Mozilla list server should rewrite (or remove) DKIM headers, if it modifies the body (or headers) of the message



Infrastructure & Operations
Infrastructure: Mail
7 years ago
5 years ago


(Reporter: Ehsan, Assigned: limed)





7 years ago
Otherwise, messages with valid DKIM headers which are forwarded through our list server could be misclassified as spam because of having invalid DKIM headers.

This happens when posting to the lists from gmail for example.
Over to Dave for comments.
Assignee: server-ops → justdave

Comment 2

7 years ago
Note that DKIM signatures are calculated based on some headers and the body.
So, changing headers might be the culprit, too.

I performed a couple of tests, minimizing a failing message.

Even after removing the "plaintext signature" (the trailing 4 lines with the listname and link to mailman), the DKIM signature verification still failed.

As a next test, I asked Ehsan to send me a minimal test message from gmail.
What I received was a multipart (html, plain) message.

However, the messages from Ehsan distributed by the mailinglist are plain, only.

I suspect that mailman stripped away the html part, and resent only the plain part, and obviously modified both the body and the content-type/-encoding headers.


Related: jcranmer on IRC said:

"there is apparently a config in mailman that can tell it to strip DKIM headers"

Also, he gave me a link to this bug:


7 years ago
Summary: Mozilla list server should rewrite DKIM headers because it modifies the body of the message → Mozilla list server should rewrite (or remove) DKIM headers, if it modifies the body (or headers) of the message

Comment 4

7 years ago
I think we should go for the hotfix to strip the header.

A complete solution would require us to "verify signature", remember the status, and check if rewriting the message is necessary. If no rewrite is necessary, keep the DKIM. Else: strip DKIM, and if there was a valid signature, produce a new DKIM signature.

Until we have that, we should strip.
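The keep-or-strip decision from comment 4, reduced to the body-hash check, as an added example that is not part of the bug thread and not Mailman code. It assumes `c=.../relaxed`, `a=rsa-sha256`, no `l=` tag and a single-part text message; `relay`, the footer and the sample message are hypothetical, and the signature over the headers (which comment 2 notes can also break) is not verified here.

```python
import base64
import hashlib
import re
from email import message_from_string


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization from RFC 6376, section 3.4.4."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of spaces/tabs, drop whitespace at the end of each line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer would put in bh= (assumes a=rsa-sha256, no l= tag)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def signed_bh(msg):
    """Return the bh= tag of the DKIM-Signature header, or None if unsigned."""
    match = re.search(r"(?:^|;)\s*bh=([^;]+)", msg.get("DKIM-Signature", ""))
    return re.sub(r"\s+", "", match.group(1)) if match else None


def relay(raw: str, footer: str = "") -> str:
    """Hypothetical list step: optionally append a footer, then keep the
    DKIM-Signature only if the body still hashes to the signed bh= value."""
    msg = message_from_string(raw)
    msg.set_payload(msg.get_payload() + footer)
    bh = signed_bh(msg)
    if bh is not None and bh != body_hash(msg.get_payload().encode()):
        del msg["DKIM-Signature"]  # stale signature: strip it
    return msg.as_string()


# Constructed sample: single-part text message; b= is a placeholder because
# this sketch never checks the RSA signature itself.
BODY = "Hello list,\nthis is a minimal test.\n"
SAMPLE = (
    "From: sender@example.org\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    f" s=sel; h=from; bh={body_hash(BODY.encode())}; b=PLACEHOLDER\n"
    "\n" + BODY
)
```

Changes that relaxed canonicalization ignores, such as trailing blank lines, leave the header in place; an appended list footer changes the hash and the header is dropped.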

Comment 5

7 years ago
Please let me add,

my hosted spam filter service sends bounces to, most likely because of this bug.

The result is that notifies me every couple of days, and requests me to confirm I want to remain as a subscriber.

Comment 6

7 years ago
It appears that Gmail has become more aggressive with its warnings.

see example:

Comment 7

7 years ago
Interesting. I just started seeing "via" in Gmail, but I haven't seen the stronger "may not have been sent by" warning yet.


7 years ago
Assignee: justdave → rbryce

Comment 8

7 years ago
If you're using mailman, the following might be sufficient to fix this bug:

in /etc/mailman/
add this line:


Comment 9

6 years ago
> in /etc/mailman/
> add this line:

What do you think about this proposal?
Component: Server Operations → Server Operations: Infrastructure
Assignee: rbryce → server-ops-infra
OS: Mac OS X → All
QA Contact: mrz → jdow
Hardware: x86 → All


6 years ago
Assignee: server-ops-infra → limed
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: → Infrastructure & Operations


5 years ago
Component: Infrastructure: Other → Infrastructure: Mail
QA Contact: jdow → limed