
Further improve DMARC compatibility on lists.wikimedia.org
Open, Medium, Public

Description

Ref

When lists.wikimedia.org processes incoming emails (let's say revi.email for the purpose of this ticket), it strips the DKIM-Signature from incoming mail and injects a lists.wm.o DKIM-Signature before firing outgoing messages. This breaks DMARC (even for p=none) because end recipients only get the DKIM signature stamped by lists.wikimedia.org, not revi.email. (SPF will of course fail, so that's out of the question.)
Maybe consider using ARC (it records the DKIM signature status when received by lists.wikimedia.org, thus allowing DMARC to pass even after mailing list processing)? (For example, kernel.org does ARC correctly, albeit not using mailman3...) (I originally intended to say "consider stop stripping senders' DKIM signature" but realized we tend to add footers, thus we are doomed to fail DKIM by editing the body in transit.)

For some real-life data, here are my 30-day statistics for revi.email. (Of these, kernel.org, wikimedia.org, sr.ht, fsfe.org, topicbox.com are mailing lists.)

30 days aggregation of revi.email DMARC reports

  • Out of 1963 emails sent from kernel.org (it is actually this single email), only 4 emails failed DMARC, all of which seem to be Outlook being unhappy with something, based on my reading of the XML files. (Well, kernel.org mailing lists do not strip senders' DKIM signatures, at least.)
  • Out of 348 emails sent from wikimedia.org, all 348 emails failed DMARC.
  • Out of 239 emails sent from sr.ht, only 1 email failed DMARC. My understanding of that 1 failure is double redirect.
  • FSFE and topicbox lists add footers, thus they are destined to fail DKIM.

w3.org mailing lists keep senders' DKIM and add w3.org DKIM. IETF mailing lists also do the same for ietf.org. Both use mailman 3. (I had no chance to send email to those lists, so I have no real-life data.)
Also, when you send email to -owners from revi.wiki (which has DMARC p=quarantine), it just appends lists.wikimedia.org DKIM on top of the existing revi.wiki DKIM, so this is not a generic mailman 3 issue.

As far as I can see, toolforge.org does ARC signing too, so ARC signing doesn't sound like an 'impossibility'.
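
An added example, not part of the original task or any Wikimedia tooling: a short Python sketch of the kind of per-list tally described above, reading an RFC 7489 aggregate report and separating DMARC failures where the author's DKIM signature never reached the receiver (stripped) from those where it arrived but no longer verified (for instance after a footer was added). The report fragment and the domains `sender.example`, `strip.example`, `keep.example` and `footer.example` are constructed; grouping by the SPF envelope domain and the simplified alignment test are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate-report fragment in the RFC 7489 schema (not real data).
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>sender.example</header_from></identifiers>
 <auth_results><dkim><domain>strip.example</domain><result>pass</result></dkim>
  <spf><domain>strip.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>5</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>sender.example</header_from></identifiers>
 <auth_results><dkim><domain>sender.example</domain><result>pass</result></dkim>
  <spf><domain>keep.example</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>2</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>sender.example</header_from></identifiers>
 <auth_results><dkim><domain>sender.example</domain><result>fail</result></dkim>
  <spf><domain>footer.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def aligned(sig_domain, from_domain):
    # Simplified relaxed alignment (assumption): equal, or one is a subdomain of
    # the other; real evaluators compare organizational domains.
    a, f = sig_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def summarize(xml_text):
    """Map relay (SPF envelope domain) -> total / fail / stripped / broken counts."""
    out = defaultdict(lambda: {"total": 0, "fail": 0, "stripped": 0, "broken": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        n = int(rec.findtext("row/count"))
        pe = rec.find("row/policy_evaluated")
        author = rec.findtext("identifiers/header_from")
        # DKIM results for signatures whose d= aligns with the From: domain
        own = [d.findtext("result") for d in rec.findall("auth_results/dkim")
               if aligned(d.findtext("domain"), author)]
        s = out[rec.findtext("auth_results/spf/domain")]
        s["total"] += n
        # DMARC fails only when neither aligned DKIM nor aligned SPF passed
        if pe.findtext("dkim") != "pass" and pe.findtext("spf") != "pass":
            s["fail"] += n
            s["broken" if own else "stripped"] += n
    return dict(out)

if __name__ == "__main__":
    for relay, counts in summarize(SAMPLE_REPORT).items():
        print(relay, counts)
```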

Event Timeline

revi moved this task from Incoming to Radar on the User-revi board.
Reedy renamed this task from Further imrpove DMARC compatibility on lists.wikimedia.org to Further improve DMARC compatibility on lists.wikimedia.org. Nov 11 2024, 3:29 PM
Ladsgroup added subscribers: jhathaway, Ladsgroup.

Adding the team owning it and @jhathaway who is migrating the MTA from exim4 to postfix.