DKIM won't sign for arbitrary "From" address #2346

Alex-Jordan opened this issue Mar 1, 2024 · 3 comments

@Alex-Jordan
Contributor

I have a situation with the RS server that many WW server admins would not run into. For most other installations, all user emails have the same @domain.edu, and it is a domain where the WW server is a subdomain. With the RS server, this is not the case.

For some institutions, emails from the WW server are rejected if they are not DKIM signed. Normally, it's easy to sign because there is just one domain.edu to worry about, and it's actually a domain you have authority with. But when the "From" address is a student's [email protected] then I can't (shouldn't?) set things up to give a DKIM signature for all the possibilities for whatever.edu.

I've tested in a RS WW course, that if I set my email address to [email protected] and send a message to a mail testing service, it is not DKIM signed. But if I change my email to [email protected] then it will be signed. This makes sense...opendkim is configured to sign for webwork-hosting.runestone.academy :)

So the issue is that I need the WW server to send emails from a webwork-hosting.runestone.academy address, but there are two immediate issues with that.

  1. The reply-to should be the sender's actual email address. OK, we can probably make that happen.
  2. The recipient (usually the instructor) is going to see they have an email from [email protected] instead of from the student. How confusing will this be for them?

As I think about this, it starts to seem "wrong" that we send emails that are "from" an institution.edu address. Of course it's fine when you work at that institution and the institutional mail server is actually the mail server you are using, and the admin supports your cause. But RS is using postfix to send mail, and can't be the only WW server where this DKIM signing issue is an issue.

Note that most RS subscribing schools have "low" standards and the emails do get through, even without a DKIM signature. It's a few (but growing number) that are bouncing the messages back.

Unless people have good ideas, I think I will have to alter the RS WW server to send from some generic webwork-hosting.runestone.academy address and make sure the reply-to is the student address.

@Alex-Jordan
Contributor Author

The issue here will sooner or later affect all WeBWorK servers that allow students to set their own email address. If a student sets their email address to [email protected] then when they send an email instructor message, WeBWorK will try to send it "from" [email protected]. There's no way the WW admin or school mail server admin will have known to arrange for such an address to be signed with DKIM, so the message will be sent unsigned. And the instructor is more and more likely to never receive that message.

See: https://postmarkapp.com/blog/2024-gmail-yahoo-email-requirements. Brad alerted me that this has been happening the past few months, and more and more universities (especially those that use Google for mail) have been affected. This explains why things were basically issue-free with the WW Runestone server and email the past year or so, but then suddenly for about a month or two I've had sporadic complaints of messages not getting through.

@Alex-Jordan
Contributor Author

Alex-Jordan commented Mar 3, 2024

Can others try an experiment? On a production server, create a course. Change your own email address to something like a gmail.com address that you own. (Anything that is clearly outside the scope of your university mail server.) Then go to a page and use Email Instructor to send yourself a message. When I do this, I get a page full of errors. It starts out as:

Failed to send message: 5.7.1 <[email protected]>: Sender address rejected: Mail from non-PCC addresses not allowed

It seems my school's smtp server is (wisely) not going to send a message that is "From" a gmail.com address. We don't allow students to change their WW email address here, but nothing would stop an instructor from changing to a different address if they wanted to. Well, nothing except errors like this.

I could also imagine a student in a course not having an email address, and typing it in at the time of sending their message. And typing their yahoo.com address or whatever. This is not uncommon on the RS server where a school wanted to keep their student emails out of an external database like RS. Since RS uses postfix and it's not configured restrictively like my school's smtp server, these get sent through. Although they do not get signed, and are more likely to be declared to be spam. (Well, not since yesterday, since I changed how RS sends emails.)

I'm not looking forward to this, but I think WW needs to redesign how it handles email. There are at least two models and we could try to support both, or just support the more versatile option.

  1. site.conf would have a list of email domains that are approved. In my school's case, this would only be @pcc.edu. Any email entry would have to use a domain from this list. It's the server admin's job to make sure that the smtp server is willing to send out email that is "From" these domains.
  2. (more versatile, what I am now doing with RS) WeBWorK only ever sends email "From" users like [email protected], [email protected], [email protected], etc. These can go out with appropriate ReplyTo addresses. Even the "From" can have a person's name on it. So your student could send you an Email Instructor message that is "From" Lester Student <[email protected]> with a reply-to address Lester Student <[email protected]>.

I've found four places email goes out:

  1. Email Instructor
  2. Instructor using the Email page to email students
  3. Instructor getting a confirmation email after item 2 is completed
  4. JITAR notification emails???

And I've been imagining (for a while now, with no action) email alerts to students about upcoming due dates on incomplete assignments, etc.

Anyway, it will be a big project. I don't want to get started without consensus on what the problem is and what the right model is to address it.
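
The two models proposed in the comment above, sketched in Python as an added example (not part of the thread and not WeBWorK's own code, which is Perl). The domains, the `noreply` local part and all function names are constructed for illustration; the sketch also rejects line breaks in user-supplied fields, since the user's name and address end up in message headers.

```python
from email.headerregistry import Address
from email.message import EmailMessage

# Constructed values for illustration; these are not WeBWorK settings.
SIGNING_DOMAIN = "webwork.example.org"   # domain the server's DKIM key covers
APPROVED_DOMAINS = {"example.edu"}       # model 1: site-approved domains


def split_addr(addr):
    """Split a user-supplied address into (local, domain); reject unsafe input."""
    if any(c.isspace() for c in addr):
        raise ValueError("address contains whitespace or line breaks")
    local, sep, domain = addr.rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not a local@domain address")
    return local, domain.lower()


def domain_approved(addr, approved=APPROVED_DOMAINS):
    """Model 1: accept an address only if its domain is on the site list."""
    return split_addr(addr)[1] in approved


def build_message(name, user_addr, to_addr, subject, body,
                  signing_domain=SIGNING_DOMAIN, local_part="noreply"):
    """Model 2: From stays in the signing domain, replies go to the user."""
    if any(c in name + subject for c in "\r\n"):
        raise ValueError("line break in name or subject (header injection)")
    u_local, u_domain = split_addr(user_addr)
    t_local, t_domain = split_addr(to_addr)
    msg = EmailMessage()
    msg["From"] = Address(name, local_part, signing_domain)
    msg["Reply-To"] = Address(name, u_local, u_domain)
    msg["To"] = Address(username=t_local, domain=t_domain)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def from_domain(msg):
    """Domain of the From header, which the DKIM d= value should align with."""
    return msg["From"].addresses[0].domain


if __name__ == "__main__":
    m = build_message("Lester Student", "lester@mail.example.com",
                      "instructor@example.edu", "Question on HW 3", "Hello")
    print(m["From"], "|", m["Reply-To"], "|", from_domain(m))
```
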
