Matt Wilbur EFS via Mailman-users writes:
I've been through DKIM hell and back. Now I'm to the point where when I "show original" mail with gmail it says SPF, DKIM and DMARC all pass, but it's still going to the spam folders.
ARC would help get you through Google, Google participates in ARC:
ARC-Seal: i=1; a=rsa-sha256; t=1625952812; cv=none; d=google.com; s=arc-20160816;
The idea is that you can have your incoming MTA attest that the signature was valid on the way in, and have that testimony signed by the outgoing MTA. I don't know offhand who else give gold stars for a valid ARC signature, though.
Despite what you wrote, this isn't a pass:
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@sditdg.org header.s=mail header.b=BteyCkCY; dkim=neutral (body hash did not verify) header.i=@gmail.com header.s=20161025 header.b="Kt/xXWZE"; spf=pass (google.com: domain of testing-bounces@sditdg.org designates 65.50.252.27 as permitted sender) smtp.mailfrom=testing-bounces@sditdg.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sditdg.org
Your body hash did not verify, I don't know why. It could be that you're signing it on the way in so the footer breaks the signature on the way out (seems unlikely, but at least it's easy to find and to fix), or that the signing function is incorrect (harder to diagnose) or Google's verifier is broken (unlikely in the extreme, but logically possible) or your MTA (Postfix) is corrupting the message (ditto). Or maybe cosmic rays aren't random, they're targeting your mail. :-)
DMARC passes because the policy is NONE.
Note that "neutral" is actually a failure, but the term "neutral" is used because a failure should not be a reason to treat your mail as more suspicious than unsigned mail.
I assume the signature below is supposed to be from the outgoing MTA at your Mailman site.
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sditdg.org; s=mail; t=1625952811; bh=4HN4XCD73340TTta47Nw8NNNFEbWsNLm9zWdectMYcI=; h=To:Date:Subject:List-Id:List-Archive:List-Help:List-Post:
Here's a DKIM pass at your site, but I assume this is incoming to Mailman:
Authentication-Results: cat.efs.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Kt/xXWZE"
Hope this helps, Steve