2021 09:15:06 +0000 [thread overview]
Message-ID: <DM4PR12MB5167367CB92A841E3E9B5B8ADAA39@DM4PR12MB5167.namprd12.prod.outlook.com> (raw)
Hi all,
Due to the changes that Mailman (our mailing list software) does to posts before distributing them, DKIM and DMARC verification will fail for emails originating from the domains that support them. This causes some posts to go into spam/quarantine and sometimes completely discarded depending on the domain's policy.
DKIM (DomainKeys Identified Mail) is a form of email authentication that uses public key cryptography to digitally sign outgoing emails. Senders add this signature to the headers of the email message for the receiving mail servers to validate against. The sender specifies which of the original headers is covered by this signature.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) basically allows domains to publish policies that tell receiving mail servers how to handle DKIM verification failures. Strict policies can be set to either reject (message not delivered to user's mailbox), or quarantine (spam/junk) the messages failing them.
I would like to propose making some mailing list configuration changes to mitigate and reduce signature breakage:
- Disable prepending subject prefixes (e.g., [dpdk-dev]).
Making this change will probably break the rules and filters list members have for their mailboxes if they filter by the subject prefix.
Members can filter by Mailman's List-Id header instead, or by the To/Cc headers.
- Disable rewriting the "Sender" header.
Mailman replaces this header by default with the list's bounce address to direct bounces from some broken MTAs to the right destination.
- Disable conversion of text/html to plain text.
Mailman currently strips MIME attachments and does text/html to plain text conversion.
We experimented for a while with these changes in a test list we created (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped in mitigating signature breakage.
We tested with signed emails from the domains: nvidia.com, broadcom.com, and gmail.com. We verified that posts on the test list showed passing DKIM/DMARC results in their 'Authentication-Results' header.
We plan on making these changes to users@dpdk.org and web@dpdk.org first, and then to the rest of the lists once we make sure there are no unexpected issues.
Any feedback will be appreciated.
Thanks,
Ali
next reply other threads:[~2021-09-23 12:19 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-23 9:15 Ali Alnubani [this message]
[not found] ` <SJ0PR11MB567875CF109284B0A46C9381DFA39@SJ0PR11MB5678.namprd11.prod.outlook.com>
2021-09-24 10:32 ` [dpdk-dev] [dpdk-web] " Thomas Monjalon
2021-09-24 13:06 ` Ali Alnubani
2021-11-08 14:05 ` [dpdk-dev] [dpdk-announce] " Ali Alnubani
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DM4PR12MB5167367CB92A841E3E9B5B8ADAA39@DM4PR12MB5167.namprd12.prod.outlook.com \
--to=alialnu@oss.nvidia.com \
--cc=announce@dpdk.org \
--cc=users@dpdk.org \
--cc=web@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).