From alialnu at nvidia.com Mon Nov 8 15:05:42 2021 From: alialnu at nvidia.com (Ali Alnubani) Date: Mon, 8 Nov 2021 14:05:42 +0000 Subject: [dpdk-moving] DMARC mitigation in dpdk.org's mailing list In-Reply-To: References: Message-ID: Hi all, > -----Original Message----- > From: Ali Alnubani > Sent: Thursday, September 23, 2021 12:15 PM > To: announce at dpdk.org; users at dpdk.org; web at dpdk.org > Subject: DMARC mitigation in dpdk.org's mailing list > > Hi all, > > Due to the changes that Mailman (our mailing list software) does to posts > before distributing them, DKIM and DMARC verification will fail for emails > originating from the domains that support them. This causes some posts to > go into spam/quarantine and sometimes completely discarded depending on > the domain's policy. > > DKIM (DomainKeys Identified Mail) is a form of email authentication that > uses public key cryptography to digitally sign outgoing emails. Senders add > this signature to the headers of the email message for the receiving mail > servers to validate against. The sender specifies which of the original headers > is covered by this signature. > DMARC (Domain-based Message Authentication, Reporting, and > Conformance) basically allows domains to publish policies that tell receiving > mail servers how to handle DKIM verification failures. Strict policies can be > set to either reject (message not delivered to user's mailbox), or quarantine > (spam/junk) the messages failing them. > > I would like to propose making some mailing list configuration changes to > mitigate and reduce signature breakage: > - Disable prepending subject prefixes (e.g., [dpdk-dev]). > Making this change will probably break the rules and filters list members > have for their mailboxes if they filter by the subject prefix. > Members can filter by Mailman's List-Id header instead, or by the To/Cc > headers. > - Disable rewriting the "Sender" header. > Mailman replaces this header by default with the list's bounce address to > direct bounces from some broken MTAs to the right destination. > - Disable conversion of text/html to plain text. > Mailman currently strips MIME attachments and does text/html to plain text > conversion. > > We experimented for a while with these changes in a test list we created > (https://mails.dpdk.org/listinfo/test-dmarc), and we found that they helped > in mitigating signature breakage. > We tested with signed emails from the domains: nvidia.com, broadcom.com, > and gmail.com. We verified that posts on the test list showed passing > DKIM/DMARC results in their 'Authentication-Results' header. > > We plan on making these changes to users at dpdk.org and web at dpdk.org > first, and then to the rest of the lists once we make sure there are no > unexpected issues. > I'm seeing less DKIM and DMARC breakage from users at dpdk.org and web at dpdk.org after making the changes mentioned above. I had a discussion with the technical board, and they approved making the changes to the rest of the lists. We'll apply the change in 2 days. Feedback is still appreciated. Thanks, Ali