hi at zakaria.website
2022-Sep-13 12:03 UTC
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-12 11:05, Lev Serebryakov wrote:> On 11.02.2022 16:31, Marc wrote: > >>> Problem is, I need to unpack each of them to be sure, that these >>> are >>> false positives and I'm afraid, that it could lower reputation of my >>> mail >>> server IP address with major providers (like Google Mail). >>> >> >> How can you get a lower reputation? Afaik dmarc is just signing your >> outgoing messages. > DKIM is signing of headers. DMARC is policy (like "This domain must > sign all messages with DKIM, no exceptions, and has strict SFP") and > reporting mechanism for other hosts ("We get mail from you and this > message violates declared policy of your domain"). > > As I get these reports, it means that messages from "my domain" > (really, forwarded by mailing list software) violate policies set by my > domain. It means, my domain is compromised somehow.An update. I tried to implement a workaround for mailing lists transporting of emails which breaks DKIM yet found way to an avail. I checked headers in mailing like the List-Id and I tried to ignore signing if any email contains such header and didn't make difference, given the issue its with verifying DKIM. I noticed all failing DKIM verification emails sent by me and coming back from dovecot, contains two DKIM-Signature header, one from me and one from dovecot and it seems if we can set the MTA to verify all DKIM-Signature headers present in emails that contains List-Id header i.e. from Mailing List, and requires perhaps the signature placed in the order of headers, before the recent at least to must pass Signature Verification. Have anyone managed to configure EXIM to verify more than one DKIM Signature header?
Benny Pedersen
2022-Sep-13 13:10 UTC
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
hi at zakaria.website skrev den 2022-09-13 14:03:> least to must pass Signature Verification. Have anyone managed to > configure EXIM to verify more than one DKIM Signature header?postfix smtpd_milter_maps with a list of ips that is known maillists ips is best for software that are brokken, use DISABLE as results pr ip that is maillist ips, that will disabled opendmarc and other milters when client ip is a maillist, postfix be happy until trusted domain have updated and stable milters use rspamd if possible, with is imho the only stable milters with solve it all, i hate to write that but it might be right for time being, while spamassassin v4 is on the way