On 22.02.2024 at 15:14, Jeffrey Dafoe wrote:
> Gmail is rejecting emails after we moved the servers without telling us why, in
> enough detail to do anything about it.
It's not just Gmail.
I guess it's because of a wrong setting in the mailing list server.
The content of the original email is changed (the subject is prepended
by "[PHP-DEV]"), which breaks the original DKIM signature by the sender.
A new DKIM-signature is added by php.net, but it's not aligned to the
From:-header domain (which is still the original sender).
So the email doesn't have a valid ALIGNED DKIM signature.
SPF is valid for the envelope from, but is not aligned to the From:-header.
The result is:
There is neither aligned SPF nor aligned DKIM, which results in dmarc=fail.
Providers which honor DMARC will quarantine or reject these
unauthorized/forged emails.
There are 2 solutions:
1. Don't change the content or the DKIM-signed headers of the email (do
not prepend something in the subject). Then the original DKIM signature
stays valid and the From:-header can stay untouched.
2. If you change the email and break the original DKIM signature,
also change the From:-header to a domain which matches the new DKIM
signature, in this case set the From:-header to internals@lists.php.net.
This is called "munging" in mailing list software.
Michael
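
The alignment check described in the message above, as an added example that is not part of the original email and is not php.net's or any receiver's actual code. It takes the DKIM and SPF verification outcomes as inputs and evaluates DMARC identifier alignment for the delivered message and for both proposed fixes. Assumptions: the sender domain `example.org`, the signing domain `php.net`, the envelope-from domain `lists.php.net` and all message text are constructed, and the organizational domain is approximated by the last two labels instead of a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, candidate, strict=False):
    # Strict alignment needs an exact match; relaxed compares organizational domains.
    a, b = header_from.lower(), candidate.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_result(raw, valid_dkim_domains, spf_pass_domain):
    """valid_dkim_domains: d= values of signatures that verified at the receiver.
    spf_pass_domain: envelope-from domain that passed SPF, or None."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    dkim_ok = any(aligned(from_domain, d) for d in valid_dkim_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain)
    return {"from": from_domain, "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc": "pass" if dkim_ok or spf_ok else "fail"}

# Constructed sample messages (headers only as far as the check needs them).
AS_DELIVERED = "From: Alice <alice@example.org>\nSubject: [PHP-DEV] RFC\n\nbody\n"
UNMODIFIED = "From: Alice <alice@example.org>\nSubject: RFC\n\nbody\n"
MUNGED = ("From: Alice via internals <internals@lists.php.net>\n"
          "Subject: [PHP-DEV] RFC\n\nbody\n")

def scenarios():
    return {
        # Subject rewritten: sender's signature no longer verifies, only the list's does.
        "as_delivered": dmarc_result(AS_DELIVERED, ["php.net"], "lists.php.net"),
        # Solution 1: content untouched, so the sender's own signature still verifies.
        "solution_1": dmarc_result(UNMODIFIED, ["example.org", "php.net"], "lists.php.net"),
        # Solution 2: From: munged to the list address, which aligns with the list's signature.
        "solution_2": dmarc_result(MUNGED, ["php.net"], "lists.php.net"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```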