On 4/7/20 2:54 PM, Stefan Schmiedl wrote:
> 
>> DKIM fails on many mailing lists. This list, for example, modifies your
>> subject to add "[gentoo user]" but leaves the DKIM signature intact. If
>> the sender has a p=reject DMARC policy, that can make his messages
>> "disappear" for recipients who check and enforce DMARC.
> 
> I'm pretty sure that I'm not the first one to ask, but given that
> DMARC and DKIM seem to have become a thing, would it not be "better"
> for delivery if the mailing list software removed the DKIM signature
> if it modified a header that was signed?

It's a tricky question, but I know e.g. Mailman has tried that before.
The RFCs say that you should treat the signature header like a
Received-from header; i.e. leave it alone. Stripping off the signature
can cause other new and exciting problems, like getting you sent to Junk
at the big freemail providers.

I always attempt the simplest solution first: don't modify the message.

Some lists now have clever ways of modifying the "From" so that the
message appears to come from the list, and not from the person who sent
it, but they don't work in 100% of cases either. Off the top of my head,
it involves adding another type of "Sender" header, but that can only be
done if the original message doesn't have one, or something like that.
I'd check the available options in the latest version of Mailman to see
what it can do.

There's a lot of boring work that has been done on this, e.g.

  https://tools.ietf.org/html/rfc6377

but I'm not totally up to date on the best practices. I switched my own
domain to p=none after a few years of pain and suffering, and haven't
looked back.
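
Added example, not part of the original message: a Python sketch that reads a message's DKIM-Signature `h=` tag and reports which list modifications (a subject tag, as described above) would invalidate the signature. It goes a little beyond the subject case to cover added headers and appended footers; the sample message, its domains, and the function names are constructed for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message (not from the thread); bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=sel1;
 h=From:To:Subject:Date:Message-ID; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.org>
To: list@lists.example.net
Subject: DKIM question
Date: Tue, 07 Apr 2020 14:54:00 -0400
Message-ID: <constructed-1@example.org>

Body text.
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def list_impact(raw, changed=("subject",), added=(), footer_appended=False):
    """For each DKIM signature, return the list actions that would invalidate it."""
    msg = message_from_string(raw, policy=default)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(sig))
        signed = [h.lower() for h in tags.get("h", "").split(":") if h]
        reasons = [f"signed header changed: {h}" for h in changed if h.lower() in signed]
        for h in added:
            # Oversigning: h= names the header more often than it occurs,
            # so a newly added instance changes the signed data.
            if signed.count(h.lower()) > len(msg.get_all(h, [])):
                reasons.append(f"oversigned header added: {h}")
        # Without an l= tag the body hash covers the entire body.
        if footer_appended and "l" not in tags:
            reasons.append("footer appended (bh= covers the whole body)")
        report.append({"d": tags.get("d"), "s": tags.get("s"), "breaks": reasons})
    return report

if __name__ == "__main__":
    for entry in list_impact(SAMPLE, footer_appended=True):
        print(entry)
```

An empty `breaks` list only means the listed modifications do not touch signed data; it does not verify the signature itself.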
