The Free Software Foundation is making changes to our GNU Mailman systems. This is a long email, so I want to mention up front that we plan to change the list settings of this list again in about 1 month unless a list administrator or moderator opts out. Read below for more information.

Messages sent from users with strict DMARC policy domains like yahoo.com are often being rejected when sent to list subscribers by Mailman. See the end of this email for a technical overview of DMARC and DKIM. There are two ways to fix the issue by changing Mailman list settings.

The first option, and the preferable way for discussion lists, is what we call the "unmodified message fix." There are Mailman list settings which modify the messages by adding a subject prefix (e.g. [list-name]) or a footer. Modifying the message breaks DKIM message signatures and thus DMARC. Following this option, we would turn those settings off. Many lists are already this way and there is no change for them. Instead of using the subject prefix to identify a list, subscribers should use the "List-Id" header, To, and Cc. List footer information can also be put in the welcome email to subscribers and the list information page by list administrators.

Related to this, on June 7th, we upgraded the version of Mailman that we run. This fixed a bug where we were breaking the DKIM signature of any reply message.

The second option is for lists which want or need to continue to modify the message, for example with subject prefix or footer settings. We would enable a Mailman list setting called dmarc_moderation_action: "Munge From". With this setting, if a strict DMARC sender sends to the list, we alter the headers of that message like so:

A message sent to the list:

  To: alist@listdomain
  From: Anne Example Person <exampleperson@examplepersonsdomain>

Is modified by Mailman and sent to subscribers as:

  To: alist@listdomain
  From: Anne Example Person via Alist <alist@listdomain>
  Reply-To: Anne Example Person <exampleperson@examplepersonsdomain>

Without going into all of the details, here are a few points about why we concluded the unmodified message fix is better for discussion lists.

* Email clients don't all treat munged messages the same way as unmunged, and humans read these headers so it can confuse people, causing messages not to be sent to the expected recipients.

* GNU Mailman has an option to do "Munge From" always, but does not recommend using it[1].

* While we're not bound by what others do, it's worth noting that other very large free software communities like Debian GNU/Linux have adopted the unmodified message fix[2].

* The unmodified messages fix avoids breaking DKIM cryptographic signatures, which show the message was authorized by the signing domain.

Since this list appears to be a discussion list that adds subject prefixes or footers, "Munge From" has been turned on as an initially less disruptive fix, but we will change this list's settings to send unmodified messages in one month from now unless a list administrator/owner or moderator opts this list out of the change.

This list does not have any administrators or moderators in the Mailman settings, so we are emailing the list directly. Sometimes people don't have their email listed in the settings because Mailman sends automated emails to whoever is listed as administrator or moderator and there is no way to opt out. We recommend filtering your email if you don't want those messages. If you have the administration password for a list, please log in and add administrator or moderator email addresses at the top of the "General Options" section of the list administration interface. If no list administrators or moderators are around for this list, anyone should feel free to try to track them down or figure out who should become one and explain in detail by replying to sysad...@gnu.org. Please be patient, this process may take several weeks.

To opt this list out, reply to sysad...@gnu.org, append "opt out" to the subject line, and send it from one of the list administrator or moderator email addresses.

For any Mailman list administrator who wants to change or look over the relevant settings: The dmarc_moderation_action setting is under "Privacy Options" subsection "Sender Filters". The only options that should be selected are "Accept" or "Munge From", along with corresponding changes to the subject_prefix option under "General Options", and msg_footer is under "Non-digest options".

Please send any questions that should be public to mail...@gnu.org. For private ones, just reply to sysad...@gnu.org.

For the general announcement of these changes, please read https://lists.gnu.org/archive/html/savannah-hackers-public/2019-06/msg00018.html

A short DMARC technical overview:

DMARC policy is a DNS txt record at a _dmarc subdomain. For example:

  $ host -t txt _dmarc.yahoo.com
  _dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; rua=mailto:address@hidden;";

The only important thing there for our purpose is p=reject. p=reject means that conforming mail servers that receive mail with a from header of *@yahoo.com will reject that email unless it was either

  1. sent from Yahoo's email servers, or
  2. its DKIM signature is verified.

A DKIM signature[5] is a public key cryptographic signature of the email body and some headers included in the message header "DKIM-Signature". A verified DKIM signature means that email body and signed headers have not been modified.

Comprehensive resources about DMARC tend to downplay or ignore its problems, but some that have helped me are Wikipedia[6], the Mailman wiki[1], dmarc.org wiki[7], and the DMARC rfc[8].

[1]: https://wiki.list.org/DEV/DMARC
[2]: https://lists.debian.org/debian-devel-announce/2015/08/msg00003.html
[5]: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[6]: https://en.wikipedia.org/wiki/DMARC
[7]: https://dmarc.org/wiki/FAQ#senders
[8]: https://tools.ietf.org/html/rfc7489

Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
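
Added example, not part of the email above and not Mailman's own code: a small Python model of the two facts the overview relies on, namely that a list footer changes the DKIM body hash (the bh= value, here with "simple" canonicalization from RFC 6376) and that a p=reject policy is what triggers the "Munge From" rewrite. The function names, the p=none record and the footer text are assumptions made for the illustration; header signing and the DNS lookup itself are not modeled.

```python
import base64
import hashlib
from email import message_from_string
from email.utils import formataddr, parseaddr

def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; {} when it is not a DMARC1 record."""
    pairs = (p.split("=", 1) for p in txt.strip().strip('"').split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else {}

def body_hash(body):
    """DKIM bh= value: SHA-256 over the 'simple' canonical body (RFC 6376, 3.4.3)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":      # trailing empty lines are ignored
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def munge_from(msg, list_name, list_addr):
    """Rewrite From to the list and keep the author reachable via Reply-To."""
    name, addr = parseaddr(msg["From"])
    msg.replace_header("From", formataddr((f"{name or addr} via {list_name}", list_addr)))
    msg["Reply-To"] = formataddr((name, addr))

def relay(raw, dmarc_txt, footer, list_name="Alist", list_addr="alist@listdomain"):
    """Append the footer; munge From only when the author's domain has p=reject."""
    msg = message_from_string(raw)
    signed_bh = body_hash(msg.get_payload())
    msg.set_payload(msg.get_payload() + footer)
    broken = body_hash(msg.get_payload()) != signed_bh
    if broken and parse_dmarc(dmarc_txt).get("p") == "reject":
        munge_from(msg, list_name, list_addr)
    return broken, msg

# Record text follows the overview above; the p=none record and footer are constructed.
STRICT = '"v=DMARC1; p=reject; pct=100; rua=mailto:address@hidden;"'
LAX = "v=DMARC1; p=none"
RAW = ("To: alist@listdomain\n"
       "From: Anne Example Person <exampleperson@examplepersonsdomain>\n"
       "Subject: hello\n\nBody text.\n")
FOOTER = "-- \nalist mailing list\n"

if __name__ == "__main__":
    for txt in (STRICT, LAX):
        broken, out = relay(RAW, txt, FOOTER)
        print(broken, out["From"], out["Reply-To"], sep=" | ")
```

With the footer turned off, the body hash stays equal to the signed one, which is the situation the "unmodified message fix" aims for.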