On 03/11/2020 18:25, Kevin Fenzi wrote: > On Tue, Nov 03, 2020 at 06:13:14PM +0100, Dominique Martinet wrote: >> Hi, >> >> I just enabled dkim/dmarc on my domain last week, so sent my first email >> with that setup to devel@ just earlier today and got a few "invalid dkim >> signature" return emails... >> >> >> So I was wondering how do people deal with that? >> >> Normally lists have two ways of handling dkim: >> - either they don't mangle the subject/signed headers (for me: >> h=Date:From:To:Cc:Subject:References:In-Reply-To:From). >> In that case, just leave the original dkim header and things should just >> work™. >> That's what e.g. kernel lists do and worked well for me. >> >> - either they DO mangle headers, often adding a [tag] to the subject >> line; in which case the From is also updated to be the list address with >> the original sender name (e.g. Bob <whateverlist@somewhere>) and the >> original mail is eventually appended to the Reply-To addresses, with the >> original dkim header stripped off. > > Or add a footer, or handle mime attachments in different ways or ... any > number of things. > >> As far as I can see devel@xxxxxxxxxxxxxxxxxxxxxxx doesn't mangle >> anything so should fall into the first category of "doing nothing just >> works" -- but it stripped my original dkim header, hence the failures. > > It does. It adds a footer. > >> I'm pretty sure mailman can deal with this, is that on purpose? Or is it >> just a mishap? >> my dmarc policy says to ignore dkim failures (for now) so I could just >> ignore this but it's a bit annoying that I had setup dmarc/dkim because >> my mails often get treated as spam for some reason and such errors won't >> be helping... > > Mailman can detect if someone has set dmarc to reject and if so, change > the from address to be the address from the list. This is a per list > setting. I think I reluctantly enabled it on devel and users, I am not > sure what other lists enable it. > > It should have worked for you, I am not sure why not... > > IMHO, setting dmarc to reject is a really bad idea if you send any > emails from your domain that go to lists. > It may be helpful for some people, there are various sites to test your DKIM setup For example, this site shows you a random address, you send a message to the address and they show you a report https://dkimvalidator.com/ _______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
