Problem
Emails received from WMIT Mailman may have invalid DKIM signature and can be (often) marked as spam.
Example of a problematic header:
Authentication-Results: example.wikimedia.it (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=example.com header.b=JTAvJYcU; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=example.com header.b=JTAvJYcU
Note:
fail (message has been altered)
Context
When someone (with a recent mailserver, I mean a DKIM-enabled mailserver) sends an email to the WMIT Mailman, it may be cases where the original DKIM firm is valid, but Mailman delivers invalid DKIM-Signature signature, and so the email is marked as spam and, often, discarded by receivers.
This happens because Mailman alters the original message. This happens in various ways: changing the subject, adding the prefix [Something], altering the body, altering the From:, etc.
Mailman alters the original message and it breaks the original DKIM signature.
Ideal solution
- strip the DKIM-Signature: header since it cannot be valid anymore if Mailman changes the original message
- (bonus point) preserve the old DKIM signature in another (non?)standard header (uhm... ?... X-original-DKIM-Signature:) for cryptography lovers who might want to check it out
- (bonus point) introduce a valid DKIM-Signature: generated by the Mailman's underlying mailserver, in order to have a valid signature respecting the new message delivered from Mailman
Having said that, I don't think this solution can be implemented easily in Mailman.
Proposed solution
Edit the Mailman configuration file and set remove_dkim_headers: yes in order to strip the header DKIM-Signature: that usually contains an invalid firm, since the original message was altered by Mailman and so its crypto signature is invalid.
Related documentation explaining default value:
# Some list posts and mail to the -owner address may contain DomainKey or # DomainKeys Identified Mail (DKIM) signature headers <http://www.dkim.org/>. # Various list transformations to the message such as adding a list header or # footer or scrubbing attachments or even reply-to munging can break these # signatures. It is generally felt that these signatures have value, even if # broken and even if the outgoing message is resigned. However, some sites # may wish to remove these headers by setting this to 'yes'. remove_dkim_headers: no