Re: Is anyone here forwarding your bind-users messages to gmail or a google-hosted domain?

2022-04-20 Thread Matus UHLAR - fantomas

Dan Mahoney writes:

> We've seen a number of messages reported to us as having an isc.org "from"
> address, and as having our dkim signatures, but the signatures failing to
> verify, perhaps because a forwarder may have added a subject tag or
> rewritten some other header.  Of course, SPF also fails because those
> servers aren't in our SPF record.

On 20.04.22 10:55, Bjørn Mork wrote:

> I don't forward to gmail, but I've noticed that my DKIM signature on
> messages to this list fails verification. I believe this problem is
> specific to this list, as it doesn't happen with most other lists.
>
> I assume the reason is the body modifications by the list server.


apparently.

from what I know, mailman only modifies From: if the headers/body are 
changed AND dmarc policy of the originator domain is set to reject.

yours is "none".

I encountered this problem with a different mailing list and also got a customer 
ticket with the same problem.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Is anyone here forwarding your bind-users messages to gmail or a google-hosted domain?

2022-04-20 Thread Bjørn Mork

Dan Mahoney writes:

> We've seen a number of messages reported to us as having an isc.org "from" 
> address, and as having our dkim signatures, but the signatures failing to 
> verify, perhaps because a forwarder may have added a subject tag or 
> rewritten some other header.  Of course, SPF also fails because those 
> servers aren't in our SPF record.

I don't forward to gmail, but I've noticed that my DKIM signature on
messages to this list fails verification. I believe this problem is
specific to this list, as it doesn't happen with most other lists.

I assume the reason is the body modifications by the list server.

See for example <87mtgsx4n4@miraculix.mork.no> from Sun, 10 Apr 2022
18:52:15 +0200

Or you can just look at this message, which will have a valid DKIM
signature when received by the lists.isc.org mx.  But most likely messed
up when forwarded from lists.isc.org.

I'm pretty sure the invalid DKIM signature counts as negative for gmail
even if the ISC DKIM signature is valid.  And fixing that should be
within your control?


Bjørn


Is anyone here forwarding your bind-users messages to gmail or a google-hosted domain?

2022-04-19 Thread Dan Mahoney

Hey all,

I'm one of the people who admins ISC's mail servers, and also receives all 
our DKIM/SPF/DMARC failure reports.  (We use dmarcian.com)

We've seen a number of messages reported to us as having an isc.org "from" 
address, and as having our dkim signatures, but the signatures failing to 
verify, perhaps because a forwarder may have added a subject tag or 
rewritten some other header.  Of course, SPF also fails because those 
servers aren't in our SPF record.

This makes us look bad because it shows isc.org messages arriving at gmail 
in a non-compliant way, and it makes your mail servers look bad, because 
they're "spoofing" isc.org mail.

Worse, if ISC moves our dmarc record to a p=reject policy, you just won't 
get that email anymore, so it's definitely not future-proof.

Our dmarc reports only show us aggregates of the from/to/spf/dkim/dmarc 
status.  We can't easily inspect individual messages.

If this sounds like you, please do drop me a line privately at 
dmaho...@isc.org.  I'd love to work with you to ensure I understand what's 
going on and also see if we can make things work better for everyone.

Cheers,

-Dan