* [Buildroot] DMARC on this mailing list
From: Danilo Bargen @ 2022-01-17 9:50 UTC (permalink / raw)
To: buildroot
Hello folks

I recently enabled report-only DMARC on my e-mail domain. After sending
a few e-mails to this ML yesterday, this resulted in multiple DMARC
would-be rejection e-mails.

DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A
nice tool to visualize this is https://www.learndmarc.com/. If either
SPF or DKIM passes, the e-mail should be accepted.

In the case of mailing lists, the way I understand it, there are two
options:

- Rewrite the "From:" header so that the e-mail appears to be coming
  from the ML itself. Put the original sender e-mail in the "Reply-To"
  header instead. If this is not being done, the sender IP (the mailing
  list) does not match the sender e-mail domain and SPF fails. Note
  that this *might* impact the buildroot ML reputation for some big
  mailservers.
- Expect that mail servers with DMARC enabled also have DKIM enabled,
  and ensure that the e-mail body is not modified (i.e. turn off the
  automatically inserted footer). Put mailing list unsubscribe links
  in the headers instead. This way, even though the sender IP does not
  match, the signature should still be intact.

These approaches are described in the following blog post I found
online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

I don't know if mailman allows turning off body modifications (i.e.
RFC2369 and RFC2919), but it definitely allows "From"-munging:
https://wiki.list.org/DEV/DMARC

I'm still quite new to this mailing list and don't want to put out any
demands, but I wanted to bring up this issue, since it will probably be
more and more of an issue in the future (DMARC adoption is increasing).

Cheers,
Danilo
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] DMARC on this mailing list
From: Baruch Siach via buildroot @ 2022-01-17 10:03 UTC (permalink / raw)
To: Danilo Bargen; +Cc: buildroot
Hi Danilo,
On Mon, Jan 17 2022, Danilo Bargen wrote:
> I recently enabled report-only DMARC on my e-mail domain. After sending
> a few e-mails to this ML yesterday, this resulted in multiple DMARC
> would-be rejection e-mails.
>
> DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A
> nice tool to visualize this is https://www.learndmarc.com/. If either
> SPF or DKIM passes, the e-mail should be accepted.
>
> In the case of mailing lists, the way I understand it, there are two
> options:
>
> - Rewrite the "From:" header so that the e-mail appears to be coming
> from the ML itself. Put the original sender e-mail in the "Reply-To"
> header instead. If this is not being done, the sender IP (the mailing
> list) does not match the sender e-mail domain and SPF fails. Note
> that this *might* impact the buildroot ML reputation for some big
> mailservers.
> - Expect that mail servers with DMARC enabled also have DKIM enabled,
> and ensure that the e-mail body is not modified (i.e. turn off the
> automatically inserted footer). Put mailing list unsubscribe links
> in the headers instead. This way, even though the sender IP does not
> match, the signature should still be intact.
>
> These approaches are described in the following blog post I found
> online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
>
> I don't know if mailman allows turning off body modifications (i.e.
> RFC2369 and RFC2919), but it definitely allows "From"-munging:
> https://wiki.list.org/DEV/DMARC
>
> I'm still quite new to this mailing list and don't want to put out any
> demands, but I wanted to bring up this issue, since it will probably be
> more and more of an issue in the future (DMARC adoption is increasing).

I can't comment for the owners of the Buildroot list. But you might find
this recent discussion from the linux-arm-kernel list interesting:

https://lore.kernel.org/linux-arm-kernel/202110211313.B5C5C61@keescook/

In this thread David Woodhouse describes the lists.infradead.org setup
rationale.

baruch
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* Re: [Buildroot] DMARC on this mailing list
From: Yann E. MORIN @ 2022-01-17 10:24 UTC (permalink / raw)
To: Danilo Bargen; +Cc: buildroot
Danilo, All,
On 2022-01-17 10:50 +0100, Danilo Bargen spake thusly:
> I recently enabled report-only DMARC on my e-mail domain. After sending
> a few e-mails to this ML yesterday, this resulted in multiple DMARC
> would-be rejection e-mails.

DMARC has bitten us in the recent past (1.5 years or so...)

> DMARC relies on SPF (correct sender IP) *or* DKIM (correct signature). A
> nice tool to visualize this is https://www.learndmarc.com/. If either
> SPF or DKIM passes, the e-mail should be accepted.
>
> In the case of mailing lists, the way I understand it, there are two
> options:
>
> - Rewrite the "From:" header so that the e-mail appears to be coming
> from the ML itself. Put the original sender e-mail in the "Reply-To"
> header instead. If this is not being done, the sender IP (the mailing
> list) does not match the sender e-mail domain and SPF fails. Note
> that this *might* impact the buildroot ML reputation for some big
> mailservers.

This is exactly what is going on. You can check for example on the
archives:

https://lore.kernel.org/buildroot/20220115101415.986123F41E@exit1-us.msgsafe.io/

> - Expect that mail servers with DMARC enabled also have DKIM enabled,
> and ensure that the e-mail body is not modified (i.e. turn off the
> automatically inserted footer). Put mailing list unsubscribe links
> in the headers instead. This way, even though the sender IP does not
> match, the signature should still be intact.
>
> These approaches are described in the following blog post I found
> online: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
>
> I don't know if mailman allows turning off body modifications (i.e.
> RFC2369 and RFC2919), but it definitely allows "From"-munging:
> https://wiki.list.org/DEV/DMARC

Yeah, this is what is being done on this list...

Regards,
Yann E. MORIN.

> I'm still quite new to this mailing list and don't want to put out any
> demands, but I wanted to bring up this issue, since it will probably be
> more and more of an issue in the future (DMARC adoption is increasing).
>
> Cheers,
> Danilo
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] DMARC on this mailing list
From: Danilo Bargen @ 2022-01-17 12:57 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: buildroot
Hello Yann

>> - Rewrite the "From:" header so that the e-mail appears to be coming
>> from the ML itself. Put the original sender e-mail in the "Reply-To"
>> header instead. If this is not being done, the sender IP (the mailing
>> list) does not match the sender e-mail domain and SPF fails. Note
>> that this *might* impact the buildroot ML reputation for some big
>> mailservers.
>
> This is exactly what is going on. You can check for example on the
> archives:
> https://lore.kernel.org/buildroot/20220115101415.986123F41E@exit1-us.msgsafe.io/

Strange, when I view your e-mail (coming from the ML, containing the
"buildroot mailing list" footer) raw data, I still see your address in
the "From"-Header, and not buildroot@buildroot.org:

    From: "Yann E. MORIN" <yann.morin.1998@free.fr>

The *sender* is set to Buildroot:

    Sender: "buildroot" <buildroot-bounces@buildroot.org>

...but DMARC evaluates the From-Header and not the Sender-Header, as far
as I know.

Some mailservers that sent me DMARC failure reports after sending
e-mails to the buildroot mailing list were:

- silica.com
- uni-bonn.de
- yahoo.com
- aol.com
- mail.ru

With a reject policy, my e-mail would have been dropped by those servers.

Danilo
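The list-relay cases discussed in this thread, as an added example that is not part of any message here: a simplified DMARC evaluation showing why a footer plus an unchanged "From:" fails, while either "From" rewriting or an untouched body passes. The domains `sender.example` and `list.example`, the sample messages and the two-label organizational-domain shortcut are assumptions; DKIM is reduced to its body hash and SPF is assumed to pass for the list's bounce domain.

```python
import base64, hashlib
from email import message_from_string
from email.utils import parseaddr

def body_hash(body):
    """DKIM bh= value under 'simple' body canonicalization (RFC 6376, 3.4.3)."""
    data = body.replace("\r\n", "\n").replace("\n", "\r\n").encode()
    data = data.rstrip(b"\r\n") + b"\r\n"  # drop trailing empty lines, keep one CRLF
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real verifiers
    # consult the Public Suffix List for relaxed alignment.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_verdict(raw, spf_domain, dkim_domain, signed_bh):
    """Simplified check for a list-relayed message. SPF is assumed to pass for
    spf_domain (the relay's bounce domain); DKIM is reduced to the body hash."""
    msg = message_from_string(raw)
    # Only the From: header is compared; Sender: is never consulted.
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    spf_aligned = org_domain(spf_domain) == from_org
    dkim_aligned = (org_domain(dkim_domain) == from_org
                    and body_hash(msg.get_payload()) == signed_bh)
    return "pass" if (spf_aligned or dkim_aligned) else "fail"

# Constructed sample data (sender.example and list.example are placeholders).
BODY = "Hello folks\nplease review the patch.\n"
FOOTER = "_______________________________________________\nexample mailing list\n"
SIGNED_BH = body_hash(BODY)  # what the author's own server signed

def relay(from_hdr, body, extra=""):
    return ("From: " + from_hdr + "\nSender: list-bounces@list.example\n"
            + extra + "\n" + body)

CASES = {
    "footer added, From kept": relay("Alice <alice@sender.example>", BODY + FOOTER),
    "From rewritten to list": relay("Alice via list <list@list.example>",
                                    BODY + FOOTER, "Reply-To: alice@sender.example\n"),
    "body untouched, From kept": relay("Alice <alice@sender.example>", BODY,
                                       "List-Unsubscribe: <mailto:leave@list.example>\n"),
}

def run_cases():
    return {name: dmarc_verdict(raw, "list.example", "sender.example", SIGNED_BH)
            for name, raw in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name}: {verdict}")
```
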
* Re: [Buildroot] DMARC on this mailing list
From: Danilo Bargen @ 2022-01-17 13:03 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: buildroot
> Strange, when I view your e-mail (coming from the ML, containing the
> "buildroot mailing list" footer) raw data, I still see your address in
> the "From"-Header, and not buildroot@buildroot.org:
>
> From: "Yann E. MORIN" <yann.morin.1998@free.fr>

The lore.kernel.org archive seems to confirm this, "From"-header is not
rewritten:

https://lore.kernel.org/buildroot/20220117102450.GC2313964@scaer/

However, for the archive entry you sent, it does look correct, with a
rewritten "From"-header:

https://lore.kernel.org/buildroot/20220115101415.986123F41E@exit1-us.msgsafe.io/

I'm not sure what the reason for the difference between these two
e-mails is.

Danilo