[colug-432] google spam filters eating our threads

Thu Feb 9 21:29:07 EST 2017

On Thu, Feb 09, 2017 at 11:33:35AM -0500, Angelo McComis wrote:
> On Thu, Feb 9, 2017 at 11:11 AM, Rob Funk <rfunk at funknet.net> wrote:
> 
> > But when I send a message
> > directly to Gmail, the DKIM signature is valid. If there's something I can
> > do on my end to make the list not break DKIM I'm all ears.
> >
> 
> Rob,
> 
> DKIM is explicitly designed to ensure the authenticity of a mail sender to
> the mail recipient.  Sending a message through a mailing list manager
> which, among other things, adds a footer, adds extra headers, and so on,
> does tend to invlalidate the DKIM signatures, and that's not entirely seen
> as an incorrect outcome. It "should" invalidate it because technically, the
> message has (although innocently) been altered.  I have not read the entire
> RFC on this, but this link:
> 
> https://tools.ietf.org/html/rfc6377
> 
> ...it contains best practices for DKIM and Mailing Lists.
> 
> Angelo

Let's face it:  DKIM badly breaks two email mechanisms in common
use today:  Lists, and email forwarders (like ieee.net, arrl.net, etc.)
However, the big email magnets (gmail, yahoo, outlook/hotmail, and
a host of near misses, like aol) use it, and so we're stuck with it.
As a small email entity, I have to use it or my mail just won't get
accepted by the big guys.

And, believe it or not, it really works:  Once I implemented DMARC, I
started getting daily reports, and I was astounded at how much spam
was being propagated under the cboh.org domain.  It gave me a clearer
picture of why the big guys were reluctant to accept mail from me.
And given a month or so, that spam simple dwindled to nothing, as
DMARC made it email-non-grata.

In an earlier email, it was suggested I change the "-all" to "~all",
a softer option.  That might cure the problem here.  However, it also
might make things worse, if not for you, then for me.  Let me explain:
If I instruct the recipient email system to begrudgingly accept emails
not from my servers (because I post on lists such as this one), I am
telling them to accept *all* emails not from my servers, and that
includes all the real spam out there masquerading under my domain name.
This in itself tends to taint my domain.  (Actually, it seems to
vary based on who is using my domain name and how often they are spamming
with it.)  Thus, instead of my mail winding up in your spam folder, gmail
might elect not to accept it at all, and then it becomes *my* problem.
Strict DMARC may affect you, but it surely makes my life easier.

The DMARC people's solution is to have the mail exploder extract the
DMARC info (SPF and DKIM), alter the From header so it contains an
address in the local domain that maps to the sender, and then use it's
own credentials when it resends the emails.  Now, the list runners have
cried foul, and I can't disagree that they've gotten the shaft in this
deal, but that's pretty much the paradigm the world is moving to nowadays.
Yahoogroups uses this approach, and I understand that the latest list
servers have software designed to facilitate it.  (I must confess, I
gave up running email lists years ago for this and other reasons, so
I'm not up on the finer points of what is going on in this area.)
However, this is not a new problem:  It's been around for years and there
are (at least purported to be) fixes to list servers to deal with it.

In any event, I'm opting to keep my strict DMARC credentials and I guess
that leaves you stuck with having to fish my email out of your spam folder
if you want to read it.  (You do only have to do it once on gmail and
then it remembers, right?)

Sheesh, and once-upon-a-time email administration even used to be fun.

Rob