Jayson Smith writes:

 > I'm having trouble with one of my lists. CenturyTel is bouncing mail 
 > from one specific AOL user. The Mailman munge from is working as 
 > expected, and I even tried configuring mm_cfg.py to strip incoming DKIM 
 > signatures. However, as you'll see, CenturyTel is still complaining of a 
 > bad DKIM signature. No one else is.

Have you checked if everyone is seeing the email (see below)?

 > The incoming mail seems to include a DKIM signature as a
 > nonstandard header, maybe CenturyTel knows to look for this, and is
 > throwing a fit when it fails to verify?

The X-SONIC-DKIM-SIGN field is just an unknown field as far as a
properly implemented MTA is concerned.  Theoretically CenturyTel is
upset about that, but there's a much simpler explanation: failed DMARC
From alignment (to use the technical term), which is what I suspect
"Failed DKIM Authentication" means.

AOL publishes a DMARC p=reject policy, which means that a recipient
must reject (return to sender) or discard the email (without notifying
the sender) if From alignment fails.  (This cannot be enforced.
Gmail, for example, usually puts these in the spam folder rather than
rejecting them.)  From alignment means that the domain of the email in
the From header matches the domain in the d= field of at least one
valid DKIM-Signature in the header.

In the case of the header you appended, there is one valid DKIM
signature, it is the one very near the top of the header, and it has
d=bluegrasspals.com.  The domain of the From address is aol.com, so
they are not aligned, and conforming MTAs will reject.  Almost all
non-conforming MTAs that implement DMARC will quarantine the email,
usually in the spam folder.

So as far as I can tell, CenturyTel is a conforming implementation,
and behaving correctly given the header you posted.  I suspect the
reason that you're not hearing complaints from other MTAs is that
they're all discarding the email with extreme prejudice.

I guess that X-SONIC-DKIM-SIGN was originally a valid DKIM-Signature
header.  By the time it got to sonic302.consmr.mail.bf2.yahoo.com,
either the message was corrupt (so DKIM validation failed) or sonic302
recognized that DMARC From alignment was sure to fail, and so "fixed
up" the header (perhaps for debugging purposes).

So, this user's emails are going to be discarded by a large minority,
if not the vast majority, of sites because they're using an AOL
address in From and sending via Yahoo!:

    Received: by kubenode547.mail-prod1.omega.ne1.yahoo.com (VZM Hermes SMTP
      Server) with ESMTPA ID 754de18d9b1eebb7367c2043d8067b87;
      Tue, 15 Jun 2021 10:21:22 +0000 (UTC)

Tell them to stop doing that.

Although I recognize that's often easier said than done,
unfortunately, that's where my advice ends (I live in Japan, so
mercifully never have to deal with the goat rodeo that is
Verizon/Yahoo/AOL).  Perhaps somebody else can take it from here and
explain how your poor AOL user can get their mail through.

Of course, their best course of action is to switch to Gmail or some
other competent provider, but users often resist that.

Steve

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
    https://mail.python.org/archives/list/mailman-users@python.org/
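
The From alignment check described in the reply above, as an added example that is not part of the original message or of Mailman. It covers only the DKIM side with exact domain matching, as the reply defines it, and assumes every DKIM-Signature present has already verified; the header samples, addresses and the `dkim_alignment` helper are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header, not the one from the original post.
SAMPLE_UNMUNGED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=bluegrasspals.com; s=example;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; d=aol.com; s=example;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Example User <user@aol.com>
Subject: test

body
"""

# Same message with From rewritten to a (hypothetical) list address.
SAMPLE_MUNGED = SAMPLE_UNMUNGED.replace(
    "From: Example User <user@aol.com>",
    "From: Example User via List <list@bluegrasspals.com>")


def dkim_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip().lower()] = "".join(val.split())
    return tags


def dkim_alignment(raw):
    """Compare the From domain with the d= of each DKIM-Signature field.

    Assumption: the signatures were verified elsewhere; this checks
    alignment only. Fields such as X-SONIC-DKIM-SIGN are not
    DKIM-Signature fields and are ignored.
    """
    msg = message_from_string(raw)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = address.rpartition("@")[2].lower()
    domains = [dkim_tags(v).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])]
    return {"from_domain": from_domain,
            "signing_domains": domains,
            "aligned": bool(from_domain) and from_domain in domains}


if __name__ == "__main__":
    for name, raw in (("unmunged", SAMPLE_UNMUNGED), ("munged", SAMPLE_MUNGED)):
        print(name, dkim_alignment(raw))
```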
