[OpenStack-Infra] Possible problem with ML handling of DKIM signatures?
Neil Jerram
Neil.Jerram at metaswitch.com
Fri Apr 1 10:03:36 UTC 2016
Carl Baldwin alerted me to the fact that my recent ML emails are going
into his (Gmail) Spam folder. When he looks at one of those emails, his phone's GMail client says:
"Why is this message in Spam? It's from an address in the metaswitch.com
domain but has failed metaswitch.com's required tests for authentication."
I asked my company's email system folk, and they said:
"... the message is correctly routing through [our outgoing SMTP] Office
365 and its headers are being signed. This is therefore likely to be a
problem with whatever mailing list software is being used for the
OpenStack mailing list that means it doesn't interoperate correctly with
DMARC policies in general.
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F
gives some more explanation on what the mailing list operator needs to
do in order to fix their mailing list. Is this something you're able to
take up with them, please?
"(By way of background, DKIM involves using a private key to sign email
headers so they can be verified against a public key by recipients to
ensure the message hasn't been tampered with, and SPF involves
publishing publicly-accessible records of which email servers are
allowed to originate messages from particular sender domains. DMARC
builds on this by enforcing policies that say all messages from a
particular domain *must* pass either SPF or DKIM checks, otherwise they
aren't authentic and should be discarded. We've put these policies into
place in the last month in order to block phishing emails that spoof
@metaswitch.com sender addresses. Mailing list software needs to be set
up in an appropriate way in order not to fall foul of these policies.)"
I also looked at the source of an email that I've recently received from
Carl via the ML, and found that it includes a "X-DkimResult-Test:
Failed" header.
Therefore my guess is that ML handling might inadvertently be changing
some of the headers that are covered by the DKIM signature. Does that
sound correct, and if so is it something that could or should be fixed?
Thanks,
Neil
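
The guess above can be checked by comparing a message as sent with the copy the list relayed. The following is an added example, not part of the original message or of any mailing list software: it applies DKIM "relaxed" canonicalization (RFC 6376) to both copies and reports which signed parts changed. The addresses, footer text, signed-header list, the choice of relaxed/relaxed with SHA-256, and the assumption that the list adds the subject tag are all constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n".encode()

def relaxed_body(body):
    """RFC 6376 3.4.4: collapse whitespace, drop trailing blank lines."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body):
    """Value a verifier compares with the bh= tag (SHA-256 assumed)."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def broken_by_relay(sent, received, signed_headers):
    """Return the signed parts whose canonical form changed in transit."""
    broken = [h for h in signed_headers
              if relaxed_header(h, sent["headers"].get(h, ""))
              != relaxed_header(h, received["headers"].get(h, ""))]
    if body_hash(sent["body"]) != body_hash(received["body"]):
        broken.append("body")
    return broken

# Constructed sample data (not taken from real messages).
SIGNED = ["from", "subject", "date"]   # assumed h= list of the signature
DATE = "Fri, 1 Apr 2016 10:03:36 +0000"
SUBJECT = "Possible problem with ML handling of DKIM signatures?"
SENT = {"headers": {"from": "Sender <sender@example.com>",
                    "subject": SUBJECT, "date": DATE},
        "body": b"Does that sound correct?\r\n"}
# Relay that only refolds a header and adds blank lines: still verifies.
REFOLDED = {"headers": {"from": "Sender\r\n  <sender@example.com>",
                        "subject": SUBJECT, "date": DATE},
            "body": b"Does that sound correct?  \r\n\r\n\r\n"}
# Relay that tags the subject and appends a footer: signature breaks.
RELAYED = {"headers": {"from": "Sender <sender@example.com>",
                       "subject": "[OpenStack-Infra] " + SUBJECT, "date": DATE},
           "body": SENT["body"] + b"\r\n-- \r\nlist footer (constructed)\r\n"}

if __name__ == "__main__":
    print(broken_by_relay(SENT, REFOLDED, SIGNED))
    print(broken_by_relay(SENT, RELAYED, SIGNED))
```

A relay that changes neither the signed headers nor the body leaves the sender's signature verifiable, which is the case the first sample shows.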