On Fri, Jul 09, 2021 at 11:43:56PM +0300, Kevin N. wrote:

> Not sure if that is the case here, but sometimes mailing list
> software alters the original message headers which then can lead to
> failed DKIM signature checks.

Most probably. This is a known problem.

DKIM is (roughly speaking) a signature over a hash over some of the mail headers. It assumes that whoever has control over the sender's domain name in DNS can authorize the sender to send mails[1], because DNS is where the public key for the check is published.

Now a mailing list has to munge some of the mail headers, thus breaking the signature. Here[2] is a readable explanation. There's even an RFC6377[3] for that.

No idea how lists.debian.org handles that.

Cheers

[1] The result is that now a significant fraction of the spam I receive has a correct DKIM signature: they use throwaway Google or Hotmail accounts. The irony is that those Big Guys are the ones who forced us all to implement DKIM to "fight spam", because they'd refuse any mail without (now Hotmail and the other Microsoft-fueled providers have discovered something even better). Dirty bros. I *hate* them.

[2] https://doc.coker.com.au/internet/dkim-and-mailing-lists/

[3] RFC6377 "DomainKeys Identified Mail (DKIM) and Mailing Lists"
    https://datatracker.ietf.org/doc/html/rfc6377

- t
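
Added example, not part of the original message: a Python sketch of the two values a DKIM verifier recomputes (the `bh=` body hash and the digest over the signed headers, using RFC 6376 "relaxed" canonicalization), showing that whitespace-only changes survive while list munging does not. The sample message, the `[example-list]` subject tag and the footer text are constructed assumptions, and the header digest is simplified as noted in the comments.

```python
import base64
import hashlib
import re

def canon_body_relaxed(body: str) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip trailing WSP and trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """Value the signer stores in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body_relaxed(body)).digest()).decode()

def canon_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def header_digest(headers: dict, signed: list) -> str:
    """Digest over the h= headers. Simplified: real DKIM also hashes the
    DKIM-Signature header itself and then signs the digest with the domain key."""
    data = "".join(canon_header_relaxed(h, headers[h]) for h in signed)
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample message (not from the thread), as signed by the author's domain.
SIGNED = ["From", "Subject", "Date"]
HEADERS = {"From": "Alice <alice@example.org>", "Subject": "DKIM question",
           "Date": "Fri, 09 Jul 2021 20:00:00 +0000"}
BODY = "Does the list break DKIM?\r\n"

def list_munge(headers: dict, body: str):
    """Hypothetical list behaviour: add a subject tag and append a footer."""
    tagged = dict(headers, Subject="[example-list] " + headers["Subject"])
    return tagged, body + "-- \r\nTo unsubscribe, mail list-request@example.org\r\n"

def survives(headers: dict, body: str) -> bool:
    """True if both values the verifier recomputes still match the signed original."""
    return (body_hash(body) == body_hash(BODY)
            and header_digest(headers, SIGNED) == header_digest(HEADERS, SIGNED))

if __name__ == "__main__":
    refolded = dict(HEADERS, Subject="DKIM   question ")   # whitespace-only change
    print("whitespace change survives:", survives(refolded, BODY + "\r\n"))
    print("list-munged copy survives: ", survives(*list_munge(HEADERS, BODY)))
```
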