DMARC problems with some emails from the list
Hello,
I'm having problems with some emails from the list being classified as SPAM in my system because of DMARC failures. I'm not sure, but this may be a problem with the list configuration.
I attach the log for the failures in the last week.
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150 Fax: 868888337

On 08.03.21 07:43, Ángel L. Mateo wrote:
> Hello,
> I'm having problems with some emails from the list being classified as SPAM in my system because of DMARC failures. I'm not sure, but this may be a problem with the list configuration.
> I attach the log for the failures in the last week.

I have looked at some of the mails that you flagged as problematic and yes, those mails failed the DKIM check, even though this list seems to work without invalidating DKIM signatures.
The problem with these specific mails is the fact that they sign one or more of the following headers:
- Reply-To
- Sender
- List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
Of course these headers *will* be altered by most list software out there, so the senders have to change the way they sign their mails.
Your only option is to either trust the ARC-headers or to whitelist all mail from this mailing list.
Cheers, Juri

On 2021-03-08 10:34, Juri Haberland wrote:
> I have looked at some of the mails that you flagged as problematic and yes, those mails failed the DKIM check, even though this list seems to work without invalidating DKIM signatures.

checked your dkim signing, it has signed 2 Date headers, 2 From, 2 Subject, solve this :=)
and you have simple in C= tag, please check double signed headers
it does not dkim pass in perl Mail::DKIM test in spamassassin

> The problem with these specific mails is the fact that they sign one or more of the following headers:
> - Reply-To
> - Sender
> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive

this comes from dkim signing ALL mails not just ORIGINATED emails, maillist should really stop signing emails, and only do the ARC sealing and ARC sign it
if maillist sends ORIGINATING emails it should be signed as dkim and not ARC sealed
it's common sense imho
too many headers signed makes dkim break

> Of course these headers *will* be altered by most list software out there, so the senders have to change the way they sign their mails.

altering will happen hopefully AFTER ARC sealing, so it still can be verified from ARC that the originated email did pass or fail in some way, in that case it works as designed

> Your only option is to either trust the ARC-headers or to whitelist all mail from this mailing list.

tell dmarc to not test maillists, but it should pass so no need

On 08.03.21 11:38, Benny Pedersen wrote:
> On 2021-03-08 10:34, Juri Haberland wrote:
> checked your dkim signing, it has signed 2 Date headers, 2 From, 2 Subject, solve this :=)

Benny, it's not about *my* DKIM signature. And it is perfectly legal and has a special purpose to double sign some headers, called oversigning.

> and you have simple in C= tag, please check double signed headers
> it does not dkim pass in perl Mail::DKIM test in spamassassin

If my signature didn't verify at your end, then it might be a problem at your end as my DKIM signature verified at the mailing list host (as you can see from the ARC-Authentication-Results header) and it still verified at my host when it came back from the list (both Spamassassin and OpenDKIM). OTOH if more people have problems with my DKIM signature then I'd like to hear that.

>> The problem with these specific mails is the fact that they sign one or more of the following headers:
>> - Reply-To
>> - Sender
>> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
> this comes from dkim signing ALL mails not just ORIGINATED emails, maillist should really stop signing emails, and only do the ARC sealing and ARC sign it

This has nothing to do with it! The problem arises at the OP's end...

> if maillist sends ORIGINATING emails it should be signed as dkim and not ARC sealed
> it's common sense imho
> too many headers signed makes dkim break

Yes, that is the problem here, but that cannot be fixed by the people running the ML, only by the original authors, as it concerns the DKIM signatures of the original authors.

>> Of course these headers *will* be altered by most list software out there, so the senders have to change the way they sign their mails.
> altering will happen hopefully AFTER ARC sealing, so it still can be verified from ARC that the originated email did pass or fail in some way, in that case it works as designed

IMHO altering/adding those headers will happen *before* ARC signing or else the ARC signature will break immediately and will be useless...

>> Your only option is to either trust the ARC-headers or to whitelist all mail from this mailing list.
> tell dmarc to not test maillists, but it should pass so no need

???
Regards, Juri
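
Added example (not part of any post in this thread): a Python sketch of the check behind Juri's two points above, reporting which names in a DKIM-Signature `h=` tag are headers that list software alters or adds, and which are oversigned. The function names and the sample message are constructed for illustration; only the standard library is used.

```python
import email
from collections import Counter

# Headers the thread lists as altered or added by most list software.
LIST_TOUCHED = {"reply-to", "sender", "list-id", "list-help",
                "list-unsubscribe", "list-subscribe", "list-post",
                "list-owner", "list-archive"}

def signed_headers(sig_value):
    """Lower-cased header names from the h= tag of a DKIM-Signature value."""
    for part in sig_value.split(";"):
        name, _, value = part.partition("=")
        if name.strip() == "h":
            # h= may be folded across lines; whitespace in it is not significant
            return [h.lower() for h in "".join(value.split()).split(":") if h]
    return []

def analyse(raw_message):
    """Report signed names a list is likely to touch, and names that are
    oversigned (listed in h= more often than the header occurs)."""
    msg = email.message_from_string(raw_message)
    present = Counter(k.lower() for k in msg.keys())
    signed = Counter(signed_headers(msg.get("DKIM-Signature", "")))
    return {
        "list_touched": sorted(n for n in signed if n in LIST_TOUCHED),
        # A name signed while absent commits to its absence, so a list that
        # later adds Reply-To or List-Id invalidates the author's signature.
        "oversigned": sorted(n for n, c in signed.items() if c > present[n]),
    }

# Constructed sample message as it leaves the author, before any list handling.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=sel; h=from:from:reply-to:subject:subject:date:date:to:list-id;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "To: list@example.net\n"
    "Subject: test\n"
    "Date: Mon, 08 Mar 2021 07:43:00 +0100\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for key, names in analyse(SAMPLE).items():
        print(key, names)
```

Oversigning From, Subject and Date is harmless on a list that leaves them alone; the names that appear in both result lists are the ones a list will break.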

On 2021-03-08 13:21, Juri Haberland wrote:
> On 08.03.21 11:38, Benny Pedersen wrote:
>> On 2021-03-08 10:34, Juri Haberland wrote:
>> checked your dkim signing, it has signed 2 Date headers, 2 From, 2 Subject, solve this :=)
> Benny, it's not about *my* DKIM signature. And it is perfectly legal and has a special purpose to double sign some headers, called oversigning.

h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature;
double header signing
on top of that C= with simple
it could be a bug in perl Mail::DKIM, but so far spamassassin gives dkim invalid
eof my help with it

On 2021-03-08 07:43, Ángel L. Mateo wrote:
> I'm having problems with some emails from the list being classified as SPAM in my system because of DMARC failures. I'm not sure, but this may be a problem with the list configuration.

what state of dkim is c= tag ?, if it contains simple, it's not that simple since it's stronger than relaxed
if that's the case, it could be that 8bitmime is not being disabled before dkim signing :(
reference from amavisd dkim howto
is your dmarc test doing ARC test ?

> I attach the log for the failures in the last week.

does not help me help you

On 8/3/21 at 11:20, Benny Pedersen wrote:
> On 2021-03-08 07:43, Ángel L. Mateo wrote:
>> I'm having problems with some emails from the list being classified as SPAM in my system because of DMARC failures. I'm not sure, but this may be a problem with the list configuration.
> what state of dkim is c= tag ?, if it contains simple, it's not that simple since it's stronger than relaxed
> if that's the case, it could be that 8bitmime is not being disabled before dkim signing :(
> reference from amavisd dkim howto
> is your dmarc test doing ARC test ?

I don't know the exact details of the antispam configuration. But I have asked and the administrator told me that we are not doing ARC tests. He told me that the emails are marked as spam because of dkim failures.
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868889150 Fax: 868888337

On 2021-03-09 07:55, Ángel L. Mateo wrote:
> I don't know the exact details of the antispam configuration. But I have asked and the administrator told me that we are not doing ARC tests. He told me that the emails are marked as spam because of dkim failures.

ARC test can be skipped if ORIGINATING dkim signed DKIM signature gives PASS
your mail here gives DKIM PASS in perl Mail::DKIM
but
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dovecot.org; s=arc; t=1615272934; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature;
is with double headers sign in ARC :(
are the owners listening here ?

On 09.03.21 17:00, Benny Pedersen wrote:
> ARC test can be skipped if ORIGINATING dkim signed DKIM signature gives PASS
> your mail here gives DKIM PASS in perl Mail::DKIM
> but
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dovecot.org; s=arc; t=1615272934; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature;
> is with double headers sign in ARC :(
> are the owners listening here ?

Again, there is and should be no problem with double header signing. And even if there were a problem with it, the ARC-Message-Signature will be ignored by 99% of mail handling applications...
I really don't get your point and it seems to me you didn't understand the OP's problem.
Cheers, Juri

participants (3): Benny Pedersen, Juri Haberland, Ángel L. Mateo