Re: [mailop] Email System Testing Methodologies?

2022-06-14 Thread Jesse Hathaway via mailop
Thanks everyone for the suggestions, here is my summary of responses:

Configuration Checkers:

  Web Based

1. mxtoolbox.com
2. gmail -> view source

  CLI

1. mailsec-check, https://github.com/foxcpp/mailsec-check

Email Echo Testers:

1. check-a...@verifier.port25.com
2. https://www.mail-tester.com
3. e...@univie.ac.at
4. p...@stamper.itconsult.co.uk

I was also hoping for some testing methodologies which could be used in
a private staging or development environment, but none of those
materialized.
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Alan Hodgson via mailop
On Tue, 2022-06-14 at 19:07 +0200, Slavko via mailop wrote:
> Hi,
> 
> On Tue, 14 Jun 2022 16:51:55 + Ken O'Driscoll via mailop wrote:
> 
> > I wouldn't suggest that you implement DMARC on your list domain
> > as it won't help with deliverability and will just cause more
> > issues. It's not really designed for mailing lists.
> 
> Please, what issues will DMARC with policy None cause? Would it not be
> better to suggest this instead of no DMARC?

You need to replace the From: address with your own address if you're
going to use any DMARC (or if the original sender uses DMARC).



Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Axel Rau via mailop
Hi Ken,

thanks for your advice.

> On 14.06.2022 at 18:51, Ken O'Driscoll wrote:

> * DKIM sign all list messages with your own key
Which headers should I sign?
> * Use different DKIM keypairs for each list
> * Don’t modify the original message body (e.g., adding in a list footer etc.)
Done.
> * If the sender's domain has DMARC with an enforcing policy
> (p=quarantine/reject) then rewrite the 5322.From to use the list's domain
I have to find out how to do this in exim.

Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Ken O'Driscoll via mailop
Hi Matthew,

The point of using different keypairs for different lists is that some message 
filters use the DKIM signing domain as a data point when calculating sender 
reputation.

Ideally, you want to have the signing domain match the From domain. If the 
lists use different From domains, then I'd recommend different keypairs for 
that reason.

If it's all using the same domain then the same keypair across all lists is 
probably fine.

If you really want to get into the weeds, different keypairs can help you 
isolate and limit the reputational risk from DKIM replay attacks regardless 
of the same sending domain.

But message volume also matters for building reputation, and there's no point 
in using separate keys for double digit per-list daily volumes. Combining under 
one key and one domain may also be a winning strategy in that case.

Ken.


From: mailop on behalf of Matthew Richardson via mailop
Sent: Tuesday, 14 June 2022, 19:30
To: mailop@mailop.org 
Subject: Re: [mailop] Best practice for mailing list servers

Ken O'Driscoll wrote:-

>* Use different DKIM keypairs for each list

Out of interest, why?

Are there any known issues with using the same keypair across multiple
lists, or indeed across multiple sending domains?

--
Best wishes,
Matthew


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Slavko via mailop
Hi,

On Tue, 14 Jun 2022 18:00:49 + Ken O'Driscoll via mailop wrote:

> p=none is not always harmless. Some message filters treat p=none
> differently to not having DMARC. For example, Alice periodically
> treats p=none as equivalent to p=reject. Or there is an ISP who junks
> mail from domains with an RUA pointing to a freemail account,
> regardless of the policy. They are perhaps, rare, and extreme cases
> but there are more than a few providers that don't implement DMARC
> correctly and don't send reports either - messages just don't reach
> the inbox.

Thanks, but if someone has (their own) restricted rules, this cannot be
a reason for that to go into "best practices" at all, as this is a way to
"legitimize" them, which is IMO the wrong way.

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Matthew Richardson via mailop
Ken O'Driscoll wrote:-

>* Use different DKIM keypairs for each list

Out of interest, why?

Are there any known issues with using the same keypair across multiple
lists, or indeed across multiple sending domains?

--
Best wishes,
Matthew


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Ken O'Driscoll via mailop
Hi Slavo,

p=none is not always harmless. Some message filters treat p=none differently to 
not having DMARC. For example, Alice periodically treats p=none as equivalent 
to p=reject. Or there is an ISP who junks mail from domains with an RUA 
pointing to a freemail account, regardless of the policy. They are perhaps, 
rare, and extreme cases but there are more than a few providers that don't 
implement DMARC correctly and don't send reports either - messages just don't 
reach the inbox.

So, in this case, where I know absolutely zero about the poster's MLM audience 
etc., I recommend no DMARC record at all. It gives the best possible chance of 
the mailing list messages achieving inbox placement. Plus, most list operators 
don't have the time to be lecturing/mediating/pleading with ISPs who are 
blocking messages because they don't understand DMARC.

Of course, maybe the lists in question have a risk profile that would justify 
DMARC. If so, then it should be deployed fully, not just left lingering at 
p=none.

I do have a client where we implemented DMARC with p=reject on their lists. But 
they are not public lists, and the recipients belong to a very limited number 
of known domains.

Ken.

> -Original Message-
> From: mailop  On Behalf Of Slavko via mailop
> Sent: Tuesday 14 June 2022 18:08
> To: mailop@mailop.org
> Subject: Re: [mailop] Best practice for mailing list servers
> 
> Hi,
> 
> On Tue, 14 Jun 2022 16:51:55 + Ken O'Driscoll via mailop wrote:
> 
> > I wouldn't suggest that you implement DMARC on your list domain as it
> > won't help with deliverability and will just cause more issues. It's
> > not really designed for mailing lists.
> 
> Please, what issues will DMARC with policy None cause? Would it not be
> better to suggest this instead of no DMARC?
> 
> regards
> 
> --
> Slavko
> https://www.slavino.sk


Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Slavko via mailop
Hi,

On Tue, 14 Jun 2022 16:51:55 + Ken O'Driscoll via mailop wrote:

> I wouldn't suggest that you implement DMARC on your list domain as it
> won't help with deliverability and will just cause more issues. It's
> not really designed for mailing lists.

Please, what issues will DMARC with policy None cause? Would it not be
better to suggest this instead of no DMARC?

regards

-- 
Slavko
https://www.slavino.sk




Re: [mailop] Best practice for mailing list servers

2022-06-14 Thread Ken O'Driscoll via mailop
Hi Axel,

I would suggest:

* Make sure that the list's 5321.From (return-path/envelope/MAILFROM) domain 
has a valid and restrictive SPF 
* DKIM sign all list messages with your own key
* Use different DKIM keypairs for each list
* Don’t modify the original message body (e.g., adding in a list footer etc.)
* If the sender's domain has DMARC with an enforcing policy 
(p=quarantine/reject) then rewrite the 5322.From to use the list's domain

Not modifying the body of the message will give any original DKIM message 
signature the best chance of preserving validity.

Signing with your own DKIM key will create an additional reputation data point 
for message filters, which will help over time.

DMARC won't survive a MLM, so you have to rewrite the From to give the message 
a chance of being received. Your own DKIM signature will still be valid.

Implementing ARC wouldn't hurt, but don't expect it to magically fix anything. 
Your ARC set still needs to be trusted by message filters which implement ARC 
and there is no centralised mechanism to facilitate this yet. Larger providers 
may use ML to trust particular ARC header sets but who knows.

I wouldn't suggest that you implement DMARC on your list domain as it won't 
help with deliverability and will just cause more issues. It's not really 
designed for mailing lists.

Ken.

> -Original Message-
> From: mailop  On Behalf Of Axel Rau via
> mailop
> Sent: Tuesday 14 June 2022 16:51
> To: Paul Vixie via mailop 
> Subject: [mailop] Best practice for mailing list servers
> 
> Hi all,
> 
> I’m running a mailman3 site with several small mailing lists.
> 
> Today Google let all mails without DKIM sig bounce.
> Other ESPs refuse my mails because of broken DKIM sig.
> 
> Currently the listserver does not DKIM-sign nor remove DKIM-sigs.
> 
> It seems, that mails with DKIM-sig (from the author domain, but broken
> by the list server) are accepted by Google.
> 
> Should I adopt ARC?
> Along with DMARC?
> 
> What is best practice in 2022?
> 
> 
> Any help appreciated,
> Axel
> ---
> PGP-Key: CDE74120  ☀  computing @ chaos claudius
> 
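
An added example, not part of the thread and not Mailman's or exim's own code: Python for the last point in Ken's list, rewriting the 5322.From only when the author's domain publishes an enforcing DMARC policy. Assumptions: the DMARC TXT records come from a constructed dict instead of DNS, only the exact From domain is looked up (no organizational-domain fallback or `sp=` handling), the list name and address are hypothetical, and putting the author into Reply-To is a choice made here that the thread does not discuss.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample data: TXT records a resolver would return for _dmarc.<domain>.
DMARC_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or {} if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def is_enforcing(domain, lookup=DMARC_TXT.get):
    """True when the domain publishes p=quarantine or p=reject.
    Assumption: exact-domain lookup only, no organizational-domain fallback."""
    policy = parse_dmarc(lookup("_dmarc." + domain.lower()) or "").get("p", "")
    return policy.lower() in ("quarantine", "reject")

def rewrite_from(msg, list_name, list_addr):
    """Rewrite 5322.From to the list's address if the author's domain enforces DMARC."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2]
    if not is_enforcing(domain):
        return False                      # p=none or no record: leave From alone
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:             # assumption: keep the author reachable
        msg["Reply-To"] = addr
    return True

def process(raw, list_name="Demo List", list_addr="demo@lists.example"):
    """Parse a raw message, apply the rewrite, and return the resulting headers."""
    msg = message_from_string(raw)
    changed = rewrite_from(msg, list_name, list_addr)
    return changed, msg["From"], msg["Reply-To"]

# Constructed sample message from an author whose domain publishes p=reject.
SAMPLE = "From: Alice <alice@strict.example>\nTo: demo@lists.example\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    print(process(SAMPLE))
    print(process(SAMPLE.replace("strict", "monitor")))
```

The rewrite has to run before the list applies its own DKIM signature, so that the signature covers the rewritten From and the signing domain matches the From domain.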


[mailop] Best practice for mailing list servers

2022-06-14 Thread Axel Rau via mailop
Hi all,

I’m running a mailman3 site with several small mailing lists.

Today Google let all mails without DKIM sig bounce.
Other ESPs refuse my mails because of broken DKIM sig.

Currently the listserver does not DKIM-sign nor remove DKIM-sigs.

It seems, that mails with DKIM-sig (from the author domain,
but broken by the list server) are accepted by Google.

Should I adopt ARC?
Along with DMARC?

What is best practice in 2022?


Any help appreciated,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



Re: [mailop] Curious, any one seeing fake SpamCop reports over the weekend?

2022-06-14 Thread Atro Tossavainen via mailop
On Mon, Jun 13, 2022 at 08:10:23AM -0700, Michael Peddemors via mailop wrote:
> Real strange, fake abuse addresses..

Plenty of the same in the spamtraps.

-- 
Atro Tossavainen, Founder, Partner
Koli-Lõks OÜ (reg. no. 12815457, VAT ID EE101811635)
Tallinn, Estonia
tel. +372-5883-4269, http://www.koliloks.eu/


Re: [mailop] Paper on email delivery/standards adoption

2022-06-14 Thread Tobias Fiebig via mailop
Heho,

Thanks, already found that. :-|

There is another embarrassing one later on in the paper. Sadly nothing we can 
do about the version going to Usenix anymore. :-/

With best regards,
Tobias

--
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl


From: mailop  On Behalf Of Patrick Ben Koetter via 
mailop
Sent: Tuesday, 14 June 2022 11:41
To: mailop@mailop.org
Subject: Re: [mailop] Paper on email delivery/standards adoption

 

Typo in line 4 SMPT -> SMTP

On 13.06.22 at 21:21, Tobias Fiebig via mailop wrote:

Heho,
Quite some time ago I asked the list for some help in an ongoing email 
measurement study; the paper is now finally out and accepted.

An open-access preprint can be found here:
https://pure.mpg.de/rest/items/item_3384330_2/component/file_3388008/content

I guess the most interesting result on this list is that the 'Email Camel' 
(after the DNS Camel) is more complex than... well, DNS.

Anyway, figured it might be interesting for some on the list.

With best regards,
Tobias


-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein



Re: [mailop] Paper on email delivery/standards adoption

2022-06-14 Thread Patrick Ben Koetter via mailop

Typo in line 4 SMPT -> SMTP

On 13.06.22 at 21:21, Tobias Fiebig via mailop wrote:

Heho,
Quite some time ago I asked the list for some help in an ongoing email 
measurement study; the paper is now finally out and accepted.

An open-access preprint can be found here:
https://pure.mpg.de/rest/items/item_3384330_2/component/file_3388008/content

I guess the most interesting result on this list is that the 'Email Camel' 
(after the DNS Camel) is more complex than... well, DNS.

Anyway, figured it might be interesting for some on the list.

With best regards,
Tobias



--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein

