Extra Feeds & Services »

Home / Blogs

DKIM for Discussion Lists

  • Jun 02, 2009 2:27 PM PST
  • Comments: 5
  • Views: 4,569
Print Comment
By J.D. Falk
J.D. Falk

There's a pernicious meme floating around that DomainKeys Identified Mail (DKIM) doesn't work with discussion lists, particularly those hosted on common open source software packages like MailMan. It's particularly odd to see this claim after I set it up successfully on a stock Debian server in less than half an hour, just a few weeks ago. Here's how it can, should, and does work:

1.  The inbound MTA handles DKIM signature verification, and applies an Authentication-Results header (or a custom X header.) For example, Sendmail's DKIM Milter does this out of the box for Sendmail, Postfix, and other popular MTAs.

2.  If the list /won't/ be modifying the message—in other words, if it acts like a simple forwarder—skip to step 5.

3.  Either the MDA or the list handler strips the DKIM-Signature header, effectively rendering the message unsigned.

4.  The list handler modifies the message in accordance with its configuration, often by adding a footer, placing a tag in the Subject: header, and adding List-* headers.

5.  The MSA or outbound MTA (re-)signs the message. This is appropriate because even if the message is passing through the system unchanged, the list handler is now the Originator, and thus responsible for that message (from a technical perspective, if not in a legal sense). I'd recommend using a different selector (perhaps a different subdomain) for each list, or at least for lists vs. non-list mail from that host, but that's not required.

6.  The outbound MTA transmits the message as per usual.

There's no wacky hacking required—it all works exactly as documented, and exactly as intended.

(Much of the terminology used in this article—MTA, MSA, Originator, et cetera—is defined in draft-crocker-email-arch-15.)

Written by J.D. Falk, Director of Product Strategy at Return Path. Visit the blog maintained by J.D. Falk here.

Related topics: Email, Security, Spam

Get a weekly summary of postings to CircleID:

 Master Feed (more feeds)      Twitter      Mobile
Bookmark / Email This Post
Print Comment

Comments

Oops, one correction: step #3 above doesn't J.D. Falk  –  Jun 02, 2009 2:38 PM PST

Oops, one correction: step #3 above doesn't happen by default, but MailMan and other list software can easily be configured to strip particular headers—or you can use procmail or other mail filtering software between the MTA and the list handler.

# 1 Reply  |  Link  |  Report Problems
Works great John Levine  –  Jun 03, 2009 1:12 AM PST

I did the same thing for majordomo2, and it was similarly easy.

I don't bother to put in an authentication-results header since the list software has plenty of logs in the unlikely event that I need to track how a particular message got through a list.

# 2 Reply  |  Link  |  Report Problems
Authentication-results Jim Fenton  –  Jun 04, 2009 10:38 AM PST

A couple of things relating to the application and use of the Authentication-Results header field in step 1:

- Does the signature applied in Step 5 include the Authentication-Results header field just added?  The signing of Authentication-Results header fields strikes me as implying somewhat different semantics (correctness of the header field) than a DKIM signature has (taking responsibility for the message, but saying nothing about its correctness) which makes me a bit conflicted on this idea.

- Prior to applying Authentication-Results, the list software should look for and remove any existing Authentication-Results header fields that purport to be from the list.  Otherwise it's possible for an attacker to spoof the A-R header field.

Are there any other recommendations on header fields that the list should sign, such as List-Id?

# 3 Reply  |  Link  |  Report Problems
To my mind, signing the Authentication-Results header J.D. Falk  –  Jun 05, 2009 10:14 AM PST

To my mind, signing the Authentication-Results header still has the same concept of taking responsibility for that header.  Downstream entities will have to make up their own minds whether that responsibility is sufficient to denote correctness.  Even so, I'm also conflicted about whether it's a good idea.

Shouldn't hurt for the list software to remove it, though—or to remove any other Authentication-Results headers that might be lying around—because recipients will only be using the new signature to decide whether the message is trustworthy.

# 4 Reply  |  Link  |  Report Problems
additional discussion J.D. Falk  –  Jun 13, 2009 4:52 AM PST

There's been some additional discussion about this on the ietf-dkim list, with a few people vehemently against the recipe above.  Hector Santos summed up the differences nicely in this message.  My reply is here.

If all you care about is making sure that your discussion list is signing effectively with DKIM, though, just read the original article above.  This particular debate is lost deep in the weeds.

# 5 Reply  |  Link  |  Report Problems

To post comments, please login or create an account.

Related Blogs

Smart Phishing for Smartphones

  • Feb 05, 2010
  • Comments: 0

Driver's License for Web Users… Bad Idea

  • Feb 03, 2010
  • Comments: 1

Domain Name Security Gains Prominence in German-Speaking World

  • Feb 02, 2010
  • Comments: 0

DNSSEC: Will Microsoft Have Enough Time?

  • Jan 29, 2010
  • Comments: 0

Australia Booting Infected Computers Off Their Networks

  • Jan 29, 2010
  • Comments: 0
View More

Related News

The US House Passes Cybersecurity Bill

  • Feb 04, 2010
  • Comments: 0

Google, NSA Join Forces in the Effort to Build Better Cyberattack Defense System

  • Feb 04, 2010
  • Comments: 0

AFNIC Invites Network Managers to Prepare for the Signing of the DNS Root in May 2010

  • Jan 28, 2010
  • Comments: 0

ICANN Begins Public DNSSEC Test Plan for the Root Zone

  • Jan 27, 2010
  • Comments: 1

One More Reason to Avoid Diet Drug Fakes: They're Dangerous

  • Jan 26, 2010
  • Comments: 0
View More

Other Topics

Access Providers Broadband Censorship Cloud Computing Cyberattack Cybercrime Cybersquatting Data Center DNS DNSSEC Domain Names Domain Registries Email Enum ICANN Internet Governance Internet Protocol IP Addressing IPTV IPv6 Law Malware Mobile Multilinguism Net Neutrality P2P Policy & Regulation Privacy Regional Registries Security Spam Telecom Top-Level Domains VoIP Web White Space Whois Wireless
View More



Industry Updates – Sponsored Posts

ICANN and Cybersecurity: Hot Topics at The First Ever .ORG Forum

  • By PIR
  • Views: 480

Neustar Implements DNS Security Extensions in the .US Registry

Paid Search Ads Can Lead to Fake Goods

Neustar Launches Initiative to Enhance DNS With Faster, More Secure Updates

Registry Stakeholder Group Comments on Latest ICANN Policies

  • By PIR
  • Views: 1,396

Open Phishing Season

Nominum Announces "DNSSEC Made Easy" Solutions

.ORG Highlighted for Success in Fighting Phishing

  • By PIR
  • Views: 1,776

Afilias' Matt Pounsett Elected Director-at-Large for DNS-OARC

SEO Poisoning: A Persistent Malware Threat Targeting High-Profile Brands

Nominum CEO: Commercial vs. Open Source - Let Customers Choose

Pharmaceutical Brandjacking for Popular Drug Brands on the Rise

Nominum Broadens Intelligent DNS Impact With SKYE Cloud Services

Afilias Managed DNS Services Adds SiteCertain to Keep Watch on Your Web Site

DNSstuff.com Launches Industry's First Mail Server Test Center

Growing Global Adoption of Nominum's Intelligent DNS Spells Obsolescence for Legacy DNS Systems

Nominum's Intelligent DNS Gives Service Providers Commanding Advantage Against Internet Threats

ISC, Afilias and Neustar Bring DNSSEC One Step Closer

Afilias Secures Millions of Internet Domains from BIND 9 Vulnerability with DNS Diversity Strategy

Nominum Delivers Service Provider Compliance Solution For Blocking Child Exploitation Sites Online

View More