DMARC problems with some emails from the list

Benny Pedersen me at junc.eu
Mon Mar 8 12:38:26 EET 2021


On 2021-03-08 10:34, Juri Haberland wrote:

> I have looked at some of the mails that you flagged as problematic and yes,
> those mails failed the DKIM check, even though this list seems to work
> without invalidating DKIM signatures.

checked your dkim signing, it has signed 2 Date headers, 2 From, 2 
Subject, solve this :=)

and you have simple in C= tag, please check double signed headers

it does not dkim pass in perl Mail::DKIM test in spamassassin

> The problem of these specific mails is the fact, that they sign one or more
> of the following headers:
> - Reply-To
> - Sender
> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
> List-Owner, List-Archive

this comes from dkim signing ALL mails not just ORIGINATED emails, 
maillist should really stop signing emails, and only do the ARC sealing and 
ARC sign it

if maillist sends ORIGINATING emails it should be signed as dkim and not 
ARC sealed

it's common sense imho

too many headers signed makes dkim break

> Of course these headers *will* be altered by most list software out there,
> so the senders have to change the way they sign their mails.

altering will happen hopefully AFTER ARC sealing, so it still can be 
verified from ARC that the originated email did pass or fail in some way, 
in that case it works as designed

> Your only option is to either trust the ARC-headers or to whitelist all
> mail from this mailing list.

tell dmarc to not test maillists, but it should pass so no need
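
The checks discussed in this message (which headers a DKIM-Signature covers, whether any are listed more than once in h=, and which canonicalization the c= tag selects) can be run against a received signature. This is an added example, not part of the original post; the sample header, the domain example.org, the selector and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Headers named in the thread as ones that list software alters or adds.
LIST_TOUCHED = {
    "reply-to", "sender", "list-id", "list-help", "list-unsubscribe",
    "list-subscribe", "list-post", "list-owner", "list-archive",
}

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into a {tag: value} dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # first '=' only; b= holds base64
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def audit_signature(value):
    """Report what a signature covers that a mailing list is likely to touch."""
    tags = parse_dkim_tags(value)
    names = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    counts = Counter(names)
    # c= is "header/body"; a missing tag or missing body part means "simple".
    header_canon, _, body_canon = tags.get("c", "simple/simple").lower().partition("/")
    return {
        "domain": tags.get("d"),
        "header_canon": header_canon,
        "body_canon": body_canon or "simple",
        # Names listed more than once in h=.
        "repeated": sorted(n for n, c in counts.items() if c > 1),
        # Signed headers that the list will probably rewrite or add.
        "list_touched": sorted(set(names) & LIST_TOUCHED),
    }

# Constructed sample, not taken from any real message.
SAMPLE = (
    "v=1; a=rsa-sha256; c=simple; d=example.org; s=sel1;\r\n"
    "\th=Date:Date:From:From:Subject:Subject:To:Reply-To:Sender:List-Id;\r\n"
    "\tbh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ="
)

if __name__ == "__main__":
    for key, val in audit_signature(SAMPLE).items():
        print(f"{key}: {val}")
```
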

