Philip Colmer writes:
> However, in sending test messages to a mailbox hosted by Microsoft, I'm seeing a header like this:
We need *all* the relevant fields (all the DKIM signatures, all the ARC-* fields from both your server and Microsoft, and the From field, and if possible all the trace fields like Received) to figure out what's going on. The ARC-A-R header from Microsoft is complex, but here's what I guess is going on:
> ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 1.2.3.4) smtp.rcpttodomain=destination.org
SPF is OK. rcpttodomain is not relevant.
> smtp.mailfrom=mmserver.org; dmarc=bestguesspass action=none header.from=mmserver.org;
I assume IP 1.2.3.4 reverse DNS to mmserver.org, so DMARC passes at this point (I'm assuming that the From: address is an @mmserver.org address, as the header.from parameter indicates). This is a spurious pass; it only works because you happened to send From: somebox@mmserver.org. Any other author domain will fail DMARC.
> dkim=test (signature was verified) header.d=mmserver.org;
This is mmserver.org's DKIM signature, presumably added after passing through Mailman, which passes.
> dkim=fail (signature did not verify) header.d=sender.org;
This is sender.org's DKIM signature, and it is expected to fail unless Mailman is configured in pure pass-through mode where it does not touch the body or any of the signed header fields. sender.org's DKIM signature may as well not be there for a conforming MTA (I assume Microsoft's does conform in this; I don't see any advantage to them in breaking DKIM).
> arc=fail (47)
I have no idea what went wrong, since you don't provide mmserver's ARC-* fields. This is saying that Microsoft couldn't validate something in the ARC-* fields provided by mmserver.org, or perhaps that Mailman failed to validate something at mmserver.org.
> Manually sending an email from the server to the same external email address does give me an email with a valid DKIM header:
The ARC-A-R field above appears to show the expected failure of the "pre-Mailman" DKIM signature and the expected success of the "post-Mailman" DKIM signature. DKIM does not appear to be a problem.
> Hence the question: does anyone have Mailman 3 + Postfix working successfully with DKIM and ARC?
DKIM is all over the place, working fine. Mailman ARC was tested, and passed, during the ARC development process at the IETF. I don't know offhand if anybody is using that combination now. If you own the MTA, we recommend doing ARC there if supported by the MTA (I think Postfix does). I'm glad to see Microsoft supporting it!
Steve
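
The ARC-Authentication-Results field walked through in the message above can be split into its per-method results mechanically. The following is an added example, not part of the original message: the header string is reassembled from the fragments quoted in the thread, the function names are hypothetical, and only non-nested comments are handled.

```python
import re

# Reassembled from the header fragments quoted in the message above.
HEADER = (
    "ARC-Authentication-Results: i=2; mx.microsoft.com 1; "
    "spf=pass (sender ip is 1.2.3.4) smtp.rcpttodomain=destination.org "
    "smtp.mailfrom=mmserver.org; dmarc=bestguesspass action=none "
    "header.from=mmserver.org; dkim=test (signature was verified) "
    "header.d=mmserver.org; dkim=fail (signature did not verify) "
    "header.d=sender.org; arc=fail (47)"
)

COMMENT = re.compile(r"\(([^()]*)\)")      # non-nested comments only
SPLIT = re.compile(r";(?![^()]*\))")       # ';' that is not inside a comment

def parse_arc_authres(header):
    """Return (instance, authserv_id, results) for one ARC-A-R field."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "arc-authentication-results":
        raise ValueError("not an ARC-Authentication-Results field")
    parts = [p.strip() for p in SPLIT.split(value) if p.strip()]
    # ARC prefixes the usual Authentication-Results body with "i=<instance>".
    inst = re.fullmatch(r"i\s*=\s*(\d+)", parts[0]) if parts else None
    if not inst or len(parts) < 2:
        raise ValueError("missing ARC instance tag or authserv-id")
    authserv_id = parts[1].split()[0]      # an optional version may follow
    results = []
    for part in parts[2:]:
        comments = COMMENT.findall(part)
        tokens = COMMENT.sub(" ", part).split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result,
                        "comment": "; ".join(comments), "props": props})
    return int(inst.group(1)), authserv_id, results

def summarize(results):
    """Map each method (plus signing domain for DKIM) to its result."""
    out = {}
    for r in results:
        key = r["method"]
        if key == "dkim":
            key = "dkim:" + r["props"].get("header.d", "?")
        out[key] = r["result"]
    return out

if __name__ == "__main__":
    instance, server, res = parse_arc_authres(HEADER)
    print(instance, server, summarize(res))
```

Keying DKIM results by `header.d` keeps the list server's signature and the original author's signature apart, which is the distinction the reply draws.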