Odhiambo Washington via Mailman-users writes:
Curiously: If you DKIM sign your emails, does your ISP also co-sign them? Is your ISP relay server published in your domain's SPF records as an allowed sender for your domain?
These are both good points. AWS SES actually prohibts DYI DKIM- signing and insists on doing it themselves (not sure why, but it suggests that there may be folks out there who dislike multiple signatures). Also, check if your ISP participates in ARC (Authenticated Received Chain, RFC 8617). You can do that yourself (best in your MTA so you can do SPF as well as DKIM validation, but Mailman provides a proof of concept option that will check DKIM and ARC-seal your message), but it may be more effective if your ISP does.
Steve
-- GNU Mailman consultant (installation, migration, customization) Sirus Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan