Philip Colmer writes:
I hadn't wanted to send too much information (initially, at least) if there was something obviously wrong and I appreciate your explanation of what I have shared.
If you're worried about leaking sensitive configuration data or about the effort required to redact it, you'll have to make that judgment. But the full header from one email is not a burden.
I hadn't realised that "dkim=fail" applied to the original email that had been sent to Mailman 3, so that is a relief.
Yeah, this is not easy to parse, and whether to remove "failed" DKIM signatures or not is somewhat controversial. The people who developed DKIM and its dependent protocols mostly say "keep it", and the standard is designed to make that harmless.
I will certainly have a go at adding OpenARC to our Postfix MTA.
Presumably I then (re)configure the [ARC] section in Mailman 3 to not be enabled?
That's right.
Steve