
You're probably right. Mailing lists (of the discussion group variety, not marketing mail) often have problems with spam filter false positives, most commonly due to DMARC policies.

There's not really a great solution to that at the moment - either you technically violate RFCs by having your discussion group software modify some headers, or you deal with other kinds of breakage.

Doing header rewrites is effective for reducing FPs due to DMARC, but adoption is far from universal - off the top of my head I'm not even sure if Mailman supports that at the moment.




You only have to rewrite headers if your mailing list is actually modifying the mails i.e. doing a MITM attack on the mail flow. Some mailing list admins feel very strongly about footers, subject line tags etc and then claim they "must" rewrite the From header, but I am not sure it's technically required.


Discussion groups retransmit messages, which is enough to fail authentication in a lot of cases.

Here's an example: you have an address @google.com, which has a DMARC policy of 'quarantine'. You send a message from this address to a discussion group, which in the process, resends your message from a non-google server, thus failing DMARC.

Google's DMARC policy says that if an ISP receives a message from a @google.com From address and the message fails DMARC, that ISP should place the message in the spam folder.

So it boils down to: does a list operator change the From address in distribution group mail to use a list address they own in order to pass DMARC, or do you deal with the filtering consequences of failing DMARC for many domains?


The whole point of DKIM is that messages can be relayed without breaking authentication, because it uses digital signatures instead of sending IP. So I think it wouldn't break.


... IF the body is not modified, and the header signature matches, AND headers retain DMARC alignment... the reality is that retransmittal (as opposed to just relaying) almost always does one or more of these.

Here's an example from a Google email engineer's recent post to the Mailop list, which is running Mailman software.

Authentication-Results: mx.google.com; spf=neutral (google.com: 2001:41c8:51:83:feff:ff:fe00:a0b is neither permitted nor denied by best guess record for domain of mailop-bounces@mailop.org) smtp.mail=mailop-bounces@mailop.org; dkim=neutral (body hash did not verify) header.i=@google.com; dmarc=fail (p=REJECT dis=NONE) header.from=google.com


That message says the body was modified. The solution is simple: don't do that. Your original message said DKIM breaks if you simply relay mail, but it isn't correct.
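Added example, not part of any comment in this thread: a small Python reader for the Authentication-Results header quoted above, reporting for each mechanism whether it passed and whether its domain aligns with the From domain. The function names and the `RELAYED_INTACT` header are constructed for illustration, and alignment is approximated as same domain or parent/child rather than a Public Suffix List lookup.

```python
import re

# Header value quoted in the thread above (the "Authentication-Results:" name removed).
SAMPLE = (
    "mx.google.com; spf=neutral (google.com: 2001:41c8:51:83:feff:ff:fe00:a0b "
    "is neither permitted nor denied by best guess record for domain of "
    "mailop-bounces@mailop.org) smtp.mail=mailop-bounces@mailop.org; "
    "dkim=neutral (body hash did not verify) header.i=@google.com; "
    "dmarc=fail (p=REJECT dis=NONE) header.from=google.com")
# Constructed counter-case: the same relay, but the signed body is left untouched.
RELAYED_INTACT = (
    "mx.example.net; spf=neutral smtp.mail=mailop-bounces@mailop.org; "
    "dkim=pass header.i=@google.com; dmarc=pass header.from=google.com")

def parse_authres(value):
    """One dict per method result; splits on ';' outside non-nested comments."""
    results = []
    for clause in re.split(r";(?![^()]*\))", value)[1:]:  # element 0: authserv-id
        comment = "; ".join(re.findall(r"\(([^()]*)\)", clause))
        tokens = re.sub(r"\([^()]*\)", " ", clause).split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method.lower(), "result": result.lower(),
                        "comment": comment, **props})
    return results

def domain_of(identity):
    return identity.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned(a, b):
    # Assumption: relaxed alignment approximated as same domain or parent/child.
    # A real evaluator compares organizational domains (Public Suffix List).
    return bool(a) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def explain_dmarc(value):
    """Return (from_domain, dmarc_would_pass, per-method findings)."""
    res = parse_authres(value)
    from_dom = next((domain_of(r["header.from"]) for r in res
                     if r["method"] == "dmarc" and "header.from" in r), "")
    keys = {"spf": ("smtp.mailfrom", "smtp.mail"), "dkim": ("header.d", "header.i")}
    findings = []
    for r in (r for r in res if r["method"] in keys):
        dom = domain_of(next((r[k] for k in keys[r["method"]] if k in r), ""))
        findings.append((r["method"], dom, r["result"], aligned(dom, from_dom), r["comment"]))
    # DMARC needs one mechanism that both passes and aligns with the From domain.
    return from_dom, any(f[2] == "pass" and f[3] for f in findings), findings
```

Calling `explain_dmarc(SAMPLE)` shows SPF evaluated against the list's bounce domain (not aligned with google.com) and DKIM aligned but not passing because of the body hash; with `RELAYED_INTACT` the aligned DKIM pass alone is enough.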



