On Wed, May 10, 2023 at 09:50:24AM +0200, Jaroslav Kysela wrote:
> > It is perfectly possible to operate a mailing list server and be
> > DMARC-compliant (at least for DKIM-signed messages) without requiring any of
> > the horrible things mailman-3 is doing:
> >
> > https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html
>
> I wish that it was as easy.

It is. We've been operating DMARC-compliant mailing lists for many years now
without needing to mangle any messages.

> I don't see any references to RFCs in this text,
> so we cannot verify the contents. As our mailing list does not modify the
> headers and body, the DKIM is correct for our messages, but it does not work
> practically (the mitigation was turned on recently, so I know how many
> bounces were present).

Can you please show me the message that was no longer DMARC-compliant after
passing through your mailing list server? I will point out what made them
non-DMARC-compliant, and it won't be some builtin incompatibility between DMARC
and mailing lists.

> Also, RFC7960 does not describe this:
>
> https://datatracker.ietf.org/doc/html/rfc7960#section-4.1.3
>
> especially:
>
> https://datatracker.ietf.org/doc/html/rfc7960#section-3.2.3

These talk specifically about messages that were modified by the mailing list
software.

> and see note in:
>
> https://datatracker.ietf.org/doc/html/rfc7960#section-3.2.3.1
>
> So "keep everything unmodified" for DKIM is just only one part of the
> problem. Perhaps, there's a RFC update somewhere which adds another note.

I can demonstrate to you millions of email messages that passed through the
mailing list that are still perfectly DMARC compliant -- you seem convinced
that it's not possible.

For example, here's the authentication header set by GMail for a message that I
recently received via the tools mailing list:

    Authentication-Results: mx.google.com;
           dkim=pass header.i=@gmail.com header.s=20221208 header.b=YVg2o3VH;
           spf=pass (google.com: domain of [omitted]@gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=[omitted]@gmail.com;
           dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

So, I'm just going to repeat this: operating a mailing list and remaining DMARC
compliant is perfectly possible, provided:

- the original message is DKIM-signed
- all existing headers are unmodified
- the message body is unmodified

-K
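
Added example (not part of the original message or of any list software): a small Python check of which authentication results in a header like the one quoted above actually satisfy DMARC, which needs DKIM or SPF to pass and to be aligned with the From: domain. The function names and the two constructed headers are assumptions, relaxed alignment is approximated by comparing the last two DNS labels rather than consulting the Public Suffix List, and only one clause per method is kept.

```python
import re

# Header value quoted in the message above (address elided as in the original).
GMAIL_HEADER = (
    "mx.google.com; "
    "dkim=pass header.i=@gmail.com header.s=20221208 header.b=YVg2o3VH; "
    "spf=pass (google.com: domain of [omitted]@gmail.com designates "
    "209.85.220.41 as permitted sender) smtp.mailfrom=[omitted]@gmail.com; "
    "dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com"
)
# Constructed sample: the list changed the envelope sender but left the
# DKIM-signed headers and the body untouched.
LIST_HEADER = (
    "mx.example.net; "
    "dkim=pass header.i=@author.example header.s=sel1; "
    "spf=pass smtp.mailfrom=bounces@lists.example.org; "
    "dmarc=pass header.from=author.example"
)
# Constructed sample: the list modified the message, so the signature broke.
BROKEN_HEADER = LIST_HEADER.replace("dkim=pass", "dkim=fail").replace("dmarc=pass", "dmarc=fail")


def parse_authres(value):
    """Return {method: (result, {property: value})} for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)      # drop parenthesised comments
    out = {}
    for clause in value.split(";")[1:]:          # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out[method.lower()] = (result.lower(), props)
    return out


def org_domain(identity):
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(identity.rsplit("@", 1)[-1].lower().split(".")[-2:])


def aligned_passes(value):
    """List the methods that passed AND align with header.from (relaxed)."""
    res = parse_authres(value)
    from_dom = org_domain(res["dmarc"][1]["header.from"])
    checks = (("dkim", "header.i"), ("dkim", "header.d"), ("spf", "smtp.mailfrom"))
    return [m for m, prop in checks
            if m in res and res[m][0] == "pass"
            and prop in res[m][1] and org_domain(res[m][1][prop]) == from_dom]
```

An empty list from `aligned_passes` means neither mechanism can carry DMARC for that message; in the constructed list case only the untouched DKIM signature does.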