David Krantz writes:
> A completely different question: Is there anyone that has a working non-naive setup for ARC signing of mail list mail in mailman?
Not in Mailman. As ARC was designed, that's not our job. ARC is intended to be implemented at the perimeter of the administrative domain. As an example, in a one-host domain, that would be the MTA. Mailman, by the nature of its communication with the outside world, lacks much of the information you would like your ARC implementation to have access to. The intent of the ARC module in Mailman is (1) proof of concept and (2) for single-host domains that don't have access to install a proper ARC implementation at the MTA level.
> I use DKIM on outgoing mail with a setup where each domain has its own keys and selectors. As discussed here earlier, the DKIM signature should be added before the ARC signature.
I believe we have modules capable of DKIM-signing in the distribution (they are dependencies that get downloaded in the build process and I believe they get copied into the installation), but unlike ARC where we participated in the design and beta of the protocol, DKIM was already well-established so I'm sure it's not exposed in the configuration. I doubt that it's properly integrated. You'd need to write a new handler for it on the model of the ARC handlers.
I think you might also need to modify the ARC code to handle the appropriate selector and private key for each domain.
Steve