On 08.03.21 11:38, Benny Pedersen wrote:
On 2021-03-08 10:34, Juri Haberland wrote:
checked your dkim signing, it have signed 2 Date headers, 2 From, 2 Subject, solve this :=)
Benny, it's not about *my* DKIM signature. And it is perfectly legal and has a special purpose to double sign some headers, called oversigning.
and you have simple in C= tag, please check double signed headers
it does not dkim pass in perl Mail::DKIM test in spamassassin
If my signature didn't verify at your end, then it might be a problem at your end as my DKIM signature verified at the mailing list host (as you can see from from the ARC-Authentication-Results header and it still verified at my host when it came back from the list (both Spamassassin and OpenDKIM). OTOH if more people have problems with my DKIM signature then I'd like to hear that.
The problem of these specific mails is the fact, that they sign one or more of the following headers:
- Reply-To
- Sender
- List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
this comes from dkim signing ALL mails not just ORIGINATED emails, maillist should really stop sign emails, and only do the ARC sealing and ARC sign it
This has nothing to do with it! The problem arises at the OP's end...
if maillist send ORIGINNATING emails it should be signed as dkim and not ARC sealed
its common sense imho
too many headers signed makes dkim break
Yes, that is the problem here, but that cannot be fixed by the people running the ML, only be the original authors, as it concerns the DKIM signatures of the original authors.
Of course these headers *will* be altered by most list software out there, so the senders have to change the way they sign their mails.
altering will happend hopefully AFTER ARC sealing, so it still can be verify from ARC that the originated email did pass or fail in someway, in that case it works as designed
IMHO altering/adding those headers will happen *before* ARC signing or else the ARC signature will break immediately and will be useless...
Your only option is to either trust the ARC-headers or to whitelist all amil from this mailing list.
tell dmarc to not test maillists, but it should pass so no need
???
Regards, Juri