Re: [chrony-users] DNS/DKIM issue with tuxfamily.org?



Hi Joe

Your admin should be more precise: The mailing list or the servers that send 
the mail for the list do not add a DKIM header, only some of the member mail 
servers do add a DKIM header.

Because mailing list software alters some headers, like the subject, such 
headers should not be used in DKIM; it leads to a failed verification. Mails 
which fail a DKIM verification can only be discarded safely when the _adsp 
record of the sender says dkim=discardable; in all other cases, the mail should 
get delivered, see under [1].

This DKIM issue can only be addressed by your admin taking into account 
that mailing list software does exist, is used and isn't 100% compatible with 
DKIM, and as well that some admins configure DKIM in a bad way for mailing 
lists.

That means upon receiving a mail: Do not decide to never discard mails having 
a failed DKIM verification, give them a higher SPAM score instead. Decrease 
the SPAM score for mails having a List-... header (resp. use the corresponding 
test from spamassassin, if applicable).

Furthermore, your admin should change your DKIM record not to contain the 
subject, content-type and mime-version, which helps to verify a DKIM 
successfully even if the mail was altered by mailing list software.

Regards, Adrian.

[1] https://dkim.org/specs/draft-ietf-dkim-ssp-04.html

In the message of Tuesday, 12 December 2023 14:50:17 CET it says:
> Emails that I receive from tuxfamily.org for this group are being blocked by
> my organization, reportedly for security because of a failed DKIM lookup.
> My sysadmin indicated that the DKIM in DNS would need to be fixed. I tried
> sending an email to the tuxfamily.org admin a while back but got no
> response. I probably won't receive the responses to this if you respond to
> the group. Perhaps you can reply to me directly. I do apologize for this
> being off topic. I'd like to continue receiving these emails but can't if
> this DKIM issue isn't addressed. If any of you are able to look into this,
> it would be greatly appreciated. Thanks. Happy Holidays!
 
> 
> Joe Smith
> 
> Senior Software Engineer
> 
> Phoenix Defense
> 
> 200 East Palm Valley Drive | Suite 2000 | Oviedo, Florida 32765
> 800-RIPTIDE
> 
> joe.smith@xxxxxxxxxxxxxxx
> 
> 
> This email and any attachments to it are intended only for the identified
> recipients. It may contain proprietary or otherwise legally protected
> information of Phoenix Defense.
 
> Any unauthorized use or disclosure of this communication is strictly
> prohibited. If you have received this communication in error, please notify
> the sender and delete or otherwise destroy the email and all attachments
> immediately.
 


-- 
           -°)
~~~~~~~~~~~~(_^/~~~~

  Adrian Zaugg
  Zweierstrasse 56
  CH-8004 Zürich

  044 291 02 38
____________________


(This eMail gets best displayed
 using a monospace font.)

# Retrieve my public GPG key:
  gpg --locate-external-keys adi@xxxxxxxxxxxxxx

Attachment: signature.asc
Description: This is a digitally signed message part.
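
The receiver-side handling described in the reply above, as an added example that is not part of the original message or of any mail software's own code. The function names, the score weights and the sample signature and headers are constructed for illustration; the three header names and the `dkim=discardable` rule come from the reply.

```python
import re

# Headers the reply names as ones mailing list software may rewrite.
LIST_ALTERED = {"subject", "content-type", "mime-version"}

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature or ADSP TXT record)."""
    tags = {}
    for part in (value or "").split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def fragile_signed_headers(dkim_signature):
    """Return the h= entries that a list is likely to modify, breaking the signature."""
    signed = parse_tags(dkim_signature).get("h", "").lower().split(":")
    return sorted(set(signed) & LIST_ALTERED)

def disposition(dkim_passed, adsp_txt, headers):
    """Discard only on dkim=discardable; otherwise deliver with a spam score."""
    if dkim_passed:
        return ("deliver", 0.0)
    if parse_tags(adsp_txt).get("dkim", "unknown").lower() == "discardable":
        return ("discard", 0.0)
    score = 2.0  # constructed penalty for a failed verification
    if any(name.lower().startswith("list-") for name in headers):
        score -= 1.0  # constructed reduction for mail carrying List-... headers
    return ("deliver", score)

# Constructed sample input (not taken from the thread).
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
              "\th=From:To:Subject:Date:MIME-Version:Content-Type;\r\n"
              "\tbh=PLACEHOLDER; b=PLACEHOLDER")
SAMPLE_HEADERS = {"List-Id": "<list.example.org>", "Subject": "[list] hello"}

if __name__ == "__main__":
    print(fragile_signed_headers(SAMPLE_SIG))
    print(disposition(False, "dkim=all", SAMPLE_HEADERS))
    print(disposition(False, "dkim=discardable", SAMPLE_HEADERS))
```

ADSP (RFC 5617) was reclassified as Historic by the IETF in 2013, so a receiver today would normally read the sender's published policy from DMARC rather than from an `_adsp` record.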


