* Re: [dts] DMARC mitigation in dpdk.org's mailing list
[not found] <DM4PR12MB5167367CB92A841E3E9B5B8ADAA39@DM4PR12MB5167.namprd12.prod.outlook.com>
@ 2021-11-08 14:05 ` Ali Alnubani
0 siblings, 0 replies; only message in thread
From: Ali Alnubani @ 2021-11-08 14:05 UTC (permalink / raw)
To: announce, stable, dts, ci, govboard, maintainers, marketing,
security, moving
Cc: techboard
Hi all,
> -----Original Message-----
> From: Ali Alnubani
> Sent: Thursday, September 23, 2021 12:15 PM
> To: announce@dpdk.org; users@dpdk.org; web@dpdk.org
> Subject: DMARC mitigation in dpdk.org's mailing list
>
> Hi all,
>
> Due to the changes that Mailman (our mailing list software) does to posts
> before distributing them, DKIM and DMARC verification will fail for emails
> originating from the domains that support them. This causes some posts to
> go into spam/quarantine and sometimes completely discarded depending on
> the domain's policy.
>
> DKIM (DomainKeys Identified Mail) is a form of email authentication that
> uses public key cryptography to digitally sign outgoing emails. Senders add
> this signature to the headers of the email message for the receiving mail
> servers to validate against. The sender specifies which of the original headers
> is covered by this signature.
> DMARC (Domain-based Message Authentication, Reporting, and
> Conformance) basically allows domains to publish policies that tell receiving
> mail servers how to handle DKIM verification failures. Strict policies can be
> set to either reject (message not delivered to user's mailbox), or quarantine
> (spam/junk) the messages failing them.
>
> I would like to propose making some mailing list configuration changes to
> mitigate and reduce signature breakage:
> - Disable prepending subject prefixes (e.g., [dpdk-dev]).
> Making this change will probably break the rules and filters list members
> have for their mailboxes if they filter by the subject prefix.
> Members can filter by Mailman's List-Id header instead, or by the To/Cc
> headers.
> - Disable rewriting the "Sender" header.
> Mailman replaces this header by default with the list's bounce address to
> direct bounces from some broken MTAs to the right destination.
> - Disable conversion of text/html to plain text.
> Mailman currently strips MIME attachments and does text/html to plain text
> conversion.
>
> We experimented for a while with these changes in a test list we created
> (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped
> in mitigating signature breakage.
> We tested with signed emails from the domains: nvidia.com, broadcom.com,
> and gmail.com. We verified that posts on the test list showed passing
> DKIM/DMARC results in their 'Authentication-Results' header.
>
> We plan on making these changes to users@dpdk.org and web@dpdk.org
> first, and then to the rest of the lists once we make sure there are no
> unexpected issues.
>
I'm seeing less DKIM and DMARC breakage from users@dpdk.org and web@dpdk.org after making the changes mentioned above.
I had a discussion with the technical board, and they approved making the changes to the rest of the lists. We'll apply the change in 2 days.
Feedback is still appreciated.
Thanks,
Ali
^ permalink raw reply [flat|nested] only message in thread