On 2023-04-24 02:12, Stephen Daniel wrote:
> When I check a message that I received from the list I am told: ARC-Authentication-Results: i=2; mx.google.com; dkim=neutral (body hash did not verify) header.i=@bellsouth.net header.s=s2048 header.b=nkq1aBRe;
This DKIM failure is normal. To get the body hash to verify, you need to set the body header and body footer to empty (beware, you can't see whitespace, but if there's whitespace, it's not *empty*). The header usually is empty, but by default we do set the footer, so you'd have to clean that out. Of course, if you have legal or organizational requirements to set the footer or header, you're stuck.
> arc=pass (i=1);
ARC is a protocol designed for mailing lists and other intermediaries that may change messages in ways that invalidate cryptographic signatures. It works by having each host that may munge messages (1) check all the previous ARC authentication results and (2) provide its own signature on those results if the most recent one is authentic and validates. (This is like a hash chain such as in git.)
> spf=pass (...
> I also see this: ARC-Authentication-Results: i=1; pb-mx22.pobox.com; arc=none (no signatures found);
This says that at the first ARC host in the path no ARC headers were found. Of course not, there were no previous participating hosts.
> bimi=skipped (DMARC did not pass); dkim=fail (message has been altered, 2048-bit rsa key sha256)
Note it has already failed DKIM here. This says that some domain (presumably the one providing the Mailman host) (a) altered the message, invalidating the DKIM signature, and (b) based on arc=none above, does not participate in ARC.
> header.d=bellsouth.net header.i=@bellsouth.net header.b=nkq1aBRe header.a=rsa-sha256 header.s=s2048 x-bits=2048; dmarc=none policy.published-domain-policy=none
> How do I fix this DKIM error? Has the body changed because I add a footer to emails as they pass through?
Yes.
There are two ways to fix it. (1) Don't add a header or footer to the
body, and don't munge the subject with [list: serial#] annotations.
This is guaranteed to work, in the sense that the DKIM signature will
validate, and presumably DMARC "from alignment" will pass. (2) Use the
ARC protocol. Mailman 3 provides the basic functionality, but exactly
how you hook that up to your site's crypto credentials depends on
your site. Probably you can just reuse the DKIM key-pair.
ARC may be less reliable, depending on recipient host policy (including whether it participates in ARC at all).
Steve