Hello,

On Fri, Mar 08, 2024 at 02:16:07AM +0000, Tim Woodall wrote:
> And some dkim seems set up with the intention that it should not be used
> for mailing lists:
>
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>   d=dow.land;
>   s=20210720;
>   h=From:In-Reply-To:References:Subject:To:Message-Id:Date:
>   Content-Type:Content-Transfer-Encoding:Mime-Version:Sender:Reply-To:Cc:
>   Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
>   Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
>   List-Subscribe:List-Post:List-Owner:List-Archive;

So the thing is that the RFC for DKIM specifies a list of headers to sign,
and those include ones commonly used by mailing list software, so as soon as
one of those mails goes through list software, the DKIM signatures get
broken. And sadly, because that is what is suggested in the RFC, that is also
the default setting of Exim in Debian.

As a result heaps of messages don't make it through mailing lists with DKIM
intact, even when the list operator makes some effort to allow it to work
(e.g. avoids adding footers or subject tags and just passes the mail through,
like debian-user does).

> AFAICT, it's a problem at the originator causing failures, either
> something wrong with dkim setup or too strict set of headers.

Yes. But I think a person whose receiving system outright rejects on DKIM
failure might spend their whole life tracking down and contacting the
operators of sending systems to educate them about DKIM, only to be mostly
met with disagreement, lack of understanding, or silence.

Which is why I argue that at present it isn't a good idea to just reject all
DKIM failures like OP's mailbox provider appears to be doing. That sort of
setup would only be suitable for someone who doesn't really use email, except
for "transactional" mails (password reminders, OTP, etc.) and one-way
newsletters. Which admittedly is probably the majority of users - but not OP!

> I shall be checking what this does when it gets back to me. One of the
> problems with dkim is that you assume it still works, it's hard to know
> what others actually see...

Adding DMARC and a reporting address gets you far more unwelcome insight
into what others do. 😀

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
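As an added example (not code from either mail in this thread), a small Python check over the quoted DKIM-Signature h= tag: it reports which signed headers mailing-list software commonly adds or rewrites. Which headers count as "list-touched", and the set of headers present in the original message, are assumptions made here for illustration.

```python
import re

# The DKIM-Signature value quoted in the thread (tag list only, no b= data).
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dow.land; s=20210720; "
    "h=From:In-Reply-To:References:Subject:To:Message-Id:Date:"
    "Content-Type:Content-Transfer-Encoding:Mime-Version:Sender:Reply-To:Cc:"
    "Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:"
    "Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:"
    "List-Subscribe:List-Post:List-Owner:List-Archive;"
)

# Assumed: headers that list software typically adds (List-*, Sender,
# Reply-To munging) or rewrites (Subject tags).
LIST_TOUCHED = {
    "list-id", "list-help", "list-unsubscribe", "list-subscribe", "list-post",
    "list-owner", "list-archive", "sender", "reply-to", "subject",
}

# Constructed: headers present in a typical original (pre-list) message.
ORIGINAL_HEADERS = ["From", "To", "Subject", "Date", "Message-Id",
                    "In-Reply-To", "References", "Content-Type", "Mime-Version"]


def parse_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs (folding removed)."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(sig):
    """Header names listed in the h= tag, lower-cased, in signing order."""
    return [h.lower() for h in parse_tags(sig)["h"].split(":") if h]


def list_fragile(sig, present_headers):
    """Signed headers a list will break. A signed header that is absent from the
    original (oversigned) is hashed as empty, so adding it later invalidates the
    signature; a present one breaks only if the list rewrites it."""
    present = {h.lower() for h in present_headers}
    touched = [h for h in signed_headers(sig) if h in LIST_TOUCHED]
    return {
        "breaks_if_list_adds": sorted(h for h in touched if h not in present),
        "breaks_if_list_rewrites": sorted(h for h in touched if h in present),
    }
```

For the quoted signature every List-* header is oversigned, so even a list that adds nothing but List-Id will break it; the "breaks_if_list_rewrites" set is what a pass-through list like debian-user avoids touching.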