On Fri, 10 Sept 2021 at 14:52, Stephen J. Turnbull <stephenjturnbull@gmail.com> wrote:
Philip Colmer writes:
However, in sending test messages to a mailbox hosted by Microsoft, I'm seeing a header like this:
We need *all* the relevant fields (all the DKIM signatures, all the ARC-* fields from both your server and Microsoft, and the From field, and if possible all the trace fields like Received) to figure out what's going on.
I hadn't wanted to send too much information (initially, at least) if there was something obviously wrong and I appreciate your explanation of what I have shared.
dkim=fail (signature did not verify) header.d=sender.org;
This is sender.org's DKIM signature, and it is expected to fail unless Mailman is configured in pure pass-through mode where it does not touch the body or any of the signed header fields. sender.org's DKIM signature may as well not be there for a conforming MTA (I assume Microsoft's does in this, I don't see any advantage to them in breaking DKIM).
I hadn't realised that "dkim=fail" applied to the original email that had been sent to Mailman 3, so that is a relief.
DKIM is all over the place, working fine. Mailman ARC was tested, and passed, during the ARC development process at the IETF. I don't know offhand if anybody is using that combination now. If you own the MTA, we recommend doing ARC there if supported by the MTA (I think Postfix does). I'm glad to see Microsoft supporting it!
I will certainly have a go at adding OpenARC to our Postfix MTA.
Presumably I then (re)configure the [ARC] section in Mailman 3 to not be enabled?
Thanks again for the quick and detailed examination.
Regards
Philip