On 3/12/22 12:20, Stanisław Findeisen via Mailman-users wrote:
> On Fri, Mar 11, 2022 at 10:41:00AM -0800, Mark Sapiro wrote:
>> Also, your outgoing MTA should DKIM sign the mail on the way out. With that and the above setting, the outgoing message will have only your valid DKIM signature and no prior Authentication-Results:.
> Ok, you mean after replacing the From address with the list address, right? I can see no way (or sense) to DKIM sign arbitrary From: addresses.
Your DKIM signature only says you sent the mail and if the signature validates, the mail hasn't been modified since you signed it. I.e. validation of the signature is a statement to the recipient that the mail received is what you sent. That's all.
If the domain of the From: address doesn't align with your domain, the signature won't help with DMARC, but that's a separate issue and why we have DMARC mitigations such as replacing the From: with the list address.
> This actually works quite well: the recipient just gets 2 DKIM signatures. The original one is broken, the MTA-generated one (after writing my list address into From) is OK. This is good enough even for ProtonMail (no red warning).
And your rewriting the From: is only necessary for DMARC. If the ProtonMail red flag is only because there was no valid DKIM signature, you shouldn't need to rewrite From:. If it is because of DMARC, you do.
> What about this list (mailman-users)? It looks like this one also has From address replacement + conditional DMARC mitigation. And remove_dkim_headers: no. Correct?
This list has DMARC mitigation action = Replace From: and DMARC Mitigate unconditionally = No and remove_dkim_headers: no.
We DKIM sign all outgoing mail from lists.mailman3.org.
--
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
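As an added illustration of the alignment point made above (this is example code, not from the thread or from Mailman), the check below extracts the d= domain of each DKIM-Signature and tests whether a signature that verified aligns with the From: domain the way a DMARC verifier would. Which signatures verified is supplied as a constructed set rather than by running a real verifier, and the organizational-domain helper is a two-label approximation, not a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Approximation of DMARC's "organizational domain": the last two labels.
    # Real verifiers consult the Public Suffix List; this shortcut is an assumption.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_signing_domains(raw):
    # The d= tag of every DKIM-Signature header, in header order.
    msg = message_from_string(raw)
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            out.append(m.group(1).lower())
    return out

def dmarc_dkim_aligned(raw, verified, strict=False):
    # DMARC passes via DKIM when at least one signature that *verified* has a
    # d= aligned with the RFC5322.From domain. 'verified' is the set of d=
    # values whose signatures checked out; it is constructed here instead of
    # running a real verifier, which would need the signers' public keys.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    for d in dkim_signing_domains(raw):
        if d not in verified:
            continue  # a signature broken by list edits contributes nothing
        if d == from_domain or (not strict and org_domain(d) == org_domain(from_domain)):
            return True
    return False

# Constructed sample: the author's signature (d=example.com) no longer
# verifies after the list appended a footer.
ORIGINAL = (
    "From: Alice <alice@example.com>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:subject; bh=<hash>; b=<sig>\n"
    "Subject: test\n\nhello\n-- \nlist footer\n"
)
# Same message after "Replace From:" plus the list MTA's own signature (d=lists.example.org).
REWRITTEN = (
    "From: Alice via Users <users@lists.example.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=list; h=from:subject; bh=<hash>; b=<sig>\n"
    + ORIGINAL.replace("From: Alice <alice@example.com>\n", "")
)

if __name__ == "__main__":
    print(dmarc_dkim_aligned(ORIGINAL, verified=set()))                   # False
    print(dmarc_dkim_aligned(REWRITTEN, verified={"lists.example.org"}))  # True
```

The second case is the "two signatures, one broken, one good" situation from the thread: the author's signature is ignored because it no longer verifies, and the list's own signature aligns with the rewritten From:.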