On Tue, 2022-08-30 at 17:13 +0200, Alexandre Ratchov wrote:
> Hi,
> 
> For my $DAYJOB I had to please big mail corporations and configured
> smtpd(8) to send DKIM-signed emails (also added SPF and DMARC
> records). This was easy using instructions in the
> opensmtpd-filter-dksim port and works fine to send messages to
> bigmailcorp accounts.
> 
> The mail server is used to manage a few mailing lists using mlmmj. At
> first glance, things appear to work:
> 
> - The envelope address (aka smtp "mail from:" address or return-path)
>   matches the mailing list server domain (not sender address domain),
>   which has the proper SPF record.

This should be fine, although for DMARC to be correct the "MAIL FROM:"
and From-header should be in line, or else DMARC fails. So mailing
lists will fail, unless you rewrite the from-header as well.
> 
> - The list server (mlmmj port) resends the mail without modifying the
>   DKIM-signed headers and the DKIM-Signature header. So the signature
>   remains valid. In other words the receiver can verify that the mail
>   originated from the sender domain servers even if it's received from
>   the list server.
> 
> - The list server adds its own signature which is also valid. But
>   AFAIU, it's irrelevant as the signing key is not the sender domain
>   key.

That's fully dependent on what the receiver does with it.
For DMARC it only looks at signatures that are domain aligned, all the
others are informational.

However, one advantage is that by default filter-dkimsign adds a
signature to a lot of the different list-* headers. This means that
people know if someone messed with these headers since mlmmj added
them.
> 
> With all this, mails between gmail and microsoft seem to fly through the
> lists server.
> 
> If the sender domain adds a DKIM signature, I guess the mail will be
> possibly tagged as spam by bigmailcorps.
> 
Who knows what $BIGMAILCORP does. However, I can't think of a reason
why a valid signature (aligned or not) would cause a mail to be treated
as spam.

>  But it would also be tagged
> as spam if the sender did directly send to mailing list members. So,
> garbage in, garbage out, no problem.
> 
> Certain lists I'm subscribed to seem to use the same approach, others
> seem to discard DKIM-Signature headers.
> 
> - Is the reasoning correct? Am I missing something?
> 
> - Is there a way to make smtpd(8) add the DKIM signature only if the
>   sender domain is the local domain? (this would avoid the extra
>   irrelevant DKIM signature).

filter-dkimsign is complex enough as it is. I don't really want to add
too much more complexity. But if you make a strong enough case I'll
certainly consider it.
> 
> Thanks
> 
martijn@
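
Added example, not part of the original messages and not code from filter-dkimsign or mlmmj: a small Python model of DMARC identifier alignment (RFC 7489) applied to the list-forwarding cases discussed in this thread. The domains sender.example and lists.example are constructed, and org_domain() is a simplifying assumption (real verifiers use the Public Suffix List).

```python
# Added illustration: DMARC identifier alignment (RFC 7489, section 3.1).
# Domains below are constructed; org_domain() is a simplification.

def org_domain(domain):
    """Naive organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs identical domains, relaxed mode the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, mail_from_domain, spf_pass, dkim_sigs, strict=False):
    """dkim_sigs: list of (d= domain, signature verified?) tuples.
    Returns (dmarc_pass, aligned_dkim_domains, informational_dkim_domains)."""
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, strict)
    good = [d for d, ok in dkim_sigs if ok and aligned(d, from_domain, strict)]
    info = [d for d, ok in dkim_sigs if ok and not aligned(d, from_domain, strict)]
    return (spf_ok or bool(good), good, info)

def list_scenarios():
    sender, lst = "sender.example", "lists.example"
    return {
        # List resends untouched: sender signature survives, list adds its own.
        "untouched": dmarc_eval(sender, lst, True, [(sender, True), (lst, True)]),
        # List alters signed content: sender signature no longer verifies.
        "modified": dmarc_eval(sender, lst, True, [(sender, False), (lst, True)]),
        # List rewrites From: to its own domain: SPF and list signature align.
        "from_rewritten": dmarc_eval(lst, lst, True, [(sender, False), (lst, True)]),
        # Sender domain does not sign at all; only the list signature is present.
        "unsigned_sender": dmarc_eval(sender, lst, True, [(lst, True)]),
    }

if __name__ == "__main__":
    for name, (ok, good, info) in list_scenarios().items():
        verdict = "pass" if ok else "fail"
        print(f"{name:16} dmarc={verdict} aligned={good} informational={info}")
```

In every case the list's SPF pass is for lists.example, so it only counts toward DMARC when the From: header is in that domain as well.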
