Lev Serebryakov
2022-Feb-12 11:05 UTC
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 11.02.2022 16:31, Marc wrote:
>> Problem is, I need to unpack each of them to be sure, that these are
>> false positives and I'm afraid, that it could lower reputation of my mail
>> server IP address with major providers (like Google Mail).
>>
>
> How can you get a lower reputation? Afaik dmarc is just signing your outgoing messages.

DKIM is signing of headers. DMARC is policy (like "This domain must sign all messages with DKIM, no exceptions, and has strict SPF") and reporting mechanism for other hosts ("We get mail from you and this message violates declared policy of your domain").

As I get these reports, it means that messages from "my domain" (really, forwarded by mailing list software) violate policies set by my domain. It means, my domain is compromised somehow.

--
// Black Lion AKA Lev Serebryakov
hi at zakaria.website
2022-Sep-13 12:03 UTC
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-12 11:05, Lev Serebryakov wrote:
> On 11.02.2022 16:31, Marc wrote:
>
>>> Problem is, I need to unpack each of them to be sure, that these are
>>> false positives and I'm afraid, that it could lower reputation of my
>>> mail server IP address with major providers (like Google Mail).
>>>
>>
>> How can you get a lower reputation? Afaik dmarc is just signing your
>> outgoing messages.
>
> DKIM is signing of headers. DMARC is policy (like "This domain must
> sign all messages with DKIM, no exceptions, and has strict SPF") and
> reporting mechanism for other hosts ("We get mail from you and this
> message violates declared policy of your domain").
>
> As I get these reports, it means that messages from "my domain"
> (really, forwarded by mailing list software) violate policies set by my
> domain. It means, my domain is compromised somehow.

An update. I tried to implement a workaround for mailing lists transporting of emails which breaks DKIM yet found way to an avail. I checked headers in mailing like the List-Id and I tried to ignore signing if any email contains such header and didn't make difference, given the issue its with verifying DKIM.

I noticed all failing DKIM verification emails sent by me and coming back from dovecot contain two DKIM-Signature headers, one from me and one from dovecot, and it seems if we can set the MTA to verify all DKIM-Signature headers present in emails that contain List-Id header, i.e. from Mailing List, and requires perhaps the signature placed in the order of headers, before the recent at least to must pass Signature Verification.

Has anyone managed to configure EXIM to verify more than one DKIM Signature header?
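Added example, not written by either poster and not Exim or Dovecot code: how the DKIM leg of a DMARC check treats a list-relayed message that carries two DKIM-Signature headers, as described in the thread. The message, the domains and the per-signature verification outcomes are constructed, and `org_domain` is a simplification that assumes a two-label organizational domain rather than consulting the Public Suffix List.

```python
import email
from email import policy

# Constructed sample: a post relayed by a mailing list, carrying the list's
# signature and the author's original one. All domains are placeholders.
RAW = b"""\
From: Author <author@example.org>
To: list@lists.example.net
Subject: [list] DKIM question
List-Id: <list.lists.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=l1;
 h=from:subject:list-id; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=s1;
 h=from:subject; bh=CCCC; b=DDDD

body text plus a list footer
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def org_domain(domain):
    # Assumption: last two labels; a real evaluator uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_dkim_leg(raw, verified, strict=False):
    """Return (from_domain, [(d, verified, aligned)], dkim_leg_passes).
    `verified` maps a signing domain to the outcome of the cryptographic
    check, which needs DNS and is supplied here as constructed input.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    rows = []
    for header in msg.get_all("DKIM-Signature", []):
        d = parse_tags(str(header))["d"].lower()
        same = d == from_domain if strict else org_domain(d) == org_domain(from_domain)
        rows.append((d, verified.get(d, False), same))
    # One signature that both verifies and aligns with From is enough.
    return from_domain, rows, any(ok and al for _, ok, al in rows)

if __name__ == "__main__":
    print(dmarc_dkim_leg(RAW, {"lists.example.net": True, "example.org": False}))
```

With the constructed inputs, the list's signature verifies but its `d=` does not align with the From domain, while the author's aligned signature no longer verifies, so the DKIM leg fails even though every signature was evaluated.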