On 2021-03-08 10:34, Juri Haberland wrote:
I have looked at some of the mails that you flagged as problematic and yes, those mails failed the DKIM check, even though this list seams to work without invalidating DKIM signatures.
checked your dkim signing, it have signed 2 Date headers, 2 From, 2 Subject, solve this :=)
and you have simple in C= tag, please check double signed headers
it does not dkim pass in perl Mail::DKIM test in spamassassin
The problem of these specific mails is the fact, that they sign one or more of the following headers:
- Reply-To
- Sender
- List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive
this comes from dkim signing ALL mails not just ORIGINATED emails, maillist should really stop sign emails, and only do the ARC sealing and ARC sign it
if maillist send ORIGINNATING emails it should be signed as dkim and not ARC sealed
its common sense imho
too many headers signed makes dkim break
Of course these headers *will* be altered by most list software out there, so the senders have to change the way they sign their mails.
altering will happend hopefully AFTER ARC sealing, so it still can be verify from ARC that the originated email did pass or fail in someway, in that case it works as designed
Your only option is to either trust the ARC-headers or to whitelist all amil from this mailing list.
tell dmarc to not test maillists, but it should pass so no need