Thank you Steve
This is very helpful. I've seen the hash not verifying and am chasing that through the hellish postfix/mailscanner/etc path we have. Something's modifying the body and I haven't found it yet.
Again. Thank you!
On 7/11/21 11:02 AM, Stephen J. Turnbull wrote:
Matt Wilbur EFS via Mailman-users writes:
I've been through DKIM hell and back. Now I'm to the point where when I "show original" mail with gmail it says SPF, DKIM and DMARC all pass, but it's still going to the spam folders.
ARC would help get you through Google, Google participates in ARC:
ARC-Seal: i=1; a=rsa-sha256; t=1625952812; cv=none; d=google.com; s=arc-20160816;
The idea is that you can have your incoming MTA attest that the signature was valid on the way in, and have that testimony signed by the outgoing MTA. I don't know offhand who else gives gold stars for a valid ARC signature, though.
Despite what you wrote, this isn't a pass:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass firstname.lastname@example.org header.s=mail header.b=BteyCkCY; dkim=neutral (body hash did not verify) email@example.com header.s=20161025 header.b="Kt/xXWZE"; spf=pass (google.com: domain of firstname.lastname@example.org designates 22.214.171.124 as permitted sender) email@example.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sditdg.org
Your body hash did not verify, I don't know why. It could be that you're signing it on the way in so the footer breaks the signature on the way out (seems unlikely, but at least it's easy to find and to fix), or that the signing function is incorrect (harder to diagnose) or Google's verifier is broken (unlikely in the extreme, but logically possible) or your MTA (Postfix) is corrupting the message (ditto). Or maybe cosmic rays aren't random, they're targeting your mail. :-)
DMARC passes because the policy is NONE.
Note that "neutral" is actually a failure, but the term "neutral" is used because a failure should not be a reason to treat your mail as more suspicious than unsigned mail.
I assume the signature below is supposed to be from the outgoing MTA at your Mailman site.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sditdg.org; s=mail; t=1625952811; bh=4HN4XCD73340TTta47Nw8NNNFEbWsNLm9zWdectMYcI=; h=To:Date:Subject:List-Id:List-Archive:List-Help:List-Post:
Here's a DKIM pass at your site, but I assume this is incoming to Mailman:
Authentication-Results: cat.efs.org; dkim=pass (2048-bit key) header.d=gmail.com firstname.lastname@example.org header.b="Kt/xXWZE"
Hope this helps,
Steve
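Added example, not part of the original thread or any poster's code: a sketch of the RFC 6376 body-hash computation for tracking down which hop in a mail path changes the body after signing. The stage names and sample bodies are constructed assumptions; in practice, capture the body at each hop and compare against the `bh=` value in the DKIM-Signature, using the body half of its `c=` tag as the mode.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """Canonicalize a message body per RFC 6376 sections 3.4.3 / 3.4.4."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("mode must be 'simple' or 'relaxed'")
    # Normalize bare LF to CRLF so files saved on disk hash like wire data.
    body = re.sub(rb"\r?\n", b"\r\n", body)
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop trailing whitespace.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
                 for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    # Both modes ignore empty lines at the end of the body.
    while body.endswith(b"\r\n"):
        body = body[:-2]
    # simple: an empty body becomes a single CRLF; relaxed: it stays empty.
    if body or mode == "simple":
        body += b"\r\n"
    return body

def body_hash(body: bytes, mode: str = "simple") -> str:
    """Value expected in the bh= tag for a=rsa-sha256 (no l= tag)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def first_broken_stage(bh: str, stages, mode: str = "simple"):
    """Name of the first hop whose body no longer hashes to bh, else None."""
    for name, body in stages:
        if body_hash(body, mode) != bh:
            return name
    return None

# Constructed sample: one body as captured at three hypothetical hops.
ORIGINAL = b"Hello list,\r\n\r\nSee you Tuesday. \r\n\r\n"
FILTERED = ORIGINAL.replace(b"Tuesday. \r\n", b"Tuesday.\r\n")  # trailing space stripped
FOOTED = FILTERED + b"_______\r\nlist footer\r\n"               # footer appended
STAGES = [("inbound-mta", ORIGINAL), ("content-filter", FILTERED),
          ("list-manager", FOOTED)]

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        bh = body_hash(ORIGINAL, mode)
        print(mode, "bh=" + bh, "first broken at:", first_broken_stage(bh, STAGES, mode))
```

With the sample data, a whitespace-only rewrite breaks a `simple` body hash but survives `relaxed`, while an appended footer breaks both.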