
Lance A. Brown writes:
> I found a ... a dedicated service which handles the ARC sealing. It's working nicely!
Great! That's a perfectly acceptable solution, and you have access to the ARC-Authentication-Results which can be checked in Mailman's "Header Filter" configuration section with
Header | Pattern | Action
ARC-Authentication-Results | authserv-id=$SERVICE.*(arc|dkim)=fail | Hold
where $SERVICE is a token provided by your service. I definitely recommend holding and checking the message if ARC failed. There's no safe reason for that to happen that I know of. DKIM and especially DMARC do fail for various reasons, so you have to judge if there are too many false positives. You can remove the "|dkim" part or add additional protocols with "|spf" (for example) inside the parentheses.
> I was even able to turn off the DMARC munging on my test list without problems.
Be careful about this in production. Monitor your bounces and the RBLs; this is the kind of change that warrants a period of heightened attention. There are free "pull" services for multiple RBLs that you have to check, and of course you can pay for "push" services that do the monitoring and notify you of events.
Steve
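
A way to try the Header Filter pattern from the message above against sample header values before enabling it on a list, as an added example (not code from the thread or from Mailman). The token `sealer.example.net`, the case-insensitive search, the unfolding step and the `word_boundary` variant are assumptions; the header values are constructed in the layout the pattern expects, so compare them with the header your sealing service actually writes.

```python
import re

SERVICE = "sealer.example.net"  # hypothetical token standing in for $SERVICE

def build_pattern(service, protocols=("arc", "dkim"), word_boundary=False):
    """Pattern in the shape quoted in the message, with the token regex-escaped.
    word_boundary=True is an added variant: it stops 'arc' matching inside 'dmarc'."""
    alternatives = "|".join(re.escape(p) for p in protocols)
    prefix = r"\b" if word_boundary else ""
    return f"authserv-id={re.escape(service)}.*{prefix}({alternatives})=fail"

def unfold(value):
    """Join a folded header value onto one line so '.*' can span it."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def filter_action(value, pattern, action="hold"):
    """Assumption: the filter runs a case-insensitive search over the header value."""
    return action if re.search(pattern, unfold(value), re.IGNORECASE) else None

# Constructed ARC-Authentication-Results values (not captured from real mail).
SAMPLES = {
    "arc_fail": "i=2; authserv-id=sealer.example.net;\r\n\tdkim=pass header.d=example.org; arc=fail",
    "dkim_fail": "i=1; authserv-id=sealer.example.net; dkim=fail header.d=example.org; arc=none",
    "all_pass": "i=1; authserv-id=sealer.example.net; dkim=pass; spf=pass; arc=pass",
    "spf_fail": "i=1; authserv-id=sealer.example.net; dkim=pass; spf=fail; arc=none",
    "dmarc_fail": "i=1; authserv-id=sealer.example.net; dkim=pass; dmarc=fail; arc=pass",
    "other_service": "i=1; authserv-id=mx.example.com; dkim=fail; arc=fail",
}

def classify(protocols=("arc", "dkim"), word_boundary=False):
    """Map each sample name to the action the pattern would trigger (or None)."""
    pattern = build_pattern(SERVICE, protocols, word_boundary)
    return {name: filter_action(value, pattern) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for protocols in (("arc", "dkim"), ("arc",), ("arc", "dkim", "spf")):
        for boundary in (False, True):
            print(protocols, "word_boundary =", boundary)
            for name, action in classify(protocols, boundary).items():
                print(f"  {name:14} {action}")
```

With the pattern as written, `arc=fail` also matches inside `dmarc=fail`, so DMARC failures are held too; the `\b` variant holds only on the protocols listed in the parentheses.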