The mailing list for listmasters using Sympa

[Joe Meslovich <address@concealed>]

This morning in testing I did confirm that Gmail accepts the DKIM signature coming from our Sympa server for emails to moderators.  So it must be something unique to Exchange Online that causes the DKIM verification to fail:

 

Joseph Meslovich Network Administrator & IT Security Officer Information Technology Center Bridgewater College Phone: 540-828-5343 | bridgewater.edu

 

 

From: IKEDA Soji <address@concealed>
Sent: Thursday, November 16, 2023 2:34 AM
To: Joe Meslovich <address@concealed>
Cc: address@concealed
Subject: Re: [en@sympa] Moderation messages failing DKIM verification

 

Tom’s post gave me an idea --- Outlook (M365) rewrites the body of messages delivered via Sympa, so the recipient cannot verify the DKIM signature given by Sympa.  Am I correct?

Outlook also supports ARC, so if you let Sympa add ARC seal to the message, it is hopefully possible that the recipient can confirm that Sympa delivered the messge with the valid signature by verifying ARC seals.

If your Sympa already has DKIM signing enabled, you can also enable ARC sealing by simply setting arc_feature and arc_srvid parameters.  See the manual for details:
https://www.sympa.community/manual/customize/dkim-arc.html

This is not a perfect solution as currently the recipients may not always support ARC, but administrators of Sympa servers are encouraged to enable it as big mail providers including M365, Gmail and Yahoo use it for verifying incoming mails.

Regards,

-- Soji

2023/11/16 1:33:52 Joe Meslovich <address@concealed>:

It may be some time until we have other examples.  We are still testing Sympa and haven't stumbled on anything else yet that is failing.  I will update you if we discover anything else.  The only thing failing so far is the message a moderator gets when someone posts to a moderated list.  It contains an attachment and links to accepting or rejecting the message.  We use Exchange Online and have the feature turned on that re-writes links to check them for phishing and malware.  However I believe the re-write of the links happens after the message is accepted by Exchange Online and the DKIM signature is verified.  So testing messages after the fact if we download the .eml will fail the body hash because the links have been re-written.  

 

Joseph Meslovich

Network Administrator & IT Security Officer
Information Technology Center
Bridgewater College
Phone: 540-828-5343 | bridgewater.edu

---

From: IKEDA Soji <address@concealed>
Sent: Tuesday, November 14, 2023 5:57 PM
To: Joe Meslovich <address@concealed>
Cc: address@concealed <address@concealed>
Subject: Re: [en@sympa] Moderation messages failing DKIM verification

 

[You don't often get email from address@concealed. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

Hi,

> 2023/11/14 0:59、Joe Meslovich <address@concealed>のメール:
>
> I’m not seeing anything obviously wrong with the DKIM signature.  The moderation message listed a slightly different list of header values that it expects to be hashed in the verification than the other DKIM signed messages coming from Sympa.  Is there some specific setting I should be looking at for when DKIM is failing for moderation emails but not other DKIM signed messages?

And what is different in the moderation message from the other messages? Could you please show some examples?

Regards,

— Soji