[vox] So how do we make Gmail happy & get people back on these lists? :(

dugan at passwall.com dugan at passwall.com
Sat Mar 9 23:48:14 PST 2024


Heya Bill!

It looks like you may have a few issues.

When setting up a mailing list, there is often a desire to "markup" 
messages being sent back out, like altering the Subject line to add 
"[vox]" which can work, but when the message is sent as the original 
sender, and their DKIM sig is still in place in the message, if their 
computed DKIM sig includes the subject line, then the list relaying the 
altered message "as" the user shows up like these sample partial headers 
from recent list email messages:


Authentication-Results: lists.lugod.org; dkim=fail
     reason="verification failed; unprotected key"
     header.d=gmail.com header.i=@gmail.com header.b=BCrHHoXA;
...

Or:
Authentication-Results: lists.lugod.org; dkim=fail
     reason="verification failed; unprotected key"
     header.d=sunsetsystems.com header.i=@sunsetsystems.com
...

One solution can be to have the list send all email messages as a static 
list sender (vox at lugod.org) and then re-compute a new DKIM sign with 
that sender, and add a "reply-to" header to the original sender's email 
address.
Email messages "From" the account "vox at lugod.org" could then be signed 
with lugod.org DKIM key even with altered subject line and get through 
remote DKIM checks, but if spam is relayed, then your lugod.org domain 
could be put on blacklists.

Another option which other lists consider using is "ARC" signing which 
can allow you to preserve the "from" address matching the original 
sender, but requires you to compute the ARC signing process and retain the 
received chain in process:
https://mxtoolbox.com/dmarc/details/arc/dmarc-authenticated-received-chain

Also, your lugod.org DMARC record is a bit weak:
https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alugod.org&run=toolpage

If gmail is seeing a bunch of invalid DKIM/SPF or weak DMARC they might 
be reacting to those.
https://support.google.com/a/answer/81126?hl=en#requirements-5k&zippy=%2Crequirements-for-sending-or-more-messages-per-day
(Though maybe your list does not send 5000 messages per day to gmail 
users ? Maybe it depends on how busy the list might be. Look at the 
requirements.)

A smallish thing that most mail servers do not care too much about:
Headers of the receiving mail server show (abbreviated):
Received: from lists.lugod.org ([138.197.203.91])

$ dig +short -x 138.197.203.91
lugod.org.

$ dig +short lists.lugod.org
138.197.203.91

Many (most?) mail servers will find them "close enough" when the IP 
claimed name and connecting IP match A/AAAA record in a single DNS 
lookup, while some might require the PTR FQDN to match the same exact 
name instead of being a substring.

The forward A record does not explicitly match the reverse PTR for IPv4 
re: in-addr.arpa.
Some mail server admins want to have the resolution of the given 
HELO/EHLO into IP address of A or AAAA provide addresses that when 
checked for PTR result in the same string used for HELO/EHLO .

Are you using "opendkim" to generate sigs for messages that are "from" 
*@lugod.org ?
Check for updates:
https://nvd.nist.gov/vuln/detail/CVE-2022-48521

Basically, OpenDKIM hasn't seen an update to their repo since 2015,
https://sourceforge.net/projects/opendkim/files/

Many *NIX vendors have taken to applying patches for changes to the last 
known published version, then bump the package version and leave the 
service version stuck in the past. Check your Linux vendor's patch 
history to see if they have maintained patches. I think Hardened BSD 
ports for opendkim is up to 18 additional alterations to pkg since 2015. 
(Oh. Is it a bad word to bring up a BSD on a Linux mailing list? Sorry 
about that, :-)

A suggestion for you all to test specific to gmail.com?
Someone create or use a gmail.com account for email and have it 
subscribe to "vox"
Get someone else to send mail to the "vox" list as a test message from a 
totally different domain: not gmail.com and not lugod.org.
Use a desktop/laptop web browser, and go back to your gmail.com account 
that was subscribed, look for the message your accomplice sent, and 
select it.
In the message view for that test message, look near the "top right" 
of the message where you may see:

$DATE_VALUE_STRING [a star icon to favorite this message] [an emoji 
icon] [a reply-to icon]

In that line, to the far right notice the "options" with 3 squared dots 
arranged in a vertical line. Select that option.
A new view of the message should appear with useful header lines:
SPF: (and status if any)
DKIM: (and status if any)

You can use that to help you see what gmail is finding when users send 
email from their own domains to the vox list.
Let gmail.com tell you how email messages relayed to the list are 
busted.

HTH. I'm going back to hiding in the shadows.

Hopefully you find something above this point useful.

Good luck!


On 2024-03-09 12:07, Bill Kendrick wrote:
> I just received about 3 dozen "unsubscribe" notifications
> from Mailman...
> 
>   <blah>@gmail.com has been removed from vox-tech.
> 
> What needs to be done to make Gmail happy and stop unsubscribing
> people like this?  It's been going on for... years?... just little
> bursts of people being dropped from the list now and then.
> 
> Being 2 states north, I don't have a lot of skin in the game here
> at LUGOD, but I do feel it's a shame for people to be forcefully
> disconnected from their social club; it doesn't help them, and it
> doesn't help the dwindling number of remaining members. >:^/
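
Added example (not part of the original message or of the list's configuration): a check of which list edits change the header bytes an author's DKIM signature covers, using the h= tag and RFC 6376 relaxed header canonicalization. The message, the example.org / lists.example.net names and the placeholder bh=/b= values are constructed, and the digest is a simplification that covers the signed header fields only.

```python
import hashlib
import re
from email import message_from_string

# Constructed sample; bh=/b= are placeholders, not real signature data.
RAW = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    " s=sel1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Alice <alice@example.org>\n"
    "To: vox@lists.example.net\n"
    "Subject: Meeting notes\n"
    "Date: Sat, 9 Mar 2024 12:00:00 -0800\n"
    "\n"
    "Hello list.\n"
)

def signed_header_names(msg):
    """Lowercase header names listed in the h= tag of the DKIM-Signature."""
    sig = re.sub(r"\s+", "", msg["DKIM-Signature"] or "")
    tags = dict(t.split("=", 1) for t in sig.split(";") if "=" in t)
    return [n for n in tags.get("h", "").lower().split(":") if n]

def relaxed(name, value):
    """RFC 6376 relaxed header canonicalization: unfold, collapse whitespace."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def signed_digest(msg):
    """SHA-256 over the signed header fields only (no body hash, no key check)."""
    names = signed_header_names(msg)
    data = "".join(relaxed(n, msg[n]) for n in names if msg[n] is not None)
    return hashlib.sha256(data.encode()).hexdigest()

def edit_breaks_signature(raw, edit):
    """True if the list's edit changes the bytes the author's signature covers."""
    before, after = message_from_string(raw), message_from_string(raw)
    edit(after)
    return signed_digest(before) != signed_digest(after)

def tag_subject(msg):            # the "[vox]" subject markup
    msg.replace_header("Subject", "[vox] " + msg["Subject"])

def add_list_id(msg):            # a header the author did not sign
    msg["List-Id"] = "<vox.lists.example.net>"

def rewrite_from(msg):           # static list sender plus Reply-To
    author = msg["From"]
    msg.replace_header("From", "vox@lists.example.net")
    msg["Reply-To"] = author
```

Call edit_breaks_signature(RAW, tag_subject) and the other two edits to compare them. Rewriting From also changes the signed bytes, which is why that approach depends on the list adding its own signature for its own domain.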

