Problems with SPOOFED_UNAUTH

Hello everyone,
I use mailman together with mailcow and have configured my mailing list as follows:
- Anonymous list: Yes
- DMARC mitigation action: Replace From: with list address
- DMARC Mitigate unconditionally: Yes
My problem is that my emails are not being accepted by mailcow (rspamd) with the error SPOOFED_UNAUTH (50.00)
In the out-queue of mailman the headers look like this: [QUOTE] Authentication-Results: <my.mailserv.er>; dkim=none; spf=pass (<my.mailserv.er>: domain of sender@t-online.de designates 194.25.134.81 as permitted sender) smtp.mailfrom=sender@t-online.de; dmarc=pass (policy=none) header.from=t-online.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.<list.domain>; s=dkim; t=1757400255; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zmDaIaGeCj1IT8TuP4aJmXRbfyNHV3LqjIfHveVMS0M=; b=Im4F/mpchty4CJvvcW4ZqxMl0BRNnybjcmkPboUSuodopd7nOXaesj3w6kgIwZkLHn1uHY FOiSSjyfZ8Zu0/w4l4Du5uoij2qDCEYHvGFhEugFizE9HJ71i7x0SzoEVSZ9uve6sqnWaE X8+GqtCE+vf0TLLeKhXKHJaBdltbMSqO+QT0BOlbmOdvmUCy6MIqysocTod9io5/+CQOgd SSvsSdDq00CG1IBUsg0Tm2rSf/L2bpGD3bl7QEBKS2id7NeLFM/Zme/3mkHo0N/u7m47xy XSLS9R0C3Kg/YxHY8ctPt7Yas6fwYfzGAOXRvVJz1eeXSrl8B5vWfzJ8+WrE5Q== ARC-Authentication-Results: i=1; <my.mailserv.er>; dkim=none; spf=pass (<my.mailserv.er>: domain of sender@t-online.de designates 194.25.134.81 as permitted sender) smtp.mailfrom=sender@t-online.de; dmarc=pass (policy=none) header.from=t-online.de ARC-Seal: i=1; s=dkim; d=lists.<list.domain>; t=1757400255; a=rsa-sha256; cv=none; b=yrD6cRE7c/L/v8D76U5Ohn57/MJ7/VsObkzQdAHbFny5DbyEO8pZvM0VCVYA5hUGXqoqoU nnKpEW6/CqvNIZmsS9hKzQQEdO5yIzNnyYjARcW5w5MpAlkMjmH3dQ68mLIS9SUyXUsoXj m1zAeYmdTjZWQOiYanaNJLRuxCWSFQHOpAljZe/lZt+4llNNA01YqirqGBRe6uMaJoebe6 2ubsHTr6VlfTrBrdFqLLSWyRBls+e0JwOd2jGahaQ6/ZIf4l1dOqdaUHSq31RjEDAiofmK IGeKC97iu3r9LiFsjICyi+/yedMGbwSeyyFMzz+cAV7wM84eWfSx2S2kPP1c9Q== [END QUOTE]
When the email arrives at rspamd for verification, the DKIM header is added, but there is also the entry: arc=reject ("signature check failed: fail, {[1] = sig:lists.list.domain:reject}"):
[QUOTE] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.list.domain; s=dkim; t=1757413251; h=from:reply-to:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding:content-language:list-id:list-help: list-owner:list-unsubscribe:list-subscribe:list-post; bh=jH/b69qzW7O+s5h3yE2MxKTwFLElX7b39ILc9yHGhkc=; b=AApU4mb2iuN9u1lYTrIKIcPnB4jzXDX+8vC+2/WwHC8JvCukiR2Std5k3E10cuAyYFhPVk zn6AWY+s6c6HKslDn0RiO3i9QYRLAY5MESxvj0tKO1dKDMz+A8RdcOf4kdO4hDr0DQBf7v yQLLnLjgK8QpZdW8MrlfxcQpQ9XrlyP2GX+ntFh5vDl7frNPXQfnBMoo+l0DIs6SWQuaFX ikrOiISYKugL8TmWXnGohXiAM84W/JT0lvP/Lmt3NjxlyNsAWpHQz736LphydY4r5/JjHI of99pRcbTvEmkZogthHFaXMOG2sDGxGwlIc3+oIUHoXqyY+VLsBQs8FzjR+eaw== Authentication-Results: <my.mailserv.er>; arc=reject ("signature check failed: fail, {[1] = sig:lists.list.domain:reject}") ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.list.domain; s=dkim; t=1757413249; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=QSqNoTMweT1jo6F77TLHa+Nh7a0n/g9qDOsUTT8KpQ4=; b=rDgMC26uNsyTPgmddqQOiUsJh25KUa69TeMJfekVn5sFOnvhQdoa9LCogRMMKzJomA0wu6 CCdi6jGJpjtJdzB7PQ8UhQbeFiOUy9JNswFxQ+Qk1GXBxgN892C6KL/DiB/VW1j1nL0xOk Tc0BNC1zH1/MG2hB332t6u/rjWO+PtxIznAdcCP29AhO39RWWY/J0c/CHCOoqFYKCEf1ZH J4Wqeu9ANF44cPwopuJzJioWts6JKRvAM5TjnInZ+HaSv5QmuHvdI0fWvh272O3vGfvEPc iG1QsJS9XWpzkymRjYWo6h1c4/eY7eZd4FEzSR/TtW6Ud9b04A5lUmPpEvTxlQ== ARC-Authentication-Results: i=1; <my.mailserv.er>; dkim=none; dmarc=pass (policy=none) header.from=t-online.de; spf=pass (<my.mailserv.er>: domain of sender@t-online.de designates 194.25.134.20 as permitted sender) smtp.mailfrom=sender@t-online.de [END QUOTE]
What am I still doing wrong? Can you help me, which setting is still missing? What information are you still missing?
Thanks for your help, Matthias

On 9/9/25 08:42, M.Ede via Mailman-users wrote:
> Hello everyone,
> I use mailman together with mailcow and have configured my mailing list as follows:
> - Anonymous list: Yes
> - DMARC mitigation action: Replace From: with list address
> - DMARC Mitigate unconditionally: Yes
> My problem is that my emails are not being accepted by mailcow (rspamd) with the error SPOOFED_UNAUTH (50.00) ... What am I still doing wrong? Can you help me, which setting is still missing? What information are you still missing?
I doubt that this has anything to do with the ARC-*, Authentication-Results or DKIM-Signature headers you quote.
There are some threads on SPOOFED_UNAUTH in the mailcow community forum, e.g. https://community.mailcow.email/d/403-spoofed-unauth-rspamd and https://community.mailcow.email/d/637-problems-with-emails-keep-getting-reje...
Also see https://www.reddit.com/r/mailcow/comments/12lhw8e/whitelist_ip/
These came up in a google search for SPOOFED_UNAUTH.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Thanks for your quick response and the links :-)
When I switch list configuration to Anonymous list: No, DMARC mitigation action: No DMARC mitigations, everything works fine, rspamd is fine with my mail.
But with Anonymous list: Yes, DMARC mitigation action: Replace From: with list address, I get the SPOOFED_UNAUTH.
So I thought some of my settings were not right yet.

On 9/9/25 09:56, M.Ede via Mailman-users wrote:
> Thanks for your quick response and the links :-)
> When I switch list configuration to Anonymous list: No, DMARC mitigation action: No DMARC mitigations, everything works fine, rspamd is fine with my mail.
> But with Anonymous list: Yes, DMARC mitigation action: Replace From: with list address, I get the SPOOFED_UNAUTH.
First of all, DMARC mitigations are not applied to anonymous lists because the From: header in mail from an anonymous list is already the list address.
That said, it looks like the issue is caused when the From: address is the list address. I don't know why that would be but I'm guessing what you need is some setting in mailcow/rspamd to authorize the list address.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Thanks, I will not do any DMARC mitigations for my list.
When I switch to anonymous list, my Headers looks like this: [QUOTE] Authentication-Results: mailserv.er; dkim=none; dmarc=pass (policy=none) header.from=t-online.de; spf=pass (mailserv.er: domain of sender@t-online.de designates 194.25.134.17 as permitted sender) smtp.mailfrom=sender@t-online.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.serv.er; s=dkim; t=1757502340; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=D54tjBjp9YBqO6kFaKprYwbpPiyCzlyU7sBvXK54AYeXa0kmBg+KllbGMVKjJMQ++31e7l dwUlbBmEN5Ns9kvCCuWofA/YOxmeup3LEN1Ghzr76LsqCLS9TTyRmqbl5ubarlAZ7hcVOk tsWatA31S4IFBUTu9dFMu7X5F7Fb7KoOym6pkOIxD8cqIjT4VNGrx4QTjKQhxqthHaHBX0 cXSJzTGHv7b/tWuNp67kjYU5Hx2k4/V+K+Lvo7z2QMDJQ13vGmX2wTKbxcz0FI0VFCqOqy vXe8pbWmorINdqyajr7b3yPflq3vJK6TgcQ7hh7+jm7W0UY4E03L0JYfOfaIPg== ARC-Authentication-Results: i=1; mailserv.er; dkim=none; dmarc=pass (policy=none) header.from=t-online.de; spf=pass (mailserv.er: domain of sender@t-online.de designates 194.25.134.17 as permitted sender) smtp.mailfrom=sender@t-online.de ARC-Seal: i=1; s=dkim; d=lists.serv.er; t=1757502340; a=rsa-sha256; cv=none; b=c5OYJNi9bU8Nm6cUwzWwdWKUWD3TPRerBX9+cCbNDLztCG/RPlmefYu0ageNZePEagVu5/ wRv+aSB5Q6nFokbO3SYiKNPw7jQdoArp0qT5F+kuv9haAJYwLZmh9Em4ocSm1xbah6re4X Zj5OeLU0WgRqz+tvopwNVxKnjFKg9rEc7MN67KoghSvxjIwijaBlYRlrRh44JSIQiwzoXN 0O4jQ/YlaA9NF0wSEZYF1acfchRmC6igHEZF5255W0wlqTPwThcChwMWrn3F+rSqyngx9/ 9a61HHNQ2tLkWA9IE+3m/97WYttjmkFjcj2XFeSK5TXV93mPZ3TzmjtHO+t2NA== From: Testliste <testliste@lists.serv.er> [END QUOTE]
So ARC signatures are present, FROM is my list, but smtp.from is still the original sender -> SPOOFED_UNAUTH
Is there any possibility to change smtp.from or to remove it when using anonymous lists?
(I have found a solution to configure rspamd to whitelist my mailinglist, but I think there should be a better solution, right?)

On 9/10/25 04:24, M.Ede via Mailman-users wrote:
> Thanks, I will not do any DMARC mitigations for my list.
> When I switch to anonymous list, my Headers looks like this: [QUOTE] Authentication-Results: mailserv.er; dkim=none; dmarc=pass (policy=none) header.from=t-online.de; spf=pass (mailserv.er: domain of sender@t-online.de designates 194.25.134.17 as permitted sender) smtp.mailfrom=sender@t-online.de ...
> Is there any possibility to change smtp.from or to remove it when using anonymous lists?
This is a bug. It was not recognized that the Authentication-Results: header could expose the sender. This should be fixed. The following patch will remove the header. Hopefully it will not have unwanted side effects. What in your MTA is providing this? I don't think opendkim or openarc include an smtp.from in Authentication-Results: ``` --- a/src/mailman/handlers/cleanse.py +++ b/src/mailman/handlers/cleanse.py @@ -91,6 +91,8 @@ class Cleanse: # And something sets these del msg['x-mailfrom'] del msg['x-envelope-from'] + # In some cases Authentication-Results: can expose the sender. + del msg['authentication-results'] # And now remove all but the keepers. self.remove_nonkeepers(msg) i18ndesc = str(uheader(mlist, mlist.description, 'From')) ```
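Review bot: the added `del msg['authentication-results']` removes only one of the headers that repeat the poster's envelope address. The headers quoted earlier in this thread show ARC-Authentication-Results carrying the same smtp.mailfrom= value, so that header should be deleted at the same point unless remove_nonkeepers() already drops it. The new comment could also name smtp.mailfrom as the field that exposes the sender, and a test that posts to an anonymous list and asserts the header is gone would guard the change.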
> (I have found a solution to configure rspamd to whitelist my mailinglist, but I think there should be a better solution, right?)
That's an rspamd issue. If you can find out exactly what causes rspamd to hit SPOOFED_UNAUTH, there may be something we can do in Mailman. It seems from the above Authentication-Results: that you are not DKIM signing your list's outgoing mail with the list domain? You should do that in your outgoing MTA. That may avoid the SPOOFED_UNAUTH.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Mark Sapiro wrote:
> The following patch will remove the header.
Thanks for the hint, I removed authentication-results header as well as arc-authentication-results with your patch, but rspamd still results in SPOOFED_UNAUTH.
I'm now investigating further why rspamd behaves this way.
DKIM signing happens when sending from a non anonymous list, but with anonymous something differs ...
Thanks for your help so far. I'll be happy to get back to you if I have any new information.

M.Ede via Mailman-users writes:
> Mark Sapiro wrote:
>> The following patch will remove the header.
> Thanks for the hint, I removed authentication-results header as well as arc-authentication-results with your patch, but rspamd still results in SPOOFED_UNAUTH.
I don't think Mark was suggesting that would help with the SPOOFED_UNAUTH problem. I read his mail as saying that it needs to be fixed because it breaks anonymous_list. I don't think that rspamd is paying attention to any of the smtp.*from information because the one that matters is the one in the SMTP MAIL FROM command, which only appears in the message header by accident. (It could be some kind of machine learning thing, but I doubt that would get dinged for 50 points.)
If you're still having issues
- Does your problem resemble any of those in the links Mark sent?
- Where is rspamd running? On your host or at Mailcow?
- Who is sender@t-online.de, is it a placeholder for a random user, or is it an address associated with your Mailcow account?
- Are my.mailserv.er and lists.list.domain the same host? If not, what is their relationship?
- Where are you running the ARC and DKIM processors?
- Do you have Mailman set to strip DKIM signatures? (I find it hard to believe that a major ESP like t-online doesn't sign outgoing email.)
- What is the list address? Specifically, is it @lists.list.domain, or is it @list.domain? You need a DKIM public key record in DNS for the exact domain of the list as it is added to From.
- Do you have a non-permissive DMARC policy for lists.list.domain?
- How do you send list mail to Mailcow? (a) Regular SMTP directly to the Mailcow MX (b) Regular SMTP indirectly via a different host that is not authorized in SPF to send mail for your list domain (c) Authenticated SMTP (usually SASL on port 587)?
Something is definitely odd about your ARC installation. It should not be possible for ARC verification to fail within the administrative domain that applied the ARC headers, because in theory the ARC signature and seal are performed on the *outgoing* message at the administrative boundary. Also, in the example in your third post[1] the server names in the ARC headers don't match:
ARC-Message-Signature: i=1; d=lists.serv.er;
ARC-Authentication-Results: i=1; mailserv.er;
ARC-Seal: i=1; s=dkim; d=lists.serv.er;
Maybe that's just a typo, but if not that could be the problem, I'm pretty sure those are expected to match.
I think the missing DKIM signature may be important. One interpretation of "SPOOFED_UNAUTH" is "I think it's spoofed because I can't authenticate it". In question 9 above, if you send mail via (a) SPF *could* authenticate it, and via (c) that's pretty good authentication, but DKIM is best and Mailcow may insist on it.
[1] <175750349214.87167.13924287800652306747@mail.mailman3.org>
Aaargh, gmx.de has a non-permissive DMARC policy -- hope you're not deleting dupes because that almost always means you don't get the list version.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan

On 9/11/25 10:03, Stephen J. Turnbull wrote:
> I don't think Mark was suggesting that would help with the SPOOFED_UNAUTH problem. I read his mail as saying that it needs to be fixed because it breaks anonymous_list.
Exactly. Issue is now reported at https://gitlab.com/mailman/mailman/-/issues/1241
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

On 11.09.25 at 20:38, Mark Sapiro wrote:
> On 9/11/25 10:03, Stephen J. Turnbull wrote:
>> I don't think Mark was suggesting that would help with the SPOOFED_UNAUTH problem. I read his mail as saying that it needs to be fixed because it breaks anonymous_list.
> Exactly. Issue is now reported at https://gitlab.com/mailman/mailman/-/issues/1241
In my tests, I sent an email via an anonymized list from an external list member who signed his emails with DKIM.
The email sent via the anonymized list still contained the DKIM header with the following information:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.de; s=s31663417; t=1757947718; x=1758552518; i=medebb@gmx.de; bh=vcgwKHYW2uGBjO0+fBhuE4cVWQCtMNWYPsAtoVGcSpU=; h=X-UI-Sender-Class:Message-ID:Date:MIME-Version:To:From:Subject: Content-Type:Content-Transfer-Encoding:cc: content-transfer-encoding:content-type:date:from:message-id: mime-version:reply-to:subject:to; b=efMRr8yABy1/lYtU+rDbUup/kNJlirY6jaBCCMRbu1mHZG+6aa5jwk2+p7xSs2An WI4aVD5Dm5LsUjEz6VIFn7mYF6yy2h7DFoFFKaysbE4SEx8z1Vz23Ob0K9KnOlUgK fX7C+WS1Cr4rg0arSWN/OhRMHZUYwUv6q9Kk7FQcM+92UepNNsgnYNtI9NmGryL36 Ui536gOGLLqg7tpS/RkRYSvSYonHgvnsS2kM5VFdC8Ikyb6RC1Xzy5Nj3pO8xFy// 2xABTzbMuA3jnSTQ5PxlLUT7gg4c8c9WvW18+IAUIJKvedyfWgZnGRUxtDbiFKrDF sbX47CSb1jW6b3UPOg==
This means that both the domain and the email address of the original sender are included.
Don't all DKIM headers also have to be removed from anonymized lists?

M. Ede via Mailman-users writes:
> The email sent via the anonymized list still contained the DKIM header with the following information: [DKIM signature date removed] This means that both the domain and the email address of the original sender are included.
> Don't all DKIM headers also have to be removed from anonymized lists?
That seems right to me. Of course you can already do it with a separate option, but the anonymous_list setting should override that option.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan
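
The leak discussed in the messages above (Authentication-Results, ARC-Authentication-Results and the poster's DKIM-Signature surviving on an anonymous list), as an added check that is not part of the original thread or of Mailman: it scans a delivered post for headers that still name a known test sender. `find_sender_leaks`, the sample message and its example.org / example.net addresses are constructed for illustration.

```python
"""Audit a post delivered by an anonymous list for headers that still
identify the original sender (added example; all names are hypothetical)."""
import re
from email import message_from_string

# key=value properties that name a signer or an envelope sender in
# DKIM-Signature, ARC-* and Authentication-Results headers.
IDENTITY_PROP = re.compile(
    r"\b(header\.from|header\.d|header\.i|smtp\.mailfrom|d|i)=\s*([^\s;]+)",
    re.IGNORECASE,
)

# Constructed sample: what a subscriber might receive from an anonymous list
# when the headers discussed in the thread are not removed.
SAMPLE_ANONYMIZED_POST = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.net;
 s=dkim; h=from:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED
Authentication-Results: mx.example.net; dkim=none;
 spf=pass (mx.example.net: domain of poster@example.org designates
 192.0.2.10 as permitted sender) smtp.mailfrom=poster@example.org;
 dmarc=pass (policy=none) header.from=example.org
ARC-Authentication-Results: i=1; mx.example.net; dkim=none;
 spf=pass smtp.mailfrom=poster@example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
 s=sel1; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Testliste <testliste@lists.example.net>
To: testliste@lists.example.net
Subject: [Testliste] hello

body
"""


def find_sender_leaks(raw_message, sender):
    """Return (header name, reason) for every header that exposes `sender`.

    `sender` is the address the test post was sent from. A header is
    reported when it contains the full address, or when one of its
    identity properties names the sender's domain or a subdomain of it.
    """
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[1]
    findings = []
    for name, value in message_from_string(raw_message).items():
        # Unfold continuation lines and compare case-insensitively.
        text = " ".join(str(value).split()).lower()
        if sender in text:
            findings.append((name, "address"))
            continue
        for prop, val in IDENTITY_PROP.findall(text):
            host = val.rsplit("@", 1)[-1].strip('"<>')
            if host == domain or host.endswith("." + domain):
                findings.append((name, f"domain via {prop}="))
                break
    return findings


if __name__ == "__main__":
    for header, reason in find_sender_leaks(
        SAMPLE_ANONYMIZED_POST, "poster@example.org"
    ):
        print(f"{header}: exposes sender ({reason})")
```

The list's own DKIM-Signature (d=lists.example.net) and the rewritten From: are not reported, because neither names the poster's address or domain.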

Stephen J. Turnbull wrote:
> I think the missing DKIM signature may be important. One interpretation of "SPOOFED_UNAUTH" is "I think it's spoofed because I can't authenticate it". In question 9 above, if you send mail via (a) SPF *could* authenticate it, and via (c) that's pretty good authentication, but DKIM is best and Mailcow may insist on it.
First of all, thank you very much for your support! :-)
To answer question 9, I will describe my setup:
I've been using mailcow as my mail server for a while now, and recently mailman. Both run on the same host under Docker; I followed these instructions: https://docs.mailcow.email/third_party/mailman3/third_party-mailman3/
So the way how mailman is integrated is described here: https://docs.mailcow.email/third_party/mailman3/third_party-mailman3/#add-ma...
- lists.domain2.online: Domain under which the mailman mailing lists run.
- my.mailserver.de (1.2.3.4): Mail server running with mailcow.
- my.address@t-online.de: My email address is a member of the list testliste@lists.domain2.online
If I now set the test list as a non-anonymous list, I can send an email from my.address@t-online.de to testliste@lists.domain2.online. It will then arrive at my.address@t-online.de via the list and look like this: (Sorry for posting the whole email, but I don't want to miss anything important)
X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 Return-Path: <testliste-bounces@lists.domain2.online> Received: from mailin20.aul.t-online.de ([10.223.144.60]) by ehead25a10.aul.t-online.de with LMTP id sOxpMb8Tw2ietwAA1CIAZQ (envelope-from <testliste-bounces@lists.domain2.online>); Thu, 11 Sep 2025 20:23:59 +0200 Received: from my.mailserver.de ([1.2.3.4]) by mailin20.mgt.mul.t-online.de with (TLSv1.3:TLS_AES_256_GCM_SHA384 encrypted) esmtp id 1uwlxc-1DSY6r0; Thu, 11 Sep 2025 20:23:56 +0200 Received: from [172.29.199.3] (unknown [172.22.1.1]) by my.mailserver.de (Postcow) with ESMTP id A3C01160026; Thu, 11 Sep 2025 20:23:55 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.domain2.online; s=dkim; t=1757615035; h=from:subject:date:message-id:to:mime-version:content-type: content-transfer-encoding:content-language:list-id:list-help: list-owner:list-unsubscribe:list-subscribe:list-post; bh=uGrXLBOr+HJaZrAyNMN5fih9l4O/kF9HR9kjIHSATUM=; b=cr11tdmompC0lUHRTHmPwXmVN47+coABsWjCCr7xP5hylpkyA1X9gWGb0icHxVchbCe0+J PkEp6of1uJgVqtOvk4B+nQBaW3NkfmeiBuXQJ/vGEOpoAqffTvl6hSq8MtdovARdoGTpCW SH0Utk9waVXNu89PkB+ZfdC6yaRVr26KKkLWriw0eB6j2llXZS72wZMp/IKA8pTW2IoR8j BUaNVqlGUtSFQO8VUXuSHDRpzxz6HpLidbnuygq1jKqK4MOVX7CIcHgz56+KwNDhyfDGph 1UR27gMpy55g5biI2VsdecgxpFApAAffMKENBul/i7hc0FtaL4OvFkJpOMi1Bw== X-Original-To: testliste@lists.domain2.online Received: from mailout05.t-online.de (mailout05.t-online.de [194.25.134.82]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by my.mailserver.de (Postcow) with ESMTPS id BDF16160026 for <testliste@lists.domain2.online>; Thu, 11 Sep 2025 20:23:53 +0200 (CEST) ARC-Seal: i=1; s=dkim; d=lists.domain2.online; t=1757615033; a=rsa-sha256; cv=none; b=GPjHqy/UO/namwi50u6Hx7nkMxJn1O3SmvGH7qhrWA0qHNHYOjsfEqMK8IXI/BpGBlFY2w jM5ugK9l9dOtMlK6PeIHiLY4PMKIEJ9DOUwWynhB69o+YMqgK1060XzCXX7/N9y72wYAwI 
j+hf5YVnXdP3NxzioTb+9uuUls56kOyhXwNievuAcL78jvYQYZy8x/BwtY593kpwG+tWc5 axazfDr58xm+O8YleR06OfbXZk2faS1xjj/vLiOyqjoNc2GrTMhUXZKDDryhs+56DnIXuL I4N4hvYUtKse6OEWjLx537aNl6tYuXWZ/+dn8YLE7UdMX6xtSDbjWNCIKCxSgA== ARC-Authentication-Results: i=1; my.mailserver.de; dkim=none; dmarc=pass (policy=none) header.from=t-online.de; spf=pass (my.mailserver.de: domain of my.address@t-online.de designates 194.25.134.82 as permitted sender) smtp.mailfrom=my.address@t-online.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.domain2.online; s=dkim; t=1757615033; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Si6KpMIgU2cSdhN7oYV2hWnUh/PTv49n+b9Q23p38LI=; b=ENhqizYrOpISbjaf2MKl6C4dMbldPoj1THa2iG4WHH9dCk2Hpb6puB8MyhecAbj4La3Lao AlFmG+k+bT+2Tcew64ILFVZ1wPWYAq8fBQnOAE/0dhGdN9HzWzds+gDW8Hm5YLmybmug3u WRNnb0E8CzB0Ctlq4/RgdZgRMMEOW8utXNuPq7RKroZARl2g34b63ozXHERWo22h7a/T5T DVarQraTXoNrbDZ6Xgr76tWprn4dQzRImdUyMIys8T+RmkmNeQgDPFv3Fs+XYLxcZqJbWF tUBRv8J/XdQRYcaWWoVzlUFOX9fBzGp2+hTiHkSWMBtd+XDQWQwXlDd+7oXMMw== Received: from fwd79.aul.t-online.de (fwd79.aul.t-online.de [10.223.144.105]) by mailout05.t-online.de (Postfix) with SMTP id 97BA383E for <testliste@lists.domain2.online>; Thu, 11 Sep 2025 20:23:53 +0200 (CEST) Received: from [192.168.42.95] ([79.248.15.117]) by fwd79.t-online.de with (TLSv1.3:TLS_AES_256_GCM_SHA384 encrypted) esmtp id 1uwlxZ-202QnA0; Thu, 11 Sep 2025 20:23:53 +0200 Message-ID: <2a1f738e-2c21-46c7-9377-73e040acf257@t-online.de> Date: Thu, 11 Sep 2025 20:23:53 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: de-DE To: testliste@lists.domain2.online From: Matthias <my.address@t-online.de> X-Last-TLS-Session-Version: TLSv1.3 Message-ID-Hash: QHTK754PQY25N6BZSBXO3Y6K4WAESCPF X-Message-ID-Hash: QHTK754PQY25N6BZSBXO3Y6K4WAESCPF X-MailFrom: my.address@t-online.de X-Mailman-Rule-Hits: 
member-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency X-Mailman-Version: 3.3.10 Precedence: list Subject: =?utf-8?q?=5BTestliste=5D_Mail_von_t-online?= List-Id: Testliste <testliste.lists.domain2.online> Archived-At: <https://lists.domain2.online/hyperkitty/list/testliste@lists.domain2.online/...> List-Archive: <https://lists.domain2.online/hyperkitty/list/testliste@lists.domain2.online/> List-Help: <mailto:testliste-request@lists.domain2.online?subject=help> List-Owner: <mailto:testliste-owner@lists.domain2.online> List-Post: NO List-Subscribe: <mailto:testliste-join@lists.domain2.online> List-Unsubscribe: <mailto:testliste-leave@lists.domain2.online> Content-Type: text/plain; charset="utf-8"; format="flowed" Content-Transfer-Encoding: base64 X-Last-TLS-Session-Version: None X-Spamd-Result: default: False [-0.15 / 15.00]; BAYES_HAM(-5.44)[99.86%]; FORGED_W_BAD_POLICY(3.00)[]; SUBJ_EXCESS_QP(1.20)[]; MIME_BASE64_TEXT_BOGUS(1.00)[]; MAILLIST(-0.20)[mailman]; RCVD_NO_TLS_LAST(0.10)[]; FISHY_TLD(0.10)[lists.domain2.online]; ARC_REJECT(0.10)[signature check failed: fail, {[1] = sig:lists.domain2.online:reject}]; MIME_BASE64_TEXT(0.10)[]; MIME_GOOD(-0.10)[text/plain]; HAS_LIST_UNSUB(-0.01)[]; BCC(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_MAILCOW_DOMAIN(0.00)[brunsche.de,domain2.online]; FORGED_SENDER(0.00)[my.address@t-online.de,testliste-bounces@lists.domain2.online]; RCPT_COUNT_ONE(0.00)[1]; DKIM_SIGNED(0.00)[lists.domain2.online:s=dkim]; FREEMAIL_ENVRCPT(0.00)[t-online.de]; FREEMAIL_FROM(0.00)[t-online.de]; FROM_NEQ_ENVFROM(0.00)[my.address@t-online.de,testliste-bounces@lists.domain2.online]; FROM_HAS_DN(0.00)[]; RCVD_COUNT_THREE(0.00)[3]; TO_DN_NONE(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[testliste@lists.domain2.online]; FORGED_RECIPIENTS_MAILLIST(0.00)[]; FORGED_SENDER_MAILLIST(0.00)[] X-Rspamd-Queue-Id: A3C01160026 X-TOI-VIRUSSCAN: unchecked X-TOI-EXPURGATEID: 
149288::1757615036-7DFF9602-F04AED1F/0/0 CLEAN NORMAL X-TOI-MSGID: 33a39598-248e-49ce-8014-5b8d700dc8b7 X-ENVELOPE-TO: <my.address@t-online.de> Authentication-Results: mailin20.aul.t-online.de; dkim=pass (2048-bit key; secure) header.d=lists.domain2.online header.i=@lists.domain2.online header.a=rsa-sha256 header.s=dkim header.b=cr11tdmo; dkim-atps=neutral
So there are DKIM signatures from d=lists.domain2.online attached, and the authentication results from t-online.de also say: dkim=pass
Everything's OK with this email, right? Or is something wrong here?
It would be great if you could take a look at it, so I don't miss anything.
Thanks very much, Matthias
(I'll continue with the other questions later...)

On 11.09.25 at 19:03, Stephen J. Turnbull wrote:
> - Does your problem resemble any of those in the links Mark sent?
I tried [https://community.mailcow.email/d/637-problems-with-emails-keep-getting-reje...] and added a forwarding host to the configuration. Emails from an anonymous list were delivered, but the DKIM signature with the list domain was missing.
I've since found the solution: In the rspamd (mailcow) configuration, I added the following to the multimap.conf file:
```
whitelist_sender_domain {
  type = "from";
  map = "/etc/rspamd/local.d/whitelist_from.map";
  action = "accept";
}
```
And the whitelist_from.map file now contains lists.domain2.online
This means that emails from an anonymous list are now also delivered and signed :-)
Thanks everyone for your help!
Matthias

Thanks a lot, I've experienced the same problem. I have a dockerized installation of mailcow and mailman 3. So for me, will your suggested change
- apply to the file /opt/mailcow-dockerized/data/conf/rspamd/local.d/multimap.conf ?
- and look like this?
```
WHITELIST_SENDER_DOMAIN {
  type = "rcpt";
  map = "${LOCAL_CONFDIR}/custom/whitelist_from_map";
  action = "accept";
}
```

Sorry, it should of course be:
```
WHITELIST_SENDER_DOMAIN {
  type = "from";
  map = "${LOCAL_CONFDIR}/custom/whitelist_from_map";
  action = "accept";
}
```

My file is now located at /opt/mailcow-dockerized/data/conf/rspamd/custom/whitelist_from.map, so for me this works:
```
WHITELIST_SENDER_DOMAIN {
  type = "from";
  map = "${LOCAL_CONFDIR}/custom/whitelist_from.map";
  action = "accept";
}
```
(with whitelist_from.map instead of whitelist_from_map)

M.Ede via Mailman-users writes:
> I've since found the solution:
I'm glad you found a solution to the immediate problem. However, that SPOOFED_NOAUTH error strongly suggests that whitelisting your own host(s) shouldn't be necessary. I can't think of a way where a future change in your configuration would result in problems, so there's no hurry, but I would like to know what rspamd was complaining about for future reference.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan

On 13.09.25 at 08:44, Stephen J. Turnbull wrote:
> I'm glad you found a solution to the immediate problem. However, that SPOOFED_NOAUTH error strongly suggests that whitelisting your own host(s) shouldn't be necessary. I can't think of a way where a future change in your configuration would result in problems, so there's no hurry, but I would like to know what rspamd was complaining about for future reference.
So I try to debug what happens and want to look at the mail going from mailman to my MTA (mailcow) for delivery.
I found a mail in /opt/mailman/var/queue/out (for a short time), but in this mail the List-Footer is missing.
Can you help me where to find the last version of mail just before going to my MTA?

M. Ede via Mailman-users writes:
> So I try to debug what happens and want to look at the mail going from mailman to my MTA (mailcow) for delivery.
MTAs like Postfix and Exim4 provide hooks for filtering email. I'm sure mailcow does too. You could put a filter that looks for a specific header or envelope parameter, and saves that message to a file.
Easiest is to install something like Mailhog, run it on port 8025, and send everything from Mailman to it for a few minutes. That would likely give you the cleanest post-Mailman file (I don't think Mailhog adds anything to the message, check the docs -- it might add a Received header). Note that once you have copied off the Mailhog messages to a directory where you can analyze, Mailhog can release them to your mailcow to be sent to the final destinations.
> I found a mail in /opt/mailman/var/queue/out (for a short time), but in this mail the List-Footer is missing.
I believe that is the unprocessed message received via LMTP -- the only processing is adding the Received field from Mailman's LMTP processor. Mailman does not save the output of pipeline handlers to disk, instead passing the message from handler to handler as a Python object. If something goes wrong, it just starts the whole process again from the beginning with the queuefile in the out queue.
Steve
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan

On 13.09.25 at 15:18, Stephen J. Turnbull wrote:
> MTAs like Postfix and Exim4 provide hooks for filtering email. I'm sure mailcow does too. You could put a filter that looks for a specific header or envelope parameter, and saves that message to a file.
Thanks for the tip, I'll test it out in the next few days. It'll take a while, so I'll get back to you later.
Matthias

On 13.09.25 at 08:44, Stephen J. Turnbull wrote:
> I'm glad you found a solution to the immediate problem. However, that SPOOFED_NOAUTH error strongly suggests that whitelisting your own host(s) shouldn't be necessary. I can't think of a way where a future change in your configuration would result in problems, so there's no hurry, but I would like to know what rspamd was complaining about for future reference.
I've done a bit of testing and come to the following conclusion:
My DKIM, SPF, and DMARC settings are correct. Everything works perfectly on a mailing list that isn't anonymous. I also receive DMARC reports confirming this.
As soon as I change a test list to anonymous, I get a hit from my own RSPAMD (running on my MTA, mailcow), meaning the email isn't delivered to the list recipients.
The triggering rule states:
SPOOFED_UNAUTH (50) and is determined as follows:
(1) !MAILCOW_AUTH & (2) !MAILCOW_WHITE & (3) !RSPAMD_HOST & (4) !SIEVE_HOST & (5) MAILCOW_DOMAIN_HEADER_FROM & (6) !WHITELISTED_FWD_HOST & (7) -g+:policies (50)
This means that nothing is checked here with signatures (DKIM, ARC, SPF), etc.
(1) mailman and mailcow are integrated via a Docker network, meaning mailman is not logged in as SMTP user. In my case, this should always be TRUE (the sender is "not authorized").
(2), (3), (4), (6) Exception IPs that are allowed to send emails for various reasons.
(5) This is FALSE for a non-anonymized list (which is why I don't have a problem with non-anonymized lists). For an anonymized list, this is TRUE.
As a solution, I now entered the delivering IP in (6) (this can be done via the Mailcow UI as a forwarding host). I had actually done this before and tried it without success. However, I made the mistake of specifying mailman's Docker network (172.29.199.0/24). In my scenario, the delivering IP is actually the gateway of mailcow's docker network (172.22.1.1). (Reminder: my scenario is described here: https://docs.mailcow.email/third_party/mailman3/third_party-mailman3/)
Conclusion: With the correct IP as the allowed forwarding host, it now works for me too.
That should be fine now – or have I missed something?

M. Ede via Mailman-users writes:
> The triggering rule states:
> SPOOFED_UNAUTH (50) and is determined as follows:
> (1) !MAILCOW_AUTH & (2) !MAILCOW_WHITE & (3) !RSPAMD_HOST & (4) !SIEVE_HOST & (5) MAILCOW_DOMAIN_HEADER_FROM & (6) !WHITELISTED_FWD_HOST & (7) -g+:policies (50)
> This means that nothing is checked here with signatures (DKIM, ARC, SPF), etc.
> (1) mailman and mailcow are integrated via a Docker network, meaning mailman is not logged in as SMTP user. In my case, this should always be TRUE (the sender is "not authorized").
> (2), (3), (4), (6) Exception IPs that are allowed to send emails for various reasons.
> (5) This is FALSE for a non-anonymized list (which is why I don't have a problem with non-anonymized lists). For an anonymized list, this is TRUE.
This analysis is correct.
As a solution, I now entered the delivering IP in (6) (this can be done via the Mailcow UI as a forwarding host).
This will work for you.
The only thing I might do different: I've set up a system where the MTA and Mailman are on different VMs, both visible from a large number of "internal" hosts, and the MTA visible from the public Internet. In that case I used SMTP AUTH both incoming and outgoing (paranoia, justified in the case of that client), but in your case with all the relevant nodes running in containers on a single host I don't think that even gives any extra security.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan

Am 15.09.25 um 18:49 schrieb Stephen J. Turnbull:
This will work for you.
The only thing I might do different: I've set up a system where the MTA and Mailman are on different VMs, both visible from a large number of "internal" hosts, and the MTA visible from the public Internet. In that case I used SMTP AUTH both incoming and outgoing (paranoia, justified in the case of that client), but in your case with all the relevant nodes running in containers on a single host I don't think that even gives any extra security.
Thank you very much for your assessment 🙂

On 9/11/25 02:42, M.Ede via Mailman-users wrote:
Thanks for the hint, I removed authentication-results header as well as arc-authentication-results with your patch, but rspamd still results in SPOOFED_UNAUTH.
I'm now investigating further why rspamd behaves this way.
DKIM signing happens when sending from a non anonymous list, but with anonymous something differs ...
I'm certain that the SPOOFED_UNAUTH issue has nothing to do with any arc-* or authentication-results headers.
I strongly suspect that the issue is because there is no DKIM signature from the From: domain. You need to investigate your DKIM signing rules to see why and fix this.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

My problem is not related to anonymous lists. But messages from my lists are blocked by mailcow/rspamd, unless I set "DMARC mitigation action" to "Wrap the message in an outer message From: the list".
Here is an example:
HFILTER_HOSTNAME_UNKNOWN (8.5)
R_SPF_FAIL (8) [-all]
DMARC_POLICY_QUARANTINE (8) [mydomain.dk : No valid SPF, quarantine]
R_DKIM_REJECT (8) [anotherdomain.dk:s=selector1]
HFILTER_HELO_BADIP (4.5) [172.19.199.3, 1]
VIOLATED_DIRECT_SPF (3.5)
FORGED_W_BAD_POLICY (3)
HTML_SHORT_LINK_IMG_1 (2)
RDNS_NONE (2)
ARC_REJECT (0.1) [signature check failed: fail, {[1] = sig:mydomain.dk:reject}]
RCVD_NO_TLS_LAST (0.1)
MIME_BASE64_TEXT (0.1)
BAYES_SPAM (0.00002) [21.41%]
RBL_SENDERSCORE_REPUT_9 (-1) [172.19.199.1:from]
MAILLIST (-0.2) [mailman]
MIME_GOOD (-0.1) [multipart/mixed, multipart/related, multipart/alternative, text/plain]
HAS_LIST_UNSUB (-0.01)
FROM_HAS_DN (0)
RCPT_COUNT_ONE (0) [1]
FROM_NEQ_ENVFROM (0) [test@mydomain.dk, test-bounces@mydomain.dk]
TO_EQ_FROM (0)
FORGED_SENDER_MAILLIST (0)
RCVD_COUNT_THREE (0) [3]
HAS_REPLYTO (0) [Jesper.Holck@anotherdomain.dk]
PREVIOUSLY_DELIVERED (0) [test@mydomain.dk]
REPLYTO_DOM_NEQ_FROM_DOM (0)
REPLYTO_DOM_NEQ_TO_DOM (0)
TO_DN_EQ_ADDR_ALL (0)
FORGED_RECIPIENTS_MAILLIST (0)
DKIM_TRACE (0) [anotherdomain.dk:-]
MISSING_XM_UA (0)
FORGED_SENDER (0) [test@mydomain.dk, test-bounces@mydomain.dk]
MIME_TRACE (0) [0:+, 1:+, 2:+, 3:+, 4:~, 5:~, 6:+]
TAGGED_RCPT (0)
BCC (0)

jesper.holck--- via Mailman-users writes:
My problem is not related to anonymous lists. But messages from my lists are blocked by mailcow/rspamd, unless I set "DMARC mitigation action" to "Wrap the message in an outer message From: the list". Here is an example:
We really need to see the corresponding headers. We also need to know more about the configuration of your network (including VMs and containers), and where you're sending mail from. If you are going to substitute IP addresses, I recommend you do that consistently, and with a convention that makes it easy to identify the public Internet (I use 10/8 addresses for this), your internal network (I use 172.16/12), and the Mailman host(s) (I use 192.168/16 addresses -- these are all just suggestions, and I've never had a problem ignoring the effect of netmasks on routing).[1]
I'm going to reorder the list for clarity.
HFILTER_HOSTNAME_UNKNOWN (8.5) HFILTER_HELO_BADIP (4.5) [172.19.199.3, 1] RDNS_NONE (2)
I guess "HFILTER" refers to the HELO command sent by Mailman to mailcow. "host 172.19.199.3" is a private IP address, so I suspect you are using Docker with multiple containers (different hosts as far as the mail software is concerned). I suspect you need to set up or reconfigure an internal DNS, or configure some kind of host list in Mailcow, to clear this. IIRC rspamd defaults to "reject on >= 15" so if RDNS is part of this group (I'm just guessing), this message is already rejected.
DMARC_POLICY_QUARANTINE (8) [mydomain.dk : No valid SPF, quarantine]
Apparently you have p=quarantine for mydomain.dk. Mail from mydomain.dk will need to have DMARC mitigation of some kind.
R_SPF_FAIL (8) [-all] R_DKIM_REJECT (8) [anotherdomain.dk:s=selector1]
I'd say these are normal, except that between them "reject > 15" is going to reject your message. I would guess that's an rspamd misconfiguration. Also, nothing in your description explains why anotherdomain.dk is signing the message. Is that your personal email provider where you send test messages?
VIOLATED_DIRECT_SPF (3.5) FORGED_W_BAD_POLICY (3)
Not sure what these mean, but the numbers are too big to ignore. Perhaps they'll be fixed in passing if you fix the issues above.
HTML_SHORT_LINK_IMG_1 (2)
You can't do much about this, but if your posters are using short links you might see if you can adjust that deduction down in rspamd.
Everything below is either favorable or you can ignore it as normal.
ARC_REJECT (0.1) [signature check failed: fail, {[1] = sig:mydomain.dk:reject}]
RCVD_NO_TLS_LAST (0.1)
MIME_BASE64_TEXT (0.1)
BAYES_SPAM (0.00002) [21.41%]
RBL_SENDERSCORE_REPUT_9 (-1) [172.19.199.1:from]
MAILLIST (-0.2) [mailman]
MIME_GOOD (-0.1) [multipart/mixed, multipart/related, multipart/alternative, text/plain]
HAS_LIST_UNSUB (-0.01)
FROM_HAS_DN (0)
RCPT_COUNT_ONE (0) [1]
FROM_NEQ_ENVFROM (0) [test@mydomain.dk, test-bounces@mydomain.dk]
TO_EQ_FROM (0)
FORGED_SENDER_MAILLIST (0)
RCVD_COUNT_THREE (0) [3]
HAS_REPLYTO (0) [Jesper.Holck@anotherdomain.dk]
PREVIOUSLY_DELIVERED (0) [test@mydomain.dk]
REPLYTO_DOM_NEQ_FROM_DOM (0)
REPLYTO_DOM_NEQ_TO_DOM (0)
TO_DN_EQ_ADDR_ALL (0)
FORGED_RECIPIENTS_MAILLIST (0)
DKIM_TRACE (0) [anotherdomain.dk:-]
MISSING_XM_UA (0)
FORGED_SENDER (0) [test@mydomain.dk, test-bounces@mydomain.dk]
MIME_TRACE (0) [0:+, 1:+, 2:+, 3:+, 4:~, 5:~, 6:+]
TAGGED_RCPT (0)
BCC (0)
Footnotes: [1] I use 10/8, 172.16/12, and 192.168/16 addresses, respectively, for public, internal, and Mailman nodes. I've never had a problem ignoring the effect of netmasks on routing, it's all directly addressable. This works because when you've got a Docker network or similar, you can have network problems, but you'd never get to rspamd. These are all just suggestions, of course.
-- GNU Mailman consultant (installation, migration, customization) Sirius Open Source https://www.siriusopensource.com/ Software systems consulting in Europe, North America, and Japan
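The score reasoning in the reply above can be checked mechanically. This is an added example, not part of the thread or of rspamd. It parses an excerpt of the symbol listing quoted in the thread and tests the two symbol groups the reply singles out against the reject threshold of 15, which the reply gives only from memory and which is therefore an assumption here. The function names are hypothetical.

```python
import re

# Excerpt of the rspamd symbol listing quoted in the thread.
SAMPLE = (
    "HFILTER_HOSTNAME_UNKNOWN (8.5) R_SPF_FAIL (8) [-all] "
    "DMARC_POLICY_QUARANTINE (8) [mydomain.dk : No valid SPF, quarantine] "
    "R_DKIM_REJECT (8) [anotherdomain.dk:s=selector1] "
    "HFILTER_HELO_BADIP (4.5) [172.19.199.3, 1] VIOLATED_DIRECT_SPF (3.5) "
    "FORGED_W_BAD_POLICY (3) HTML_SHORT_LINK_IMG_1 (2) RDNS_NONE (2) "
    "ARC_REJECT (0.1) [signature check failed: fail, "
    "{[1] = sig:mydomain.dk:reject}] "
    "RBL_SENDERSCORE_REPUT_9 (-1) [172.19.199.1:from] MAILLIST (-0.2) [mailman]"
)
REJECT_AT = 15.0  # threshold as recalled in the reply ("IIRC"); an assumption

# SYMBOL_NAME (score), optionally followed by [options], which are skipped.
SYMBOL_RE = re.compile(r"\b([A-Z][A-Z0-9_]+) \((-?\d+(?:\.\d+)?)\)")


def parse_symbols(listing):
    """Return [(symbol, score), ...] in listing order."""
    return [(name, float(score)) for name, score in SYMBOL_RE.findall(listing)]


def group_score(symbols, names):
    """Sum the scores of the named symbols."""
    wanted = set(names)
    return sum(score for name, score in symbols if name in wanted)


def top_until_reject(symbols, threshold=REJECT_AT):
    """Largest contributors first, stopping once their sum reaches threshold."""
    picked, running = [], 0.0
    for name, score in sorted(symbols, key=lambda s: -s[1]):
        if running >= threshold or score <= 0:
            break
        picked.append(name)
        running += score
    return picked, running


HELO_DNS = ["HFILTER_HOSTNAME_UNKNOWN", "HFILTER_HELO_BADIP", "RDNS_NONE"]
SPF_DKIM = ["R_SPF_FAIL", "R_DKIM_REJECT"]

if __name__ == "__main__":
    syms = parse_symbols(SAMPLE)
    print(group_score(syms, HELO_DNS), group_score(syms, SPF_DKIM))
    print(top_until_reject(syms))
```

Either group reaches the threshold on its own, so fixing only one of them would not change the outcome for this message.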
Participants (5):
- jesper.holck@ibsgaarden.dk
- M. Ede
- M.Ede
- Mark Sapiro
- Stephen J. Turnbull