[plug] Mail domain auth (was: Re: Plug in the Pub?)

Thu Oct 23 23:55:23 AWST 2025

On Thu, 23 Oct 2025 at 11:50, mccabedj via plug <plug at plug.org.au> wrote:
>
> I don't see an issue with publishing the mail headers (attached) here. The most private things in the message were already published to this list.

I did make some changes to the mailman config during the upgrade, but
they would not have been activated for a message from gmail.com.

The mention of authentication refers to a system called DMARC, which
is intended to provide assurance that emails originate from where they
say they do. A message is considered "DMARC aligned" if one of the
following is true:

1. It was sent by a server approved by the sending domain, or
2. It has a valid DKIM signature (i.e. a cryptographic signature on a
hash of the message body and a selection of headers).

In general, mail forwarded by a traditional mailing list will fail
both of these: it fails (1) because it is being relayed by the PLUG
server, and it fails (2) because it has added "[plug]" to the subject
line and added a footer to the body which breaks the signature.

If a sending domain is using DMARC, it can pick one of three policies:

1. reject: receiving servers should reject messages that fail alignment
2. quarantine: receiving servers should treat alignment failure as possible spam
3. none: don't do anything special for messages failing alignment.

The first two policies are a problem, so that's where the new
mitigations kick in. For these messages, the "From:" header will be
set to the list address and the "Reply-To:" header will be set to the
original from address. Now the DMARC policy of the original sender is
irrelevant since the sender is plug.org.au.

It also means we can re-sign the message on its way out so it becomes
a DMARC aligned plug.org.au message.

Email from you and Harry trigger these mitigations because the sending
domains have quarantine or reject policies set:

$ host -t TXT _dmarc.proton.me
_dmarc.proton.me descriptive text "v=DMARC1; p=quarantine; fo=1;
aspf=s; adkim=s;"
$ host -t TXT _dmarc.decisions-and-designs.com.au
_dmarc.decisions-and-designs.com.au descriptive text "v=DMARC1;
p=reject; sp=none; rf=afrf; pct=100; ri=86400"

While gmail messages get the traditional behaviour because they have a
"none" policy:

$ host -t TXT _dmarc.gmail.com
_dmarc.gmail.com descriptive text "v=DMARC1; p=none; sp=quarantine;
rua=mailto:mailauth-reports at google.com"

I guess Proton is treating it as p=quarantine even though Google has
not asked it to.

We could configure Mailman to do the "From:" header munging for all
email, which would solve this.

I didn't make that change because I wanted a minimally invasive fix
for quarantine/reject policies. But perhaps the email landscape has
changed enough that it would be the right decision now.

James.