[postgis-devel] DMARC/DKIM mitigation on mailing lists

Magnus Hagander magnus at hagander.net
Wed Oct 25 13:11:07 PDT 2023


On Wed, Oct 25, 2023 at 10:42 AM Sandro Santilli via postgis-devel
<postgis-devel at lists.osgeo.org> wrote:
>
> Modern email spam-prevention policies use email signing
> and modifying email body (and sometimes headers) breaks
> the signatures, resulting in mailing list messages sometimes
> going to spam folders of subscribers.
>
> I'm planning to experiment changing the Mailman configuration
> for the postgis-tickets mailing list [1] to serve as a kind
> of testbed for signed-email-handling improvements.
>
> The change would be:
>
>   - Stop adding a [postgis-tickets] suffix in the subject line
>   - Stop adding a footer to every email
>
> The rationale is that the same information is already included
> in the messages in form of RFC822 headers:
>
>   - List-Id
>   - List-Unsubscribe
>   - List-Archive
>   - List-Post
>   - List-Help
>   - List-Subscribe
>
> DMARC/DKIM problems have been reported for other osgeo mailing
> lists and so far the solution implemented has been that of
> changing the From and Reply-To headers, but only when the sender
> has DMARC active, which introduces more complexity instead of
> reducing it:
>
>   - https://trac.osgeo.org/osgeo/ticket/2726
>   - https://trac.osgeo.org/osgeo/ticket/2639
>
> I'm adding in cc Paolo as someone who's known to have a DMARC enabled
> domain and thus in a position to test with this, Greg who's a
> proponent of reduced complexity in mailing lists and Markus who
> confirmed grass-dev having similar troubles.
>
> This mail thread should have maybe started on the OSGeo Projects
> mailing list but I'm using postgis-devel as I only intend to tweak
> `postgis-tickets` list for tests, and if we find the test is
> successful we could suggest to projects to tweak ALL lists like this.
>
> Does anyone in PostGIS team have reasons to hold back from changing
> the postgis-tickets mailing list? It only has 22 subscribers so
> sounds like a great fit to me :)

Just a FYI for you, the postgresql.org mailing lists did this many
years ago now, I think back in 2018. It greatly reduced the problems
we had with emails getting sent to people's spam. In fact, getting
this done was one of several reasons we moved off mj2. If I look at my
own mailbox today, the vast majority of the list mail I see going to
spam is for the postgis lists, and a few other minor notification
lists that explicitly do this and can't be handled.

Furthermore, with the increased focus on these things from "small"
providers like gmail, we are currently also extending this to
validating all DKIM signatures as they enter our list server and not
delivering emails that have broken DKIM signatures. In particular, it's
a pattern that some people DKIM sign the fact that the mail should
*not* be on a list (by signing the list-* headers). Letting through
email with bad DKIM signatures increases the likelihood that valid
email from the same servers and domains get flagged as spam. It's not
a lot of people, but it can be enough to hurt.

We are not currently doing anything with DMARC. We have started
looking at ARC but as mentioned downthread it feels fairly early and
we're not there yet.

I don't partake in the postgis lists enough to really influence
what you do, but I wanted to share the experience we've seen on the
postgresql lists management side.

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
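
The thread above names three list-server changes that can invalidate a sender's DKIM signature: tagging the subject, appending a footer, and adding List-* headers the sender has signed as absent. The following is an added example, not code from either poster, Mailman or the postgresql.org list software; it reads a signature's `h=` and `l=` tags and reports which of those changes would break it. The function names and both sample messages are constructed for illustration, and the footer check assumes a footer appended to the end of a single-part body.

```python
from email import message_from_string

LIST_HEADERS = ("list-id", "list-unsubscribe", "list-archive",
                "list-post", "list-help", "list-subscribe")

def dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def list_breakage(raw):
    """Return the list-server changes that would invalidate the DKIM signature."""
    msg = message_from_string(raw)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return None  # unsigned mail: nothing to break
    tags = dkim_tags(sig)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    present = [k.lower() for k in msg.keys()]
    broken = set()
    if "subject" in signed:
        broken.add("subject-tag")   # rewriting a signed Subject changes the header hash
    if "l" not in tags:
        broken.add("footer")        # without l= the body hash covers the whole body
    for name in LIST_HEADERS:
        # h= names a header more often than it occurs: the signer asserted its
        # absence, so a list server adding that header breaks the signature
        if signed.count(name) > present.count(name):
            broken.add("add-" + name)
    return broken

# Constructed sample messages; bh= and b= are placeholders, not real signatures.
BODY = "From: a@example.org\nTo: list@example.net\nSubject: hello\n" \
       "Date: Wed, 25 Oct 2023 10:42:00 +0000\n\nhello\n"
SAMPLE_A = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\n"
            " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n" + BODY)
SAMPLE_B = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; l=5;\n"
            " h=from:date:list-id:list-unsubscribe; bh=PLACEHOLDER; b=PLACEHOLDER\n" + BODY)

if __name__ == "__main__":
    for label, raw in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, sorted(list_breakage(raw)))
```
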

