Request: Please sign this list's messages via DKIM or SPF
lists at binarus.de
Mon Apr 4 11:12:11 EDT 2016
On 04.04.2016 16:32, Dave McMurtrie wrote:
> I completely agree. I'll run this up the management chain and see if I
> can get approval. Really, the ideal solution would be to set up a list
> server in the cyrusimap.org domain and handle it there because CMU
> management doesn't care what we do in that domain. I'd love to do that,
> but I'm hesitant to foist that change on Cyrus users since info-cyrus
> has been on lists.andrew for so many years now.
> Your input is appreciated, though.
Well, not being an expert in that area, my 2 cents:
I think I wouldn't move to another server either (never touch a running system). But eventually you could forward all messages from lists.andrew to cyrusimap.org which then could sign and send them? That way you could keep the current server (nearly unaltered) for mailing list management, processing the received messages and sending messages. The only change would be to not directly send messages, but to forward them.
Before sending, cyrusimap.org should rewrite the envelope-from and from, making them something like "cyrus-imapd-list at cyrusimap.org". The receiving MTAs could then get the public DKIM key from cyrusimap.org and check if the signature is valid, i.e. if the message actually has been sent by cyrusimap.org.
Or, even easier: Just add an appropriate SPF record to the DNS configuration of andrew.cmu.edu, and we could test what happens. Adding such a record should get immediate approval by your management since it does not affect other DNS records or the mailing list server in any way. In other words, you would just have one more TXT record in your DNS which will not interfere with any other system component in any way. I strongly assume that this already would be sufficient.