Some MTAs are known to break DKIM when doing simple forwarding. Your failure reports may give you enough information to know what is happening at some IPs.

On Sat, Feb 13, 2016 at 3:34 AM, Ben Greenfield via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:

> Hey All,
>
> Sorry I didn’t realize what the question might touch off. I have been
> following the discussion and watching my traffic and I have come up with
> this theory.
>
> Looking over my reports I see I get 100% DMARC & SPF coverage with only
> 71% DKIM coverage.
> I’m assuming the DKIM coverage loss represents traffic to list-servs
> rather than a configuration issue on my end.
>
> Is that plausible?
>
> Thanks,
>
> Ben
>
> > On Feb 7, 2016, at 1:10 PM, Al Iverson via dmarc-discuss <dmarc-discuss@dmarc.org> wrote:
> >
> > The mailing list question can be a bit tricky. Yeah, the DKIM
> > signature is supposed to transport just fine, unless your MLM rewrites
> > any header or content that breaks the signature. And when you deal
> > with that, eventually you're going to run into list subscribers whose
> > posts get rejected by some other subscribers, due to the poster's
> > domain having a P=reject DMARC policy.
> >
> > I would say there's not a clear consensus on how best to handle
> > mailing lists in a DKIM+DMARC world. A bunch of email folks are
> > working on a standard called Authenticated Received Chain (ARC) that
> > would in theory help to address issues with mailing lists. (See
> > http://arc-spec.org/ ). But, we're a ways from being able to call that
> > a solution.
> >
> > I'm a mailing list operator myself, at probably about the same level
> > you are. (Instead of Mailman, I run a custom MLM that I wrote myself,
> > mostly as a programming exercise.) What I have chosen to do is strip
> > an existing DKIM signature, rewrite the from address if it appears to
> > be a domain that has a restrictive DMARC policy, and then sign it with
> > DKIM as the list domain. This works well for me, but not everybody
> > agrees that it's the best path. I'm not the only one to have done
> > something similar; Yahoo Groups, Google Groups, Mail-list.com and
> > OnlineGroups.net all send as the group instead of as the poster either
> > all the time or as needed; and mailman can be configured similarly.
> >
> > Here's a link to an overview of the various issues in play for mailing
> > lists, and info on what I and others have chosen to do to address it.
> > http://www.spamresource.com/2015/02/dmarc-mailing-lists-roundup.html
> >
> > Here's where to go to learn more about what you can do with Mailman:
> > http://wiki.list.org/DEV/DMARC
> >
> > Note: There will probably be at least one really angry reply to this
> > post telling me how horrible this is and that I broke mailing lists.
> > It'll be a rehash of an argument from more than a year ago. Truth be
> > told, somebody else broke mailing lists; this is just how I personally
> > decided to implement a fix that seems to work well for me. YMMV.
> >
> > Regards,
> > Al Iverson
> >
> > --
> > Al Iverson - Minneapolis - (312) 275-0130
> > Simple DNS Tools since 2008: xnnd.com
> > www.spamresource.com & aliverson.com
> > _______________________________________________
> > dmarc-discuss mailing list
> > dmarc-discuss@dmarc.org
> > http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> >
> > NOTE: Participating in this list means you agree to the DMARC Note Well
> > terms (http://www.dmarc.org/note_well.html)
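
The list-side handling Al Iverson describes in the quoted message (strip the existing DKIM signature, rewrite From when the poster's domain has a restrictive DMARC policy), as an added Python example that is not part of the thread and is not his MLM's code. Assumptions: "restrictive" is taken to mean `p=quarantine` or `p=reject`, the DNS lookup is replaced by a constructed table keyed on the exact From domain, the list address and the Reply-To handling are hypothetical, and re-signing as the list domain is left to the outbound DKIM signer.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed sample data: DMARC TXT records by author domain (stands in for a DNS lookup).
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "relaxed.example": "v=DMARC1; p=none",
}
LIST_ADDR = "discuss@lists.example"  # hypothetical list address

def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if it is not a DMARC record."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def prepare_for_list(raw, lookup=SAMPLE_DMARC.get):
    """Strip author DKIM signatures; rewrite From if the author domain enforces DMARC."""
    msg = message_from_string(raw)
    del msg["DKIM-Signature"]  # removes every occurrence; no error if none is present
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    policy = dmarc_policy(lookup(domain) or "")
    if policy in ("quarantine", "reject"):  # assumption: what "restrictive" means here
        if "Reply-To" not in msg:
            msg["Reply-To"] = addr  # assumption: keep replies reaching the poster
        del msg["From"]
        msg["From"] = formataddr((f"{name or addr} via discuss", LIST_ADDR))
    return msg

# Constructed sample post from a domain publishing p=reject.
SAMPLE = (
    "From: Ann <ann@strict.example>\n"
    "To: discuss@lists.example\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=strict.example; s=sel; b=(constructed)\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(prepare_for_list(SAMPLE).as_string())
```

After the rewrite, DMARC alignment is evaluated against the list's domain rather than the poster's, so body or Subject changes made by the list no longer cause rejections at receivers honoring the poster's policy.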