[opendmarc-users] On opendmarc-users at trusteddomain.org
Juri Haberland
juri at sapienti-sat.org
Fri Jun 14 04:31:46 PDT 2019
On 14/06/2019 13:03, Дилян Палаузов wrote:
> Hello,
>
> this week I received answers from juri at sapienti-sat.org over opendmarc-users at trusteddomain.org, but the questions from
> lefty at spes.gr were rejected due to failed DMARC validations.
>
> As a matter of fact, all mails contain:
>
> DKIM-Filter: OpenDKIM Filter v2.10.2 medusa.blackops.org x5DLIawD066933
>
> and the develop branch of OpenDKIM is known to fix problems that are still present in OpenDKIM 2.10.3 (e.g. wrong
> relaxed canonicalization of headers that have a new line immediately after the colon).
>
> As a matter of fact, the mailing list manager inserts the header:
>
> Authentication-Results: medusa.blackops.org;
> dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=spes.gr header.i=@spes.gr
> header.b=JuP1fun8; dkim-atps=neutral
>
> and keeps the RFC5822.From: From: Lefteris Tsintjelis <lefty at spes.gr> header. The DMARC policy for spes.gr is Reject.
> Once the email is sent over an alternative IP address it is only logical that this email will not reach the subscribers of
> this mailing list who have deployed OpenDMARC.
The problem is not the version of OpenDKIM at medusa.blackops.org. It is
the list manager (Mailman) that rewrites the Subject header and adds a
footer to the body. This invalidates the DKIM signature. And yes, this is
exactly the problem that DMARC currently has and why the ARC protocol is
currently in development. The best thing a list currently can do is either to
stop altering Subject and/or body or to rewrite the From to take ownership
of the message.
Another possibility is to add a patch
(https://sourceforge.net/p/opendmarc/tickets/180/) to OpenDMARC that gives
you the possibility to whitelist mails from list servers that are known to
invalidate the DKIM signature (that's what I do).
Cheers,
Juri
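
Both points raised in this exchange can be reproduced offline. The Python below is an added example, not part of the original messages and not OpenDKIM or OpenDMARC code: it implements RFC 6376 relaxed canonicalization, including the header folded directly after the colon, and shows that a Subject tag plus a footer changes what the signature covers. The message contents and all function names are constructed for the example.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: relaxed body canonicalization."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":   # drop empty lines at the end of the body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier compares with the bh= tag of a *-sha256 signature."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(raw: bytes) -> bytes:
    """RFC 6376 section 3.4.2: relaxed header canonicalization."""
    name, value = raw.split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)      # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \r\n")
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def signature_survives(subj, body, new_subj, new_body) -> bool:
    """True only if the signed Subject and the body hash are both unchanged."""
    return (relaxed_header(subj) == relaxed_header(new_subj)
            and body_hash(body) == body_hash(new_body))

def dmarc_disposition(policy: str, dkim_aligned: bool, spf_aligned: bool) -> str:
    """DMARC passes if either aligned check passes; otherwise the policy applies."""
    return "pass" if (dkim_aligned or spf_aligned) else policy

# Constructed sample: the post as signed, with the Subject folded after the colon.
SUBJECT = b"Subject:\r\n DMARC rejects on this list\r\n"
BODY = b"Why are my posts rejected?  \r\n\r\n"
# Constructed sample: the same post after a list manager tagged and footed it.
LIST_SUBJECT = b"Subject: [opendmarc-users] DMARC rejects on this list\r\n"
LIST_BODY = BODY + b"_______________\r\nlist footer (constructed)\r\n"

if __name__ == "__main__":
    print(relaxed_header(SUBJECT))                       # fold after colon removed
    ok = signature_survives(SUBJECT, BODY, LIST_SUBJECT, LIST_BODY)
    print("DKIM survives list:", ok)
    # SPF is not aligned either: the list relays from its own IP address.
    print("disposition:", dmarc_disposition("reject", ok, False))
```

Whitespace-only differences are absorbed by relaxed canonicalization, so only the content changes made by the list manager break the signature.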