Hi,

For my $DAYJOB I had to please big mail corporations and configured smtpd(8) to send DKIM-signed emails (also added SPF and DMARC records). This was easy using the instructions in the opensmtpd-filter-dksim port and works fine to send messages to bigmailcorp accounts.

The mail server is used to manage a few mailing lists using mlmmj. At first glance, things appear to work:

- The envelope address (aka SMTP "mail from:" address or return-path) matches the mailing list server domain (not the sender address domain), which has the proper SPF record.
- The list server (mlmmj port) resends the mail without modifying the DKIM-signed headers and the DKIM-Signature header. So the signature remains valid. In other words, the receiver can verify that the mail originated from the sender domain servers even if it's received from the list server.
- The list server adds its own signature, which is also valid. But AFAIU, it's irrelevant as the signing key is not the sender domain key.

With all this, mails between gmail and microsoft seem to fly through the list server. If the sender domain adds a DKIM signature, I guess the mail will possibly be tagged as spam by bigmailcorps. But it would also be tagged as spam if the sender did directly send to mailing list members. So, garbage in, garbage out, no problem.

Certain lists I'm subscribed to seem to use the same approach, others seem to discard DKIM-Signature headers.

- Is the reasoning correct? Am I missing something?
- Is there a way to make smtpd(8) add the DKIM signature only if the sender domain is the local domain? (This would avoid the extra irrelevant DKIM signature.)

Thanks
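An added example, not part of the original post: a small Python check of which identifiers on a list-relayed message match the From: domain, which is the comparison DMARC alignment makes. The domains, selectors and message are constructed; the comparison is strict (exact match), since relaxed alignment needs the Public Suffix List, and no signature is cryptographically verified here.

```python
import email
from email.utils import parseaddr

# Constructed sample: mail from alice@sender.example relayed by a list at
# lists.example. Both the original and the list signature are present.
SAMPLE = """\
Return-Path: <devel-bounces@lists.example>
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example; s=list;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=mail;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@sender.example>
To: devel@lists.example
Subject: hello

body
"""

def domain_of(header_value):
    """Return the lower-cased domain part of an address header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list (folding whitespace removed)."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags

def alignment_report(raw):
    """Compare the envelope domain and each DKIM d= with the From: domain."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    sig_doms = [dkim_tags(v).get("d", "").lower()
                for v in msg.get_all("DKIM-Signature", [])]
    return {
        "from": from_dom,
        "spf_aligned": env_dom == from_dom,  # list envelope: not aligned
        "dkim_aligned": [d for d in sig_doms if d == from_dom],
        "dkim_unaligned": [d for d in sig_doms if d != from_dom],
    }

if __name__ == "__main__":
    print(alignment_report(SAMPLE))
```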

