sympa-users list archive (The mailing list for listmasters using Sympa)

  • From: Steve Shipway <address@concealed>
  • To: Matt Taggart <address@concealed>, "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] problems with DMARC?
  • Date: Wed, 9 Apr 2014 01:10:11 +0000

I've been doing some more investigation on what Yahoo are up to.

Firstly, they are signing the message with *TWO* headers; DKIM-Signature AND
DomainKey-Signature. These are very similar but not identical. We only
strip and re-add the DKIM-Signature header, so the other continues through
and flags as invalid... we need to add DomainKey-Signature to our list of
stripped incoming headers, which may yet help. I'm not sure, but I think
that the identity-validation step is performed prior to header stripping, so
dkim-validated posting rights should still work.

Secondly, the DKIM header is ridiculously detailed. This is the list of
headers it signs:

h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;

Leaving aside the X-* headers, most of which are their own, I fail to see
the point in signing the Received header! This effectively makes the
signature invalid the moment it passes through another system, even if the
Reply-To header is not altered, as everything adds a Received header to the
set. Total overkill; Reply-To and Received should not be in there. As a
comparison, this is the list of headers which we sign:

h=from:to:subject:date:message-id:mime-version

This is the Yahoo.com DMARC record:

v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:address@concealed;

This means that, 100% of the time, reject messages which fail the policy.

Their SPF record states:

v=spf1 ptr:yahoo.com ptr:yahoo.net ?all

This is pretty lenient, and so should just do a soft fail if the message
comes from somewhere it should not. If they are using incoming SIDF in
non-compatible mode, it should check the envelope sender (which will be
correct as it is changed) and the PRA. The PRA should be the Sender header
or Reply-To, both of which are correct, but if it checks From then it will
(soft) fail.

Running a few tests, even stripping the DomainKey-Signature and
DKIM-Signature headers still results in their responding with a '5.7.9
Message not accepted for policy reasons' error, directing me to
http://postmaster.yahoo.com/errors/postmaster-28.html . This confirms the
issue is DKIM or SPF but unhelpfully does not tell us which or how.

If I can identify any more I'll let people know.

Sadly, we can't just refuse Yahoo.com emails here; we are a university with
many students who use this sort of service.

Steve Shipway
address@concealed


Attachment: smime.p7s
Description: S/MIME cryptographic signature
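The interaction described in the message above, as an added example that is not part of the original post and is neither Sympa's nor Yahoo's code: it takes the two DKIM h= tags and the DMARC and SPF records quoted in the message, applies the rewrites a list manager typically makes (prepend Received and List-Id, tag the Subject, point Reply-To at the list), and reports which signed header instances change. No signature is computed; the model tracks only whether the hashed header values would differ, which is what decides a real verifier's result. It follows the RFC 6376 rule that a verifier selects signed header instances from the bottom of the header block, so it distinguishes a Received header that was already present when the message was signed from one that was not. All addresses, header values and the rua= target (sender.example, example.invalid) are constructed.

```python
"""Model of how mailing-list header rewrites interact with a DKIM h= tag and
a DMARC policy.  Added example for this thread; not Sympa's or Yahoo's code.
Signatures are not computed: the model only tracks which signed header
instances change, which is what decides whether a real verifier would fail.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# The two h= tags and the DMARC/SPF records quoted in the message above
# (rua= address replaced with a constructed one).
YAHOO_H = ("X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:"
           "From:Reply-To:Subject:To:MIME-Version:Content-Type")
LIST_H = "from:to:subject:date:message-id:mime-version"
YAHOO_DMARC = "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:rua@example.invalid;"
YAHOO_SPF = "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all"


def parse_h_tag(h: str) -> List[str]:
    """Split a DKIM h= tag into lower-cased header names, in signing order."""
    return [n.strip().lower() for n in h.split(":") if n.strip()]


def parse_tag_record(record: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' record such as DMARC (same syntax as DKIM-Signature)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def signed_view(headers: List[Header], h_names: List[str]) -> List[Tuple[str, str]]:
    """Select the header instances a DKIM verifier hashes (RFC 6376 s.5.4.2):
    for each name in h=, take the bottom-most instance not already used; a
    name with no instance left contributes the empty string (its absence is
    signed).  Canonicalization is ignored, so any value change counts."""
    used = set()
    view = []
    for name in h_names:
        idx = next((i for i in range(len(headers) - 1, -1, -1)
                    if headers[i][0].lower() == name and i not in used), None)
        if idx is None:
            view.append((name, ""))
        else:
            used.add(idx)
            view.append((name, headers[idx][1]))
    return view


def broken_fields(before: List[Header], after: List[Header], h_tag: str) -> List[str]:
    """Names from h= whose signed instance differs after the list's rewrite."""
    names = parse_h_tag(h_tag)
    pairs = zip(signed_view(before, names), signed_view(after, names))
    return [n for (n, a), (_, b) in pairs if a != b]


def relay_through_list(headers: List[Header], list_addr: str = "sympa-users@example.invalid",
                       subject_tag: str = "[sympa-users]", set_reply_to: bool = True) -> List[Header]:
    """Typical list-manager rewrites: prepend Received and List-Id, tag the
    Subject, optionally point Reply-To at the list.  Constructed values."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "subject" and not value.startswith(subject_tag):
            value = f"{subject_tag} {value}"
        elif lname == "reply-to" and set_reply_to:
            value = list_addr
        out.append((name, value))
    out.insert(0, ("List-Id", f"<{list_addr.replace('@', '.')}>"))
    out.insert(0, ("Received", "from list.example.invalid by mx.example.invalid; "
                               "Wed, 9 Apr 2014 01:30:00 +0000"))
    return out


def dmarc_disposition(record: str, dkim_aligned_pass: bool, spf_aligned_pass: bool) -> str:
    """DMARC passes if either aligned check passes; otherwise p= applies
    (pct= is the sampling rate; 100 means every failing message)."""
    tags = parse_tag_record(record)
    if dkim_aligned_pass or spf_aligned_pass:
        return "none"
    return tags.get("p", "none")


def spf_default_result(record: str) -> str:
    """Result for a sender matched by nothing but the trailing 'all' term
    (no mechanism matching at all yields neutral, RFC 7208)."""
    last = record.split()[-1].lower()
    if last.lstrip("+-~?") != "all":
        return "neutral"
    qualifier = last[0] if last[0] in "+-~?" else "+"
    return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]


# Constructed sample of a message as it leaves the sender's MTA; one Received
# is already present, so the signer signed that instance.
ORIGINAL: List[Header] = [
    ("Received", "from webmail.sender.example by mta.sender.example; Wed, 9 Apr 2014 01:00:00 +0000"),
    ("X-YMail-OSG", "constructed"),
    ("Message-ID", "<20140409.1@sender.example>"),
    ("Date", "Wed, 9 Apr 2014 01:00:00 +0000"),
    ("From", "Alice <alice@sender.example>"),
    ("Reply-To", "alice@sender.example"),
    ("Subject", "problems with DMARC?"),
    ("To", "sympa-users@example.invalid"),
    ("MIME-Version", "1.0"),
    ("Content-Type", "text/plain; charset=us-ascii"),
]


def main() -> None:
    relayed = relay_through_list(ORIGINAL)
    print("author signature broken on:", broken_fields(ORIGINAL, relayed, YAHOO_H))
    # The list's own re-signature (d= the list's domain) cannot align with the
    # author's From: domain, and SPF is evaluated on the list's envelope sender,
    # so neither aligned check passes at a p=reject receiver.
    print("disposition:", dmarc_disposition(YAHOO_DMARC, False, False))
    print("SPF ?all ->", spf_default_result(YAHOO_SPF))


if __name__ == "__main__":
    main()
```

With the defaults the only signed fields that change are reply-to and subject: the prepended Received is not the instance the verifier selects, because a Received already existed when the signature was made. Drop that original Received from the sample and the new one becomes the bottom-most instance, so the signed value goes from empty to the list's header and the signature breaks on received as well. Either way, a p=reject receiver sees no aligned DKIM or SPF pass and rejects.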
