Dovecot mailing list and DKIM
Hello everybody,
Going through my mail logs I noticed that a couple of messages from the Dovecot mailing list failed DKIM validation.
For example, this one has failed: https://markmail.org/message/te7tycmpiutw4kia
'opendkim-testkey' shows that the key is OK.
The messages in the example comes from yahoo.com, however other messages from yahoo.com, ones that are not sent through the mailing list, are properly validated. The failure is not specific to yahoo.com since a couple of other messages from other domains, sent though the mailing list, also failed DKIM validation.
However, the vast majority of the messages from the list properly pass DKIM validation.
From what I have read, mailing lists in general do not play very well with DKIM or SPF and the Dovecot mailing list also had some issues with this in the past.
With the Dovecot mailing list, I am a bit curious about why the vast majority of the messages from the list pass DKIM validation while a couple of them fail.
Does the Dovecot mailing list software alter the message in a way that causes the failure? Or is there something else going on?
Any thoughts?
Cheers.
On 2021-06-19 16:21, Kevin N. wrote:
Any thoughts?
ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=pass header.d=notscheduled.eu header.s=vdsce95c9 header.b=lTA5iJYj; spf=pass (talvi.dovecot.org: domain of kevin@notscheduled.eu designates 185.125.111.71 as permitted sender) smtp.mailfrom=kevin@notscheduled.eu
what is the problem for yahoo ?
No yahoo specific problem, as I stated in my previous post. An yes, my DKIM record validates successfully.
But there are a couple of messages sent from other users, through the Dovecot mailing list, that fail DKIM validation, like the one in the example link.
I am just curious why do the vast majority pass while some fail, even if they do have proper DKIM records :) .
Cheers.
On 20/06/2021 00:01, Benny Pedersen wrote:
On 2021-06-19 16:21, Kevin N. wrote:
Any thoughts?
ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=pass header.d=notscheduled.eu header.s=vdsce95c9 header.b=lTA5iJYj; spf=pass (talvi.dovecot.org: domain of kevin@notscheduled.eu designates 185.125.111.71 as permitted sender) smtp.mailfrom=kevin@notscheduled.eu
what is the problem for yahoo ?
On 2021-06-19 23:57, Kevin N. wrote:
No yahoo specific problem, as I stated in my previous post. An yes, my DKIM record validates successfully.
But there are a couple of messages sent from other users, through the Dovecot mailing list, that fail DKIM validation, like the one in the example link.
I am just curious why do the vast majority pass while some fail, even if they do have proper DKIM records :) .
if ARC specifikation tells more about C= tag in dkim, it would be more easy to see if its just that, relaxed is more simple to make dkim pass with then simple is, there might be alot of other problems giving random pass or fails, i just say its not possible to garenti that mail in transfer on public maillists or stupid sendgrid forwards with phishing netflix emails, it can only be trusted if ARC is done on any forwarders
i am glad i do not use any milters currently since gentoo have disabled milter support in postfix
so currently i am happy with fuglu :=)
I never used FuGlu before. I'll take a look at it :)
On 20/06/2021 02:38, Benny Pedersen wrote:
On 2021-06-19 23:57, Kevin N. wrote:
No yahoo specific problem, as I stated in my previous post. An yes, my DKIM record validates successfully.
But there are a couple of messages sent from other users, through the Dovecot mailing list, that fail DKIM validation, like the one in the example link.
I am just curious why do the vast majority pass while some fail, even if they do have proper DKIM records :) .
if ARC specifikation tells more about C= tag in dkim, it would be more easy to see if its just that, relaxed is more simple to make dkim pass with then simple is, there might be alot of other problems giving random pass or fails, i just say its not possible to garenti that mail in transfer on public maillists or stupid sendgrid forwards with phishing netflix emails, it can only be trusted if ARC is done on any forwarders
i am glad i do not use any milters currently since gentoo have disabled milter support in postfix
so currently i am happy with fuglu :=)
Am 19.06.21 um 16:21 schrieb Kevin N.:
Going through my mail logs I noticed that a couple of messages from the Dovecot mailing list failed DKIM validation.
For example, this one has failed: https://markmail.org/message/te7tycmpiutw4kia
dovecot.org use mailman-2.1.15 which is "a little bit (~9 years)" behind latest 2.1.34 Older version of mailman are know to modify some messages which break DKIM.
That may be the reason for your observation.
BTW: the ARC-Seal added by dovecot.org is invalid here, too
Andreas
Oh, I see. Thanks for the clarification Andreas.
On 20/06/2021 00:58, A. Schulze wrote:
Am 19.06.21 um 16:21 schrieb Kevin N.:
Going through my mail logs I noticed that a couple of messages from the Dovecot mailing list failed DKIM validation.
For example, this one has failed: https://markmail.org/message/te7tycmpiutw4kia
dovecot.org use mailman-2.1.15 which is "a little bit (~9 years)" behind latest 2.1.34 Older version of mailman are know to modify some messages which break DKIM.
That may be the reason for your observation.
BTW: the ARC-Seal added by dovecot.org is invalid here, too
Andreas
On 20/06/2021 00:58 A. Schulze sca@andreasschulze.de wrote:
Am 19.06.21 um 16:21 schrieb Kevin N.:
Going through my mail logs I noticed that a couple of messages from the Dovecot mailing list failed DKIM validation.
For example, this one has failed: https://markmail.org/message/te7tycmpiutw4kia
dovecot.org use mailman-2.1.15 which is "a little bit (~9 years)" behind latest 2.1.34 Older version of mailman are know to modify some messages which break DKIM.
That may be the reason for your observation.
BTW: the ARC-Seal added by dovecot.org is invalid here, too
Andreas
Can you give any more insight on why it's invalid? Last time I checked the ARC-Seal was fine.
Aki
Am 28.06.21 um 07:40 schrieb Aki Tuomi:
BTW: the ARC-Seal added by dovecot.org is invalid here, too
Andreas
Can you give any more insight on why it's invalid? Last time I checked the ARC-Seal was fine.
well, my dovecot folder with 30k messages (8 years) contain ~4k messages validated with different versions of openarc over the time. Most pass while 400 message are marked with arc=fail
A nice doveadm voodoo to extract these 400 would allow deep inspection :-)
Andreas
participants (4)
-
A. Schulze
-
Aki Tuomi
-
Benny Pedersen
-
Kevin N.