
Re: MTA (DMARC)



On Fri, Jul 09, 2021 at 11:43:56PM +0300, Kevin N. wrote:
> Not sure if that is the case here, but sometimes mailing list
> software alters the original message headers which then can lead to
> failed DKIM signature checks.

Most probably. This is a known problem. DKIM is (roughly speaking) a
signature over a hash over some of the mail headers. It assumes that
whoever has control over the sender's domain name in DNS can authorize
the sender to send mails[1], because DNS is where the public key for
the check is published.

Now a mailing list has to munge some of the mail headers, thus breaking
the signature. Here[2] is a readable explanation. There's even an
RFC6377[3] for that.

No idea how lists.debian.org handles that.

Cheers

[1] The result is that now a significant fraction of the spam I receive
   has a correct DKIM signature: they use throwaway Google or Hotmail
   accounts. The irony is that those Big Guys are the ones who forced
   us all to implement DKIM to "fight spam", because they'd refuse any
   mail without (now Hotmail and the other Microsoft-fueled providers
   have discovered something even better). Dirty bros. I *hate* them.

[2] https://doc.coker.com.au/internet/dkim-and-mailing-lists/

[3] RFC6377 "DomainKeys Identified Mail (DKIM) and Mailing Lists"
    https://datatracker.ietf.org/doc/html/rfc6377

 - t
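
The breakage described in the message above, as an added example that is not part of the original post: it applies DKIM's relaxed canonicalization (RFC 6376) to a constructed message and shows which list-style changes survive it. The address, the selector `sel`, the subject tag and the footer are made up, and comparing digests stands in for the RSA verification against the key in DNS.

```python
import base64, hashlib, re

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse whitespace runs."""
    value = re.sub(r"[ \t]+", " ", re.sub(r"\r\n(?=[ \t])", "", value)).strip()
    return name.strip().lower() + ":" + value + "\r\n"

def body_hash(body):
    """bh= value under relaxed body canonicalization (RFC 6376 3.4.4)."""
    lines = [re.sub(r"[ \t]+", " ", l).rstrip(" ") for l in body.split("\r\n")]
    while lines and not lines[-1]:
        lines.pop()                               # trailing empty lines are ignored
    canon = "".join(l + "\r\n" for l in lines)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def tag(sig_value, name):
    """Read one tag (h, bh, ...) from a DKIM-Signature value."""
    return re.search(r"(?:^|;)\s*" + name + r"=([^;]*)", sig_value).group(1).strip()

def header_digest(headers, sig_value):
    """SHA-256 over the h= headers plus DKIM-Signature with b= empty (the signed data)."""
    pool, data = list(headers), ""
    for name in tag(sig_value, "h").split(":"):
        for i in range(len(pool) - 1, -1, -1):    # last unused instance first
            if pool[i][0].lower() == name.strip().lower():
                data += relaxed_header(*pool.pop(i))
                break
    sig = relaxed_header("DKIM-Signature", sig_value)[:-2]   # no trailing CRLF
    return hashlib.sha256((data + sig).encode()).hexdigest()

def check(headers, body, sig_value, signed_digest):
    """(body_ok, headers_ok); digest equality stands in for the RSA check."""
    return (body_hash(body) == tag(sig_value, "bh"),
            header_digest(headers, sig_value) == signed_digest)

# Constructed sample; example.org and selector "sel" are placeholders.
ORIG = [("From", "Alice <alice@example.org>"), ("Subject", "MTA  (DMARC)"),
        ("Date", "Fri, 09 Jul 2021 23:43:56 +0300")]
BODY = "Hello list,\r\nquick DKIM question.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel; "
       "h=from:subject:date; bh=" + body_hash(BODY) + "; b=")
SIGNED = header_digest(ORIG, SIG)

def results():
    subj = lambda s: [(n, s if n == "Subject" else v) for n, v in ORIG]
    footer = BODY + "-- \r\nTo unsubscribe, mail the list server.\r\n"
    return {"refolded": check(subj("MTA\r\n\t(DMARC)"), BODY, SIG, SIGNED),
            "subject tag": check(subj("[example-list] MTA (DMARC)"), BODY, SIG, SIGNED),
            "body footer": check(ORIG, footer, SIG, SIGNED)}

if __name__ == "__main__":
    print(results())
```

A relay that only re-wraps the Subject line leaves both checks intact, a subject tag changes the signed header digest, and an appended footer changes the body hash.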
