[MlMt] List membership disabled -- excessive bounces?

[Bill Cole]

On 2025-05-19 at 09:26:11 UTC-0400 (Mon, 19 May 2025 15:26:11 +0200)
Benny Kjær Nielsen <mailmate at lists.freron.com>
is rumored to have said:

> On 19 May 2025, at 14:48, Bill Cole wrote:
>
>> On 2025-05-19 at 05:22:42 UTC-0400 (Mon, 19 May 2025 11:22:42 +0200)
>> Benny Kjær Nielsen <mailmate at lists.freron.com>
>> is rumored to have said:
>>
>>> I'm not sure if this indicates that all senders on the mailing list have to have DKIM configured for their domains now? This is not the case for the From address involved.
>>
>> I believe it only requires that all mailing lists using Mailman that touch the body to "Munge All" From addresses and re-sign messages.
>
> Currently, this only happens for emails from domains with DMARC enabled and a reject policy. Even if I did this for all emails from domains with DMARC enabled then I don't think it would solve this problem. There would still be emails with a DKIM signature from a non-DMARC domain. My server would either need to strip the DKIM-headers or munge/resign these emails as well, but I don't see an option for that in Mailman (2.x).

There's no need to strip out existing DKIM signatures. That's why Mailman doesn't do it. It is entirely safe for a message to carry multiple DKIM signatures from different domains. The only one that matters for DMARC is the one that aligns with the "From" header address.

More importantly, if you munge the From on all messages, then DMARC conformance is entirely in your own hands. You can either sign messages OR not, and rely on the existence of valid SPF aligned (in the same domain and in some cases a sibling or child) with the From header to authenticate for DMARC, since a munged From will align with the envelope sender.

> I might have gotten this totally wrong, but I'm pretty sure the latest Gmail problem is related to a failed DKIM signature. (Even the emails with no DKIM signature might eventually become a problem.)

A broken author-domain signature (which will always be broken by this list due to the footer) is not a problem by itself, because DMARC can just as easily use aligned SPF for authentication, IF you always munge From.

> It seems to me that I should perhaps just munge the From header in all emails.

That should work for all recipients who do not have their mail forwarded by their subscribed address to somewhere else. Adding your own DKIM signature could allow that mail to still pass DMARC in any subsequent forwarding hop.

>> Using the "Wrap" option is arguably the technically best approach but it is the least user-friendly because not all MUAs handle the message/rfc822 content-type adeptly.
>
> I have the unique advantage of knowing that most users of the mailing list will be using MailMate to view the emails.

Right. Also, MailMate already handles wrapped messages reasonably well.

> I could add features handling this gracefully. This might be better going forward although I don't know if such atypical emails would be seen as more or less spammy by the algorithms out there.

FWIW (with my SpamAssassin PMC member hat on) I do not expect that wrapped messages will cause trouble with spam filters. The approach in SpamAssassin is essentially treating message/rfc822 attachments as opaque blobs.

-- 
Bill Cole
bill at scconsult.com or billcole at apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire