RW skrev den 2017-12-26 18:05:
I didn't receive any posts in "IADB whitelist" thread from the OP
because they all failed DMARC with a reject policy. I found the posts
on gmane.
stop reject maillists no matter if dmarc fails
Posting to mailing lists with a domain using a strict DMARC policy is
inherently risky because you are losing the redundancy of an aligned
SPF
pass and there's a lot that can go wrong with DKIM.
policy reject is safe on spamassaasin maillist just like it is on
postfix maillist, but you report a diffrent problem that does not help
it
In this case the open-t.co.uk DKIM signature signed "reply-to" and a
lot of "list-*" headers that are added by the list. This guaranteed a
DKIM fail downstream of the list servers.
this is the error, sadly systems try to sign all headers without
understanding what happend with this
I thought it as worth pointing this out to avoid others making similar
mistakes. However, DMARC problems could generally be mitigated by the
listservers adding ARC headers.
makw apache.org reject dmarc fails, possible ?, opendkim can test unsafe
header signed
for maillist members add hermes.apache.org to opendkim AND opendmarc
trusted sender ip
arc is basicly help make it worse :(
note signed headers on my post here, its default in opendkim, if more
headers is signed it dmarc unsafe