Rob Jenson writes:
> I need to strip DKIM headers on the inbound messages to my list or to my domain.
Why do you need to strip DKIM headers? The standard specifies that an invalid DKIM signature must be treated the same as if there were no signature at all. So an invalid DKIM signature may be treated as spammier than a message with a valid signature, but that should not be treated differently from an unsigned message (as would appear after removing those header fields).
I know this feature is in demand from list admins, but I've never seen convincing evidence that it's actually effective for any of the usual suspects (Yahoo!, AOL, Gmail), only for small domains with pigheaded admins who are proud of their non-conforming configurations, and announce that they are discarding messages which have invalid DKIM signatures.
> What I do not understand from the documentation for Mailman 3 Core is whether it is possible for my hosting service to set remove_dkim_headers just for our domain.
It currently is not possible. It probably could be made possible on a per-domain or per-list basis, but it's not clear to me why it would be useful to do so. If there really are non-conforming receivers out there, it's probably a good idea to strip host-wide.
> If that is not possible, then the question becomes "is there a way, in the list configuration, to strip the DKIM headers?"
It is possible, but that requires changing the list's processing pipeline to add that capability. I believe this is not difficult (I haven't done similar changes with Mailman 3 yet) but it does require the assistance of the host, and possibly imposes a future maintenance burden on the host.
> We are munging the text of the message in Mailman, so the DKIM headers from the original poster are invalid.
As I explained above, both DKIM and DMARC are specified so that "no signature" == "invalid signature" for the purposes of spam processing. Are you sure that Yahoo! (or any other provider used by your subscribers) is treating invalid signatures differently from absence of signatures? The person responsible for Yahoo! MTA configuration is a well-known mail security expert who participated actively in the specification of all these protocols (and she also gave me a kitten, so I may be biased).
> As far as I can see, our service provider is using ARC in our Mailman configuration, but not signing the outbound messages with DKIM.
That surprises me. ARC isn't really a substitute for the MTA's own DKIM signature, at least not yet.
> Therefore the DKIM signature from the poster's mail service provider is sent out with their DKIM header, which seems to be problematic.
It shouldn't be.
> If I understand ARC correctly, it is validating the DKIM signature from the poster, creating a new signature and metadata indicating that what it received was properly signed.
That is correct. As far as I know, Yahoo! does participate in the ARC protocol and used to have conforming implementations of DKIM and DMARC. That doesn't mean you get a free ride: they may still have your IP on a blacklist from former owners of the IP, for example. Or your posts may "look like" spam for some other reason, or your lists may need more time to build up a clean reputation. But I need evidence more convincing than "list posts are recognized as spam" to believe that removing DKIM headers will help. (For example, my employer's filters regularly recognize messages from department heads as spam, even with DKIM signatures intact. ;-)