On 1/25/25 12:30, jerry.barnabee--- via Mailman-Users wrote:
> CPANEL does all the heavy lifting for me - e.g. I don't have to add any code
> anywhere - the only thing that I have to do is make sure the correct spf, dkim
> and dmarc dns records exist on my name server for each of my domains - which
> they do. Pretty sure opendkim is not being used by CPANEL.

Then this is a cPanel issue.

> Is python.org using mailman 2.x or 3.x?
>
> The reason I ask is that the email the python.org list sent out was DKIM signed
> correctly.

python.org has both Mailman 2 and Mailman 3 lists. This list is Mailman 3, but that's irrelevant as all the DKIM signing is done by the MTA using opendkim.

> The email I got from msapiro.net did not pass DKIM nor DMARC which is not
> always fatal - since I did get your email, but more email servers are starting
> to pay more attention to those failures - and causing those of us that use
> mailman to distribute emails to be getting more and more frustrated with things
> not being signed and causing failures of one kind or another .... I check if I
> can see any DKIM settings in EXIM - but there is a reason I use a WHM/CPANEL on
> my VPS servers - unix administration is not my strong suit ... about all I can
> say is that I do know how to spell unix .....

My post that you receive from the list should contain two DKIM signatures. One sig from the msapiro.net domain will be broken because of list transformations such as subject prefixing and addition of the list footer[1], but there will be another sig from the python.org domain which should be valid and the mail should pass DKIM. It won't pass DMARC because of From: domain misalignment, but msapiro.net publishes DMARC policy = none so it shouldn't matter.

[1] The broken DKIM sig should be ignored. From https://www.rfc-editor.org/rfc/rfc6376.html#section-6.1:

      INFORMATIVE NOTE: The rationale of this requirement is to permit
      messages that have invalid signatures but also a valid signature
      to work.  For example, a mailing list exploder might opt to leave
      the original submitter signature in place even though the exploder
      knows that it is modifying the message in some way that will break
      that signature, and the exploder inserts its own signature.  In
      this case, the message should succeed even in the presence of the
      known-broken signature.

--
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
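
The evaluation described in the reply above, as an added example that is not part of the original message or of Mailman or opendkim: a broken signature is treated as absent (RFC 6376 section 6.1), DMARC is then checked by alignment with the From: domain, and the same list post is also run against stricter policies than the p=none mentioned above. The signature results, the SPF domain and the two-label organizational-domain shortcut are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class DkimSig:
    d: str        # signing domain (d= tag)
    valid: bool   # did this signature verify?

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain;
    # a real verifier consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # DMARC relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, sigs, spf_pass, spf_domain, policy):
    # RFC 6376 section 6.1: a signature that fails to verify is treated
    # as if it were not there, so one valid signature is enough.
    valid = [s.d for s in sigs if s.valid]
    dkim = "pass" if valid else ("fail" if sigs else "none")
    # DMARC needs a passing mechanism whose domain aligns with From:.
    dkim_ok = any(aligned(d, from_domain) for d in valid)
    spf_ok = spf_pass and aligned(spf_domain, from_domain)
    dmarc = "pass" if (dkim_ok or spf_ok) else "fail"
    # The published policy only applies when DMARC fails.
    action = "deliver" if dmarc == "pass" or policy == "none" else policy
    return {"dkim": dkim, "dmarc": dmarc, "action": action}

# Constructed sample: a post From: msapiro.net relayed by the python.org list.
LIST_POST = [DkimSig("msapiro.net", False),   # broken by subject prefix / footer
             DkimSig("python.org", True)]     # added by the list's MTA

if __name__ == "__main__":
    # SPF domain python.org is an assumed envelope sender for the list.
    for policy in ("none", "quarantine", "reject"):
        print(policy, evaluate("msapiro.net", LIST_POST, True, "python.org", policy))
```

With p=none the post is delivered despite the DMARC failure; with quarantine or reject the same message would be acted on, since neither the valid python.org signature nor SPF aligns with the From: domain.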

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org