On 2021-03-08 10:34, Juri Haberland wrote:
> I have looked at some of the mails that you flagged as problematic and yes,
> those mails failed the DKIM check, even though this list seems to work
> without invalidating DKIM signatures.
checked your dkim signing, it has signed 2 Date headers, 2 From, 2
Subject, solve this :=)
and you have simple in the c= tag, please check double signed headers
it does not dkim pass in the perl Mail::DKIM test in spamassassin
> The problem of these specific mails is the fact, that they sign one or more
> of the following headers:
> - Reply-To
> - Sender
> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
> List-Owner, List-Archive
this comes from dkim signing ALL mails not just ORIGINATED emails,
maillist should really stop signing emails, and only do the ARC sealing and
ARC sign it
if maillist sends ORIGINATING emails it should be signed as dkim and not
ARC sealed
it's common sense imho
too many headers signed makes dkim break
> Of course these headers *will* be altered by most list software out there,
> so the senders have to change the way they sign their mails.
altering will happen hopefully AFTER ARC sealing, so it can still be
verified from ARC that the originated email did pass or fail in some way,
in that case it works as designed
> Your only option is to either trust the ARC-headers or to whitelist all
> mail from this mailing list.
tell dmarc to not test maillists, but it should pass so no need
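
Added example, not part of the original message or of any list software: a small Python check that parses a DKIM-Signature value and reports the points raised in this thread (names repeated in h=, the c= canonicalization, and signed headers from the list quoted above that list software rewrites). The sample signature, its domain and selector are constructed; `audit` and `parse_tags` are names chosen for this example.

```python
import re
from collections import Counter

# Headers the quoted message names as altered by most list software.
LIST_ALTERED = {
    "reply-to", "sender", "list-id", "list-help", "list-unsubscribe",
    "list-subscribe", "list-post", "list-owner", "list-archive",
}

def parse_tags(value):
    """Unfold a DKIM-Signature header value and split it into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # first '=' only, base64 padding survives
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def audit(value):
    """Report repeated h= names, canonicalization, and list-rewritten signed headers."""
    tags = parse_tags(value)
    names = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    counts = Counter(names)
    # RFC 6376: c= defaults to simple/simple; a missing body part means simple.
    header_canon, _, body_canon = tags.get("c", "simple/simple").partition("/")
    return {
        "domain": tags.get("d"),
        "header_canon": header_canon.strip(),
        "body_canon": body_canon.strip() or "simple",
        "repeated": {n: c for n, c in counts.items() if c > 1},
        "list_altered": sorted(set(names) & LIST_ALTERED),
    }

# Constructed sample: folded header value with placeholder bh= and b= data.
SAMPLE = (
    "v=1; a=rsa-sha256; c=simple; d=example.org; s=sel1;\r\n"
    "\th=Date:Date:From:From:Subject:Subject:To:Reply-To:Sender:\r\n"
    "\t List-Id:List-Unsubscribe;\r\n"
    "\tbh=CONSTRUCTED; b=CONSTRUCTED"
)

if __name__ == "__main__":
    for key, val in audit(SAMPLE).items():
        print(f"{key}: {val}")
```
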