On Thu, Jul 18, 2024 at 5:14 AM Stuart Henderson <stu@xxxxxxxxxxxxxxx> wrote: > The mail admins can choose what is covered by the DKIM signature. > In the case of barclays.com there are various headers (which I think > make it through the mailing list untouched) but also the body, which > does not; a footer with the list URL is added. The real issue here is that the Mailman configuration for the openssh-unix-dev list does not appear to set `dmarc_moderation_action` (in `Privacy options` - `Sender filters`) to either `Munge From` or `Wrap Message`, which is necessary for lists where either of the following is true: 1. The list accepts posts from senders whose domain applies DMARC policy (`p=reject` or `p=quarantine`) but only implements SPF, not DKIM. (Resending a message through a mailing list will always invalidate SPF unless SRS (1) is used, and almost no one bothers with SRS.) 2. The list accepts posts from senders whose domain applies DMARC policy (`p=reject` or `p=quarantine`), and the list is configured to modify messages sent to the list (add a Subject: header tag, add a footer, et. al.). (Modifying messages will invalid the DKIM signature.) When affected senders (either group #1 or group #2) post to the list, all list subscribers whose MTAs apply/obey DMARC policy will take the action the sender’s domain’s DMARC policy declares (reject outright, or quarantine / flag as spam). Damien, is there any possibility of updating the Mailman `dmarc_moderation_action` setting (2)? DMARC isn’t going anywhere; the big mail providers are either already requiring it to some degree (3), or have said they will start requiring it soon. (1) https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme (2) https://wiki.list.org/DEV/DMARC (3) https://support.google.com/a/answer/81126 _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev