
en - RE: [en@sympa] Sympa and "DMARC Munging"

Subject: The mailing list for listmasters using Sympa

  • From: "Widerski, Betty" <address@concealed>
  • To: Stephen Jarjoura <address@concealed>, "Mail administrator, Otto Makela" <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: RE: [en@sympa] Sympa and "DMARC Munging"
  • Date: Wed, 22 Nov 2023 17:37:49 +0000

A quick note about Sympa DMARC protection settings and Outlook/Exchange accounts: choosing "DKIM_signature" (or "All" which includes it) in the DMARC Protection modes results in FROM line appearance that alarmed our Security group because the sender Display Name was formatted with quotes around it, which users had been told is a possible sign of phishing, e.g.,

 

address@concealed on behalf of "Widerski, Betty" <address@concealed>

 

When I removed DKIM_signature from DMARC protection modes (and left all the other choices except all or none selected) the headers now look like:

 

address@concealed on behalf of Widerski, Betty  (and hovering over the display name shows my actual email address, not the list's)

 

Gmail and other external ISPs' email posts didn't have the issue to start, and removing DKIM_signature did not change their behavior.

 

Betty

 

Betty Widerski

Cloud & Server Engineering – HBS Information Technology

HARVARD  BUSINESS  SCHOOL     

Shad 108 N | address@concealed | T: 617.495.6642

 

 

 

From: address@concealed <address@concealed> On Behalf Of Stephen Jarjoura
Sent: Wednesday, November 22, 2023 12:16 PM
To: Mail administrator, Otto Makela <address@concealed>
Cc: address@concealed
Subject: Re: [en@sympa] Sympa and "DMARC Munging"

 

You can enable DMARC protection:

-- 

Stephen A. Jarjoura

Collaborative Services

 

 

On Wed, Nov 22, 2023 at 11:40 AM Mail administrator, Otto Makela <address@concealed> wrote:

I've been working with getting regular DKIM-signed messages to pass intact
through Sympa, and if you give up Subject tagging (custom_subject) it can
definitely be achieved for (some) senders.

Unfortunately, this depends in parts on how "wide" the DKIM signature is.
One prominent sender to our mailing lists uses signing that includes
everything imaginable, including List-Id. I've taken this as a hint they
don't want their people on any external mailing lists, and they're re-
thinking their choices with my threat of unsubscribing all their users.

However, another alternative (supported by eg Mailman, described by them
as "DMARC Munging") is to change mailing behavior rather radically,
by editing the outgoing mailing list message headers:

        From: "DISPLAY_NAME via LIST_NAME" <LIST_POSTING_ADDRESS>
        Reply-To: ORIGINAL_FROM_ADDRESS

And then signing the message with your own DKIM signature,
since of course the list posting address is signable by your server.

(I can see how messing with the DISPLAY_NAME will at some point cause
problems with Mac Mail and some other clients, which are greedy about
squirreling away and trying to merge together seen "From" addresses)

Mailman implements this here:
https://gitlab.com/mailman/mailman/-/blob/master/src/mailman/handlers/dmarc.py

Can (and should) similar functionality be added to Sympa?

--
address@concealed (Mail Administrator, Otto J. Makela)
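
An added example, not part of the original thread and not Mailman's or Sympa's code: a minimal Python sketch of the From/Reply-To rewrite quoted above, run on a constructed post. It also shows that a display name containing a comma has to be emitted as a quoted string. The list name, all addresses, and the choice to keep an existing Reply-To are assumptions.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

# Constructed sample post; every name and address is a placeholder.
SAMPLE = (
    'From: "Widerski, Betty" <betty@example.edu>\n'
    "To: testlist@lists.example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def munge_from(msg, list_name, list_address):
    """Apply the From/Reply-To rewrite described in the thread to msg in place."""
    display_name, author = parseaddr(msg.get("From", ""))
    if not author:
        raise ValueError("message has no parseable From address")
    # Keep any Reply-To the author set and add the author if missing
    # (an assumption of this sketch; the thread only shows Reply-To: author).
    replies = getaddresses(msg.get_all("Reply-To", []))
    if author.lower() not in (addr.lower() for _, addr in replies):
        replies.append((display_name, author))
    shown = f"{display_name or author} via {list_name}"
    del msg["From"]
    del msg["Reply-To"]
    # formataddr() quotes the phrase when it contains RFC 5322 specials,
    # such as the comma in "Widerski, Betty".
    msg["From"] = formataddr((shown, list_address))
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in replies)
    return msg


def demo():
    """Run the rewrite on the constructed sample and return both headers."""
    msg = munge_from(message_from_string(SAMPLE), "testlist",
                     "testlist@lists.example.org")
    return msg["From"], msg["Reply-To"]


if __name__ == "__main__":
    print(demo())
```

The rewritten message still has to be DKIM-signed by the list server afterwards, as the post describes; that step is outside this sketch.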



