DMARC problems with some emails from the list

Juri Haberland juri at koschikode.com
Mon Mar 8 14:21:21 EET 2021


On 08.03.21 11:38, Benny Pedersen wrote:
> On 2021-03-08 10:34, Juri Haberland wrote:

> checked your dkim signing, it has signed 2 Date headers, 2 From, 2 
> Subject, solve this :=)

Benny, it's not about *my* DKIM signature. And it is perfectly legal and
has a special purpose to double sign some headers, called oversigning.

> and you have simple in C= tag, please check double signed headers
> 
> it does not dkim pass in perl Mail::DKIM test in spamassassin

If my signature didn't verify at your end, then it might be a problem at
your end as my DKIM signature verified at the mailing list host (as you can
see from the ARC-Authentication-Results header) and it still verified
at my host when it came back from the list (both Spamassassin and
OpenDKIM). OTOH if more people have problems with my DKIM signature then
I'd like to hear that.

>> The problem of these specific mails is the fact, that they sign one or
>> more of the following headers:
>> - Reply-To
>> - Sender
>> - List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
>> List-Owner, List-Archive
> 
> this comes from dkim signing ALL mails not just ORIGINATED emails, 
> maillist should really stop signing emails, and only do the ARC sealing and 
> ARC sign it

This has nothing to do with it! The problem arises at the OP's end...

> if maillist sends ORIGINATING emails it should be signed as dkim and not 
> ARC sealed
> 
> it's common sense imho
> 
> too many headers signed makes dkim break

Yes, that is the problem here, but that cannot be fixed by the people
running the ML, only by the original authors, as it concerns the DKIM
signatures of the original authors.

>> Of course these headers *will* be altered by most list software out
>> there, so the senders have to change the way they sign their mails.
> 
> altering will happen hopefully AFTER ARC sealing, so it still can be 
> verified from ARC that the originated email did pass or fail in some way, 
> in that case it works as designed

IMHO altering/adding those headers will happen *before* ARC signing or else
the ARC signature will break immediately and will be useless...

>> Your only option is to either trust the ARC-headers or to whitelist all
>> mail from this mailing list.
> 
> tell dmarc to not test maillists, but it should pass so no need

???

Regards,
  Juri
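
The check discussed in this message, as an added example that is not part of the original post or of any project's code: it reads the `h=` tag of each DKIM-Signature and reports signed headers from the list quoted above (the ones list software alters or adds), plus oversigned names. The sample message, the domain `example.org` and the function names are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Headers named in the thread as ones most list software alters or adds.
LIST_ALTERED = {"reply-to", "sender", "list-id", "list-help", "list-unsubscribe",
                "list-subscribe", "list-post", "list-owner", "list-archive"}

def signed_headers(dkim_value):
    """Return the lower-cased header names from the h= tag of a DKIM-Signature."""
    unfolded = re.sub(r"\s+", "", dkim_value)  # the header value may be folded
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def audit(raw_message):
    """For each DKIM-Signature, list list-fragile and oversigned header names."""
    msg = message_from_string(raw_message)
    present = Counter(name.lower() for name in msg.keys())
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        signed = Counter(signed_headers(sig))
        # Signed names a list is likely to change: the signature will not
        # survive the relay through the list.
        fragile = sorted(h for h in signed if h in LIST_ALTERED)
        # Names listed in h= more often than they occur in the message:
        # oversigning. Adding another instance later invalidates the signature.
        oversigned = sorted(h for h, n in signed.items() if n > present[h])
        report.append({"fragile": fragile, "oversigned": oversigned})
    return report

# Constructed sample: signature values are placeholders, not real data.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel;\n"
    "\th=From:From:Date:Date:Subject:Subject:Reply-To:List-Id:To;\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: author@example.org\n"
    "To: list@example.org\n"
    "Date: Mon, 8 Mar 2021 10:00:00 +0100\n"
    "Subject: test\n"
    "Reply-To: author@example.org\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

Oversigning From, Date and Subject is harmless for list traffic as long as the list does not add or rewrite those headers; signing Reply-To or any List-* header is what fails once the list sets its own.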
