* Bill Cole: > > Hence I wrote "break existing DKIM signatures". > > Which is not a bad thing, in this context.
The OP made no mention of implementing DMARC himself, just modifying headers. In that scenario, I consider breaking existing signatures a bad thing. I am aware of alignment mechanics, but I see that tools like SpamAssassin or Rspamd score signature (mis)matches individually, not only in the context of DMARC policies. As far as I can tell, modifying headers alone does not resolve the OP's issues. By the way, I have recently started evaluating Mailman 3, which comes with some interesting features re DMARC: https://mailman.readthedocs.io/en/latest/src/mailman/rules/docs/dmarc-mitigation.html -Ralph