Jaco Kroon via dovecot wrote on 2026-03-30 13:39:
Hi Aki,
Right.
X-Spam-Status: No, score=-9.7 tagged_above=-999 required=5 tests=[AUTHRES_DKIM_NONE=1.5, AUTHRES_DMARC_PASS=-1.5, AUTHRES_SPF_PASS=-0.5, AWL=-8.040, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, KAM_ASCII_DIVIDERS=0.64, MAILING_LIST_MULTI=-0.1, RCVD_IN_DNSWL_MED=-2.3, RELAYCOUNTRY_BAD_ZA=1.5, RELAYCOUNTRY_GOOD=-0.5, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1] autolearn=no autolearn_force=no
as my spamassassin sees it :)
On 2026/03/30 12:05, Aki Tuomi wrote:
On 30/03/2026 12:12 EEST Jaco Kroon via dovecot <dovecot@dovecot.org> wrote:
Hi,
It seems like the list system is breaking DKIM - triggering bounces, resulting in unsubscribes.
Are there recommendations on how to deal with this?
Looks like it relates 100% to the addition of the footer:
-------- Forwarded Message --------
Subject: dovecot mailing list probe message
Date: Mon, 30 Mar 2026 06:32:58 +0000
From: dovecot-bounces+a190cb9ae5d94d8fa6e2af68fc964a7aaa13256b@dovecot.org
To: jaco@uls.co.za
It's using ARC-Signing, but ofc no one supports that. DMARC/DKIM and mailing lists are super fun.
maillist could proactively reject if dmarc policy is not policy none
hopefully none are rejecting in dkim milters :/
Right. So looking at an example that did come through (Date: Mon, 30 Mar 2026 10:18:08 -0000; Message-ID: <177486588864.2363878.5248861545256115787@talvi.dovecot.org>), the original sender doesn't contain DKIM, so no ARC. There is, however, a new DKIM signature with d=dovecot.org (which does pass).
I think there is potential sender impact here too, since the mailer rewrites the From: email to dovecot@dovecot.org (which may affect DMARC related checks). Sorry, still trying to figure all of this out, but the number of DKIM failures we're seeing overall is minimal.
Do you happen to have a good reference at hand you can point me to? Google isn't being particularly helpful right now (will keep trying), specifically related to the (I don't mind technical, but the RFCs on the matter do seem to beat my brain's abstract ability a bit - so a slightly dumbed down technical version would be perfect, but not down to the "what it is" only level that most guides seem to be at).
Not sure if this is the specific message that was bounced, but looking at the exim logs for *an* example:
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM: signers=dovecot.org:open-xchange.com, cur=dovecot.org, status=pass, reason=, domain=dovecot.org, identity=, selector=mail, algo=rsa-sha256, canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM: signers=dovecot.org:open-xchange.com, cur=open-xchange.com, status=fail, reason=bodyhash_mismatch, domain=open-xchange.com, identity=, selector=s1dus, algo=rsa-sha256, canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy H=talvi.dovecot.org [94.237.105.223] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM : DKIM failure for d=open-xchange.com s=s1dus: bodyhash_mismatch
So the first DKIM signature is status pass, the latter fails, so one strategy would be "at least one successful DKIM, or NO DKIM at all", there are ARC headers present here as per below:
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy H=talvi.dovecot.org [94.237.105.223] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM : DKIM failure for d=open-xchange.com s=s1dus: bodyhash_mismatch
Envelope-from: <dovecot-bounces+jaco=uls.co.za@dovecot.org>
ARC-Seal: i=1; s=arc; d=dovecot.org; t=1774866320; a=rsa-sha256; cv=none; b=EC90wsNC3CKIgTeRf2ABxGstdt+SN/33FsXEn7Bkh798TX/DNR7pqjp5+m/xdAsBa1thrP KoM72A9bpjqDxqid9IIcB8oSrsQFShQah4szclrU86CiPg0MnKJSyfoRPgKg6PtCxel6I6 ky6HIDQ6R0F5rziQkeVgehZd70h1YNgmbiyYwqS7rj1Iq7s0ZZ3u14e/JXP2ONUWJKXPDj k+l4Cnb/IeKXtvYIqQX1KM5z5T3XvS3RWtF8KDwy+fROVkxMGCKm8fFm3Bklj8viKybktQ yhYZp+DjmneqKdLsKrUlOi4Ntp9ED4GdsBzHau+eKg/Uaekk3uN1jIG70OBVeA==
ARC-Authentication-Results: i=1; talvi.dovecot.org; dkim=pass header.d=open-xchange.com header.s=s1dus header.b=GIYYG8yJ; spf=pass (talvi.dovecot.org: domain of aki.tuomi@open-xchange.com designates 89.163.165.132 as permitted sender) smtp.mailfrom=aki.tuomi@open-xchange.com; dmarc=pass (policy=reject) header.from=open-xchange.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dovecot.org; s=arc; t=1774866320; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=x77+dfSTZ5Gi7j/lck5C4TlajJJes2HnylW7FXyR6uM=; b=dzEMOMEBfGH+3qjkA5VJ1vWGcWv90o0WVbe6+ECAyWns++ptVADigE0D71Ohws1Hu3Ad4L PW84V7Cg9/a6bwxCuoihtY3W0ytL2MEPwEn9BaijV4+Gyd3Dt3gxwL2c+LZCYECvbgHnzR nBrV6XTuYe4tk0K6+qhC4Fk0Qdbm5PX1fz03U1gzCxR6ALDOjRKrhe+ygezFDu07UYDzuO odoE5hl55zTtzh9oEQEHJ5+/pZ4S9t+bVG3e/1825DgAp5RH/Q+piSZ3gZSCkLYLOq5Klp QoAJ9+uHLLCPoA0z0VcOI0hHs6Gwwf7tgRWZlcEtScId7ITRujmMcezKm2bHHA==
So should just be a matter of verifying those to get the open-xchange.com signature to pass (or completely ignore it probably based on the ARC headers) and perform relevant dmarc alignment checks (which I make note is also outstanding on the specific host).
all good
never reject maillist servers, never as never :=)
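
Added example, not part of the thread and not any poster's code: it shows why an appended list footer produces the bodyhash_mismatch seen in the exim log under canon_body=relaxed, and why the surviving d=dovecot.org signature only satisfies the DKIM half of DMARC when From: is rewritten to the list domain. The sample body, footer, function names and the two-label organizational-domain shortcut are assumptions; the log lines are abbreviated from the ones quoted above.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization (canon_body=relaxed in the logs)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, then drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The bh= value a sha256 signer or verifier computes over the body."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def dkim_results(log_lines):
    """Extract (signing domain, status) pairs from exim 'DKIM:' log lines."""
    pat = re.compile(r"DKIM: .*?cur=([^,]+), status=(\w+)")
    return [m.groups() for m in map(pat.search, log_lines) if m]

def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_dkim_aligned(from_domain: str, results) -> bool:
    """DKIM half of DMARC, relaxed alignment: a passing d= in From:'s org domain."""
    return any(st == "pass" and org_domain(d) == org_domain(from_domain)
               for d, st in results)

# Constructed sample body and footer; log lines abbreviated from the thread.
ORIGINAL = b"Hi,\r\nIt's using ARC-Signing.\r\n"
FOOTER = b"_______________\r\nlist footer (constructed)\r\n"
LOG = [
    "DKIM: signers=dovecot.org:open-xchange.com, cur=dovecot.org, status=pass, reason=",
    "DKIM: signers=dovecot.org:open-xchange.com, cur=open-xchange.com, status=fail, reason=bodyhash_mismatch",
]

if __name__ == "__main__":
    print("signed bh  :", body_hash(ORIGINAL))
    print("with footer:", body_hash(ORIGINAL + FOOTER))  # differs: bodyhash_mismatch
    res = dkim_results(LOG)
    print("From open-xchange.com aligned:", dmarc_dkim_aligned("open-xchange.com", res))
    print("From dovecot.org aligned     :", dmarc_dkim_aligned("dovecot.org", res))
```

Only the DKIM side of DMARC is modelled here; an aligned SPF pass would also satisfy DMARC, and ARC chain validation is not covered.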