[ietf-dkim] Why mailing lists should strip DKIM signatures
dhc at dcrocker.net
Fri Apr 23 07:19:41 PDT 2010
On 4/22/2010 9:34 PM, John Levine wrote:
> For anyone who's working on the list management BCP:
> I sign all my outgoing mail, and I have a feedback loop set up with
> Yahoo, which being very modern and advanced keys on signatures, not IP
> addresses. A few days ago I sent some messages to one of the Freebsd
> mailing lists. Today some Yahoo user who subscribes to that list hit
> the spam button. Freebsd's list software (Mailman, I think) doesn't
> sign, and doesn't strip any headers. So what happened? Yahoo saw my
> signature and sent the reports to me, which was of course useless
> since I don't run the list.
> This is not a hypothetical problem--all of my recent Yahoo FBL reports
If I understand correctly, you established a private arrangement with Yahoo.
Yahoo chooses to create a unique interpretation for the presence of a DKIM
signature, which treats it as an override to the MailFrom. And from this, you
are asserting a new, general rule about DKIM handling?
On 4/23/2010 6:38 AM, John R. Levine wrote:
>> Would this still be an issue if the lists were signing the outbound mail?
>> You'd hope that Yahoo would then send the feedback reports to the list owner.
> Probably not. It depends if the list owner has an FBL of their own, which
> small senders generally don't.
You are extrapolating without any data.
The problem here is that Yahoo has added some deep semantics to a DKIM signature
and probably has not even documented or discussed it properly.
Is there some reason not to first discuss this with Yahoo?
More information about the ietf-dkim