On Jan 25, 2022, at 8:50 AM, Benny Pedersen <m...@junc.eu> wrote: Authentication-Results: lists.isc.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z
On 25.01.22 12:25, Dan Mahoney wrote:
The headers you cite are lying to you. :) The message passed DKIM on the way IN to lists.isc.org (the dedicated vm that runs our lists), but then, when the message got to the mailman python scripts and then shot back out via the MTA, they had an altered body and no longer passed, and the header was rewritten to say "fail". (This is visible from the logging on the servers, but nowhere else).
there were multiple headers when that mail came here: Authentication-Results: fantomas.fantomas.sk; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="q/vOEba5"; dkim=fail reason="signature verification failed" (1024-bit key; secure) header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z"; dkim-atps=neutral Authentication-Results: lists.isc.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z obviously when the mail came to list, DKIM was fine, not so after it left (thanks to list signature)
will my dkim fail aswell ?
it did...
Altering the body or headers at all (whch lists do) will often break the hashing. For this reason, most recent versions of mailman have an option to rewrite your mail from:
[...]
...but only in the event you have a restrictive DMARC policy.
this explains why both your and Benny's mail did fail here, while Eduard's did not - that one was signed by mailman because of his domains' restrictive policy. I missed this part before.
I've argued that it should be possible to do so for *any* dmarc policy, even p=none, but that option is not present in mailman 3, at least.
I agree. spam filter is something that can use dkim fail and should not be ignored. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Support bacteria - they're the only culture some people have. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users