Signing outbound list mail with OpenDKIM

For my server running the discussion mailing lists that I host, I'm running OpenDKIM, OpenDMARC and Postfix on Ubuntu. I run a custom mailing list manager that I wrote myself; I keep telling myself that eventually I'll polish the code enough to share it with the world.

I wanted all posts to the mailing list to be signed with the DKIM signature of my mailing list domain name. Any DKIM signature the message was initially signed with when submitted to the list is rendered invalid by the header changes my mailing list software makes before distributing the posted message to all subscribers. Thus, mail would have been distributed to subscribers either with no signature or with a now failing signature. I feel strongly enough about email authentication to be dissatisfied by that; I want all mailing list messages to clearly demonstrate to the world that my server, my domain is responsible for the list mail.

To do this, I would in theory want to add OpenDKIM's "SenderMacro" directive to opendkim.conf. Except, support for SenderMacro is not compiled into OpenDKIM by default. No big deal, right? My brain shouldn't have atrophied too much from when I had a day job as a unix system administrator; I can just recompile it. But, it turns out, compiling OpenDKIM from source on Ubuntu is a hugely frustrating pain in the ass, with a ton of dependencies that I had to solve for manually, and package names that correspond to the absent library names in almost no way whatsoever. And even after I got it all compiled, there still ended up being a path issue with locating libraries at runtime that I just was not able to figure out. In theory I know how to fix that, but in practice, it just didn't work no matter what I did.

But then I stumbled across a much simpler way to do this: The "SenderHeaders" directive. The OpenDKIM README has a helpful section on mailing lists, where it explains that you can add this directive and set it to "Sender, From" to tell OpenDKIM, when deciding whether or not to sign the mail, look first at the domain in the sender header, then if that doesn't match the list of domains you sign, look at the From address domain to find a match.

My mailing list manager software doesn't use a sender header. I could easily add one, but I don't really like how that displays in the user interface of certain MUAs. Thankfully, the OpenDKIM documentation suggests an alternative header: "List-Post." Most mailing list manager software, including mine, includes a header designating what address you send to if you want to post a message to the mailing list. (The header looks like this: "List-Post: <>.")

I decided to give that a try and updated the SenderHeaders directive to read "SenderHeaders List-Post,Sender,From" and it worked! OpenDKIM looks at the List-Post header, sees a domain there that I can sign mail for, and it signs the mail with the key for that domain. The net result, all messages to the mailing list a signed with my DKIM key automatically.

1 comment:

  1. Al, u da man! Thank you *so* much! I've been bangin' my head against the wall for I don't know how long trying to get my Opendkim key to pass validation on my Mailman list. Tried what u said & it took off like a greased pig! Like I said, u da man!


Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.