OT: DKIM signatures on email messages from lists.gnupg.org

Alexander Leidinger Alexander at leidinger.net
Mon Jun 12 13:05:51 CEST 2023


Quoting Alessandro Vesely via Gnupg-users <gnupg-users at gnupg.org>  
(from Mon, 12 Jun 2023 10:57:32 +0200):

> Hi,
>
> would someone please explain DKIM settings of lists.gnupg.org?

I'm not involved in gnupg.org administration, but it looks like there  
are none.

> Looking at recent posts, I counted 44 with a failed signature by  
> d=gnupg.org, 22 with no DKIM signature at all and none with a good  
> signature.

Can it be that those 44 are from real people who have a from-address  
@gnupg.org?

> I'm asking because there was a proposal to eliminate SPF from DMARC  
> authentication methods[*].  Opposers to such move note that in a  
> number of cases SPF succeeds where DKIM fails.  The discussion  
> concluded that it must be because of misconfiguration, since most  
> in-transit alterations were eliminated.  As people on this list are  
> certainly knowledgeable, I thought I'd dare asking where does such  
> misconfiguration stem from.

Your mail to the list had a DKIM signature from tana.it (your DKIM  
signature). It specifies that in the header the date, to, from and  
subject lines are subject to validation. The From was re-written by  
the list and as such the header check fails. The body check fails as  
the list adds the following:

---snip---
_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
---snip---

What the list-software would need to do is to strip the original DKIM  
signature (and maybe sign itself, but there are drawbacks), or to not  
modify the message (at least not the designated header lines, and the  
body). More info here:
     https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html

For mailman there is some info here what could/should be done:
     https://wiki.list.org/DEV/DKIM
     https://wiki.list.org/DEV/DMARC

For listserv there is some info here what could/should be done:
     https://www.lsoft.com/manuals/17.0/advancedtopics/Section12UsingDomainKeysIdentifi.html
     https://www.lsoft.com/manuals/17.0/advancedtopics/Section13DMARCandLISTSERV.html

There is also ARC (which you should see in the headers of my mail):
     https://en.wikipedia.org/wiki/Authenticated_Received_Chain

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
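
The two failures described in the message above (a signed From header rewritten by the list, and a footer appended to the signed body) can be reproduced with the following added example, which is not part of the original post or of any list software. It assumes relaxed/relaxed canonicalization with SHA-256 as in RFC 6376; the addresses, subject and body are constructed, and it compares canonicalized inputs only (a real verifier also hashes the DKIM-Signature field itself and checks the signature in b=).

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace, then drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore trailing empty lines
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a verifier recomputes and compares with the bh= tag."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n", "", value)                 # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")    # collapse whitespace
    return f"{name.lower()}:{value}\r\n".encode()

def changed_signed_headers(sent: dict, delivered: dict, h_tag: str) -> list:
    """Names listed in h= whose canonical form differs after list handling."""
    names = [n.strip().lower() for n in h_tag.split(":")]
    return [n for n in names if relaxed_header(n, sent.get(n, ""))
            != relaxed_header(n, delivered.get(n, ""))]

# Constructed sample message as signed by the author's domain.
H_TAG = "date:to:from:subject"
SENT_HEADERS = {"date": "Mon, 12 Jun 2023 10:57:32 +0200",
                "to": "list@lists.example",
                "from": "Author <author@sender.example>",
                "subject": "DKIM question"}
SENT_BODY = b"Hi,\r\n\r\nwould someone please explain?\r\n"
# Constructed copy as delivered by the list: From rewritten, footer appended.
LIST_HEADERS = dict(SENT_HEADERS, **{"from": "Author via List <list@lists.example>"})
LIST_BODY = SENT_BODY + (b"_______________________________________________\r\n"
                         b"Gnupg-users mailing list\r\n")

def diagnose(headers: dict, body: bytes) -> dict:
    """Report which part of the author's signature the delivered copy breaks."""
    return {"body_hash_ok": body_hash(body) == body_hash(SENT_BODY),
            "changed_headers": changed_signed_headers(SENT_HEADERS, headers, H_TAG)}

if __name__ == "__main__":
    print(diagnose(LIST_HEADERS, LIST_BODY))
```
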