Favicon for LMU Munich

[dbeyer]

Many thanks for this wonderful tool to make the mail system safer!

It would be nice to include the icons for LMU Munich (Ludwig-Maximilians-Universität München) and some of its institutes:

lmu.de -> https://www.ifi.lmu.de/favicon.ico
ifi.lmu.de -> https://www.ifi.lmu.de/favicon.ico
sosy.ifi.lmu.de -> https://www.ifi.lmu.de/favicon.ico
sosy-lab.org -> https://www.sosy-lab.org/favicon.ico

[lieser]

The icons for all institutes seem to be the same so I will only add one icon (for both the lmu.de and sosy-lab.org domain). The icon will be also added for all sub-domains.

Can you please confirm that you posted the signing domains, e.g. that mails from ...@ifi.lmu.de are signed by ifi.lmu.de?

Note that unless you are aware that some mails from lmu.de/sosy-lab.org or one of its sub-domains are not signed by DKIM I will also add a sign rule for lmu.de/sosy-lab.org.

[dbeyer]

@lieser Many thanks for your super-quick response.

1. Yes, they all belong to LMU Munich and use the same favicon.

2. Only sosy-lab.org is always signing, the others not yet.
   According to dig TXT _dmarc.sosy-lab.org, mails for that domain must be signed and otherwise should be rejected.

[lieser]

Thanks for the additional information.

A note about DMARC:
Even if the DMARC policy is set to reject, it does not mean mail must be signed by DKIM. It only means DKIM or SPF needs to be valid. So as long as SPF works, DMARC will not complain about an unsigned DKIM mail.

[dodmi]

I'm aware, that @stud.ifi.lmu.de and @cip.ifi.lmu.de are sub domains for student's mail accounts. They should not get the LMU icon, in my opinion, as students don't represent the institute in general. At the moment I don't get a dkim signature on these domains.

[dbeyer]

I'm aware, that @stud.ifi.lmu.de and @cip.ifi.lmu.de are sub domains for student's mail accounts. They should not get the LMU icon, in my opinion, as students don't represent the institute in general. At the moment I don't get a dkim signature on these domains.

But if the mails are not signed, then the favicon is not shown, correct?
And if those mails are signed by a DKIM key from ifi.lmu.de, then why not showing the LMU favicon for the domain?

Is it possible to show the icon only for those domains that are explicitly mentioned in my first comment above, and exclude all other subdomains for now?

[dodmi]

Correct, the favicon will only be shown, if there's a valid dkim signature.

As far as I know, the favicon depends on the signing domain, not the mail domain. If the SDID matches exactly or there's a base domain in the database, the corresponding favicon will be shown. (i.e. ifi.lmu.de would get the icon from lmu.de if there's no explicit entry for ifi.lmu.de).
At the moment, that's not an issue. In the future maybe. This depends on the dkim implementation at the LMU, as stud.ifi.lmu.de will get the icon from ifi.lmu.de or lmu.de if the SDID would be stud.ifi.lmu.de.
Showing the LMU icon for the mail domain stud.ifi.lmu.de would be almost like showing a GMX icon for the mail domain GMX.de. Anyone could get a GMX address, but most people don't represent the company GMX.

The comment about unsigned sub domains is also important for the default rules added.

[lieser]

the favicon will only be shown, if there's a valid dkim signature.

Although that is correct, if we don't want an icon to be shown for e.g. @stud.ifi.lmu.de we should not rely on it currently not having a DKIM signature.

As far as I know, the favicon depends on the signing domain, not the mail domain. If the SDID matches exactly or there's a base domain in the database, the corresponding favicon will be shown. (i.e. ifi.lmu.de would get the icon from lmu.de if there's no explicit entry for ifi.lmu.de).

That is correct. There is also no current way to explicitly exclude a sub-domain from getting an icon. Just overwriting is possible. And would only match on the exact sub-domain, and not a sub-domain of it (e.g. foo.ifi.lmu.de in your example).

Is it possible to show the icon only for those domains that are explicitly mentioned in my first comment above, and exclude all other subdomains for now?

No this is currently not possible. But if we have a use case for it it should maybe be implemented as part of #107.

Showing the LMU icon for the mail domain stud.ifi.lmu.de would be almost like showing a GMX icon for the mail domain GMX.de. Anyone could get a GMX address, but most people don't represent the company GMX.

I agree that this looks similar to the email provider example (e.g. GMX). But I think this is a little more in the Grey area. And not something there a clear policy exist for so far. E.g. both uni-bonn.de and uni-koeln.de are currently included in the favicon list, and I could imaging that students get addresses from the same domain.

Let me elaborate a little why I think this is different from an email provider:

1. I agree that a student in most cases will not official represent the university. But the connection between a student and the university is still stronger than the connection between an email provider and it's customer
2. Unlike in an email provider a student will probably not be able to chose his own address, and should therefore not be able make it look like an official support, payment or similar address.
3. In the case of @stud.ifi.lmu.de they even have an address from a sub-domain clearly identifying them as a student.

I'm personally undecided how we should handle this. And if we want/need to establish a clear policy for it or decide it case by case.

As a reference, I recently wrote down some high level guidelines for favicon in https://github.com/lieser/dkim_verifier/wiki/Contribute#additional-requirements-for-favicon.

[dodmi]

Well, it's up to you @lieser... I guess we won't be able to get all sub domains for students at the LMU.
"ifi" is the sub domain for the "Institut für Informatik" at the LMU. And at least at my time, there was no standard between the various institutes.
But since there are already some examples for universities, I'd handle it similar and simply add "lmu.de" with the favicon.

[lieser]

The icon and rules are now added for lmu.de and sosy-lab.org.

I decided to add the lmu.de for the complete domain. As @dodmi mentioned it would be hard anyway to get all sub domains for students. And even if we had that list, currently it would be not even supported to show the icon for the top domain but not other sub domains.

But please let me know if anyone has concerns with that decision, and thinks that students will be to easily confused as doing official communication on behalf of the university.
In general I want to keep the favicon as a quick way to establish trust.