UPDATE: it now works, with the following settings in the section [ARC] in mailman.cfg

[ARC]
enabled: yes
# These cause mailman to process DMARC and DKIM validations itself but
# the authserv info below will tell it what to trust if an
# Authentication-Results header is already present.
dmarc: yes
dkim: yes
# The FQDN of your mailserver so mailman will trust it. In our case this
# header is injected by rspamd running on mail.*****
authserv_id: mail.*****
# Path to the RSA private key. Again, this MUST be RSA not EC.
privkey: /etc/mailman3/******.org.mailman.key
selector: mailman
# The domain that selector lives in.
domain: lists.*******.org

Cheers,
Johannes

On 18.08.24 at 08:05, Johannes Rohr wrote:
Dear all,
I'm confused about how to enable ARC signing and how it is related to DKIM.
As it stands, the contents of the section [ARC] in mailman.cfg are

[ARC]
enabled: yes
authserv_id: *******.org # Should this be the address of the mailserver (postfix) instead?
privkey: /etc/mailman3/***.org.mailman.key # Shouldn't this point to the same private key used by rspamd for DKIM signing?
selector: mailman # shouldn't this point to the same selector as rspamd, or should it be separate? If so, should I also set up a separate TXT entry?
domain: ****.org # mailman serves multiple domains. Should all be there? Should the exact subdomain be there?
Finally, how come mailman does NOT sign the messages at present? They come with the original DKIM signature, but there is no ARC signature.
Unfortunately, the official documentation says very little about ARC, so I have to post my possibly stupid questions here.
Johannes
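
The authserv_id setting discussed above has to match the authserv-id that the upstream filter (rspamd in this thread) writes into Authentication-Results. The following check is an added example, not part of the posts above and not Mailman's own code: it lists which results in a message come from the configured authserv-id and which headers carry a different one. The hostnames and the sample message are constructed, and the exact, case-insensitive comparison is an assumption.

```python
from email import message_from_string
from email.policy import default

# Constructed sample message; hostnames are placeholders, not values from the thread.
SAMPLE = """\
Authentication-Results: mail.example.org;
\tdkim=pass header.d=example.net header.s=sel header.b=abc123;
\tdmarc=pass (policy=none) header.from=example.net
Authentication-Results: other.example.com; spf=pass smtp.mailfrom=example.net
From: alice@example.net
To: list@lists.example.org
Subject: test

body
"""

def parse_authres(value):
    """Split one Authentication-Results value into (authserv-id, {method: result}).
    Simplified: assumes no ';' inside comments or quoted strings."""
    parts = [p.strip() for p in " ".join(value.split()).split(";")]
    # The authserv-id is the first token; an optional version number may follow it.
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        if "=" in part:
            method, _, rest = part.partition("=")
            tokens = rest.split()
            results[method.strip().lower()] = tokens[0].lower() if tokens else ""
    return authserv_id, results

def trusted_results(raw_message, configured_authserv_id):
    """Return (trusted, ignored): results stamped by the configured
    authserv-id, and the authserv-ids of headers that do not match it."""
    msg = message_from_string(raw_message, policy=default)
    trusted, ignored = {}, []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(str(value))
        if authserv_id == configured_authserv_id.lower():
            trusted.update(results)
        else:
            ignored.append(authserv_id)
    return trusted, ignored

if __name__ == "__main__":
    # Mail server FQDN versus bare domain as the configured value.
    for candidate in ("mail.example.org", "example.org"):
        print(candidate, trusted_results(SAMPLE, candidate))
```

Run against a message saved from the list's incoming queue, an empty trusted result means the configured value does not match what the MTA stamps.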