[vox] So how do we make Gmail happy & get people back on these lists? :(

dugan at passwall.com dugan at passwall.com
Sun Mar 10 11:48:41 PDT 2024


More confirmation of what I typed...
I set up my DMARC record in DNS to report to me 100% of results for pass, 
fail, with disposition.
A small number of mail service providers send these email messages.
gmail.com is one of them.

An extract of the email from gmail.com on dkim/spf results shows the 
lugod.org IPv4 IP address with this:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
   <report_metadata>
     <org_name>google.com</org_name>
     <email>noreply-dmarc-support at google.com</email>
     <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
     <report_id>2342636709767431851</report_id>
     <date_range>
       <begin>1709942400</begin>
       <end>1710028799</end>
     </date_range>
   </report_metadata>
   <policy_published>
     <domain>passwall.com</domain>
     <adkim>r</adkim>
     <aspf>r</aspf>
     <p>quarantine</p>
     <sp>quarantine</sp>
     <pct>100</pct>
     <np>quarantine</np>
   </policy_published>
...
   <record>
     <row>
       <source_ip>138.197.203.91</source_ip>
       <count>4</count>
       <policy_evaluated>
         <disposition>quarantine</disposition>
         <dkim>fail</dkim>
         <spf>fail</spf>
       </policy_evaluated>
     </row>
     <identifiers>
       <header_from>passwall.com</header_from>
     </identifiers>
     <auth_results>
       <dkim>
         <domain>passwall.com</domain>
         <result>fail</result>
         <selector>2048-mail2024</selector>
       </dkim>
       <spf>
         <domain>lists.lugod.org</domain>
         <result>none</result>
       </spf>
     </auth_results>
   </record>
...
</feedback>

The sending domain I use has an SPF record that is set to "PASS" for only my 
IP addresses, but treats all others as "Neutral".
Some ISP/mail services choose to treat "Neutral" as "Fail", but when DKIM 
passes, the neutral result in SPF still allows email to pass.

The DKIM issue is the larger one. The email message I sent was plain-text 
ASCII which included the headers:
"Content-Type: text/plain; charset=US-ASCII; format=flowed"
"Content-Transfer-Encoding: 7bit"

I "BCC"-ed to another email server the message where I replied, and that 
message arrived with what I composed and sent:
"Content-Type: text/plain; charset=US-ASCII; format=flowed"
"Content-Transfer-Encoding: 7bit"

The email message I received back from the list base64 encoded the body 
of my ASCII content and switched to UTF-8:
Content-Transfer-Encoding: base64
Content-Type: text/plain; charset="utf-8"; Format="flowed"

I'd bet that encoding a plain-text body to a Base64 body and sending that 
instead of the plain-text will be treated as failing the DKIM check for 
the body.

The "Subject:" line change would likely result in a FAIL for the DKIM check 
for headers for the "first" message in a thread being sent to the 
vox mailing list, because many/most DKIM signing setups include the 
To/From/Subject lines in the signature, and if the sender computes a sent 
message with "Subject: test" and the mailing list alters the message to 
"Subject: [vox] test" that would break the original sender's DKIM sig.

However, those that reply to the subject-altered message would 
probably not suffer the same risk of subject-line alteration breaking 
DKIM sigs.

So, yeah, gmail.com confirmed in their DMARC report that they found the 
message(s) I sent to the VOX list as failing DKIM checks.

Good luck!


On 2024-03-09 23:48, dugan at passwall.com wrote:
> Heya Bill!
> 
> It looks like you may have a few issues.
> 
> When setting up a mailing list, there is often a desire to "markup" 
> messages being sent back out, like altering the Subject line to add 
> "[vox]" which can work, but when the message is sent as the original 
> sender, and their DKIM sig is still in place in the message, if their 
> computed DKIM sig includes the subject line, then the list relaying the 
> altered message "as" the user shows up like these sample partial 
> headers from recent list email messages:
> 
> 
> Authentication-Results: lists.lugod.org; dkim=fail
>     reason="verification failed; unprotected key"
>     header.d=gmail.com header.i=@gmail.com header.b=BCrHHoXA;
> ...
> 
> Or:
> Authentication-Results: lists.lugod.org; dkim=fail
>     reason="verification failed; unprotected key"
>     header.d=sunsetsystems.com header.i=@sunsetsystems.com
> ...
> 
> One solution can be to have the list send all email messages as a static 
> list sender (vox at lugod.org) and then re-compute a new DKIM signature with 
> that sender, and add a "reply-to" header to the original sender's email 
> address.
> Email messages "From" the account "vox at lugod.org" could then be signed 
> with lugod.org DKIM key even with altered subject line and get through 
> remote DKIM checks, but if spam is relayed, then your lugod.org domain 
> could be put on blacklists.
> 
> Another option which other lists consider using is "ARC" signing which 
> can allow you to preserve the "from" address matching the original 
> sender, but requires you to compute the ARC signing process and retain the 
> received chain in process:
> https://mxtoolbox.com/dmarc/details/arc/dmarc-authenticated-received-chain
> 
> Also, your lugod.org DMARC record is a bit weak:
> https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3alugod.org&run=toolpage
> 
> If gmail is seeing a bunch of invalid DKIM/SPF or weak DMARC they might 
> be reacting to those.
> https://support.google.com/a/answer/81126?hl=en#requirements-5k&zippy=%2Crequirements-for-sending-or-more-messages-per-day
> (Though maybe your list does not send 5000 messages per day to gmail 
> users ? Maybe it depends on how busy the list might be. Look at the 
> requirements.)
> 
> A smallish thing that most mail servers do not care too much about:
> Headers of the receiving mail server show (abbreviated)
> Received: from lists.lugod.org ([138.197.203.91])
> 
> $ dig +short -x 138.197.203.91
> lugod.org.
> 
> $ dig +short lists.lugod.org
> 138.197.203.91
> 
> Many (most?) mail servers will find them "close enough" when the IP 
> claimed name and connecting IP match A/AAAA record in a single DNS 
> lookup, while some might require the PTR FQDN to match the same exact 
> name instead of being a substring.
> 
> The forward A record does not explicitly match the reverse PTR for IPv4 
> in-addr.arpa.
> Some mail server admins want to have the resolution of the given 
> HELO/EHLO into IP address of A or AAAA provide addresses that when 
> checked for PTR result in the same string used for HELO/EHLO.
> 
> Are you using "opendkim" to generate sigs for messages that are "from" 
> *@lugod.org?
> Check for updates:
> https://nvd.nist.gov/vuln/detail/CVE-2022-48521
> 
> Basically, OpenDKIM hasn't seen an update to their repo since 2015,
> https://sourceforge.net/projects/opendkim/files/
> 
> Many *NIX vendors have taken to applying patches for changes to the 
> last known published version, then bump the package version and leave 
> the service version stuck in the past. Check your Linux vendor's patch 
> history to see if they have maintained patches. I think Hardened BSD 
> ports for opendkim is up to 18 additional alterations to pkg since 
> 2015. (Oh. Is it a bad word to bring up a BSD on a Linux mailing list? 
> Sorry about that. :-)
> 
> A suggestion for you all to test specific to gmail.com?
> Someone create or use a gmail.com account for email and have it 
> subscribe to "vox".
> Get someone else to send mail to the "vox" list as a test message from 
> a totally different domain: not gmail.com and not lugod.org.
> Use a desktop/laptop web browser, and go back to your gmail.com account 
> that was subscribed, look for the message your accomplice sent, and 
> select it.
> In the message view for that test message, look near the "top right" 
> of the message where you may see:
> 
> $DATE_VALUE_STRING [a star icon to favorite this message] [an emoji 
> icon] [a reply-to icon]
> 
> In that line, to the far right notice the "options" with 3 squared dots 
> arranged in a vertical line. Select that option.

Choose "Show Original" in this options drop-down list.

> A new view of the message should appear with useful header lines:
> SPF: (and status if any)
> DKIM: (and status if any)
> 
> You can use that to help you see what gmail is finding when users send 
> email from their own domains to the vox list.
> Let gmail.com tell you how email messages relayed to the list are 
> busted.
> 
> HTH. I'm going back to hiding in the shadows.
> 
> Hopefully you find something above this point useful.
> 
> Good luck!
> 
> 
> On 2024-03-09 12:07, Bill Kendrick wrote:
>> I just received about 3 dozen "unsubscribe" notifications
>> from Mailman...
>> 
>>   <blah>@gmail.com has been removed from vox-tech.
>> 
>> What needs to be done to make Gmail happy and stop unsubscribing
>> people like this?  It's been going on for... years?... just little
>> bursts of people being dropped from the list now and then.
>> 
>> Being 2 states north, I don't have a lot of skin in the game here
>> at LUGOD, but I do feel it's a shame for people to be forcefully
>> disconnected from their social club; it doesn't help them, and it
>> doesn't help the dwindling number of remaining members. >:^/
> _______________________________________________
> vox mailing list
> vox at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox

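The aggregate report quoted at the top of the thread is meant to be parsed, not read. The following is an added example (not the list's software, and not the poster's code) that pulls out of a DMARC aggregate report which source IPs sent mail as the domain, whether either authentication result was aligned with the From domain, and what the receiver did with it. The XML is a constructed, cut-down copy of the Google report above; the relaxed-alignment check approximates "same organizational domain" with a subdomain test.

```python
import xml.etree.ElementTree as ET

# Constructed sample: cut-down copy of the google.com aggregate report quoted above
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata><org_name>google.com</org_name>
    <report_id>2342636709767431851</report_id></report_metadata>
  <policy_published><domain>passwall.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>138.197.203.91</source_ip><count>4</count>
      <policy_evaluated><disposition>quarantine</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>passwall.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>passwall.com</domain><result>fail</result>
        <selector>2048-mail2024</selector></dkim>
      <spf><domain>lists.lugod.org</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>"""


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' allows the same
    organizational domain (approximated here as header_from or a subdomain of it)."""
    a, h = auth_domain.lower(), header_from.lower()
    return a == h or (mode == "r" and a.endswith("." + h))


def summarize(report_xml: str) -> list:
    """One dict per <record>: who sent as us, how much, and whether it aligned."""
    root = ET.fromstring(report_xml.encode("utf-8"))
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    rows = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hf, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), hf, aspf)
                     for s in rec.findall("auth_results/spf"))
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dmarc_pass": dkim_ok or spf_ok,
            # An SPF domain that is not ours is the fingerprint of a relay or list
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows
```

A record whose SPF domain is someone else's and whose DKIM result is fail is the indirect-mail-flow pattern the poster describes: the list relayed the message and broke the signature on the way.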

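To check the poster's bet about the base64 re-encoding and the "[vox]" subject tag, here is an added example (not from the original post or the list software) that computes the DKIM body hash (bh=) with RFC 6376 relaxed body canonicalization and the relaxed canonical form of a signed header, then compares the inputs before and after the two list transformations. The sample body is constructed; the signing key itself is not needed, because both changes already alter the hashed input.

```python
import base64
import hashlib
import re

# Constructed sample: a short 7bit, format=flowed body like the one in the post
ORIGINAL_BODY = b"Heya Bill!\r\n\r\nIt looks like you may have a few issues.\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (CRLF or LF input accepted)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":          # ignore trailing empty lines
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 'relaxed' canonical form of one signed header field."""
    value = re.sub(r"\r\n[ \t]+", " ", value)          # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()      # collapse and trim WSP
    return f"{name.lower()}:{value}\r\n"


def list_reencodes(body: bytes) -> bytes:
    """Model the list's change: same text, delivered as base64 MIME lines."""
    return base64.encodebytes(body)


def survives_relist(body: bytes, subject: str, tag: str = "[vox] ") -> dict:
    """Which signed inputs still match after the list re-encodes and re-tags."""
    return {
        "body_hash_same": body_hash(body) == body_hash(list_reencodes(body)),
        "subject_same": relaxed_header("Subject", subject)
        == relaxed_header("Subject", tag + subject),
        # Trailing whitespace alone is forgiven by relaxed canonicalization
        "trailing_ws_same": body_hash(body) == body_hash(body.replace(b"\r\n", b" \r\n")),
    }
```

The Content-Type change from US-ASCII to utf-8 is a third, independent break whenever Content-Type is in the signature's h= list, which most signers include.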
More information about the vox mailing list