On 07/19/2018 02:37 PM, Grant Taylor via Mailman-Users wrote: > > I'd argue that it's best to: > > 1) Do all the typical DMARC, DKIM, SPF, etc. filtering on email inbound > to the mail server. > 2) Strip DKIM (related) headers from messages going into Mailman.
Mailman can be configured to remove DKIM related headers from incoming mail before sending. When first implemented, this was done unconditionally. There were strenuous objections, see the thread at <https://mail.python.org/pipermail/mailman-developers/2007-February/019346.html>, and removal was made conditional on REMOVE_DKIM_HEADERS which defaults to No. The bottom line is that the DKIM standard (RFC 6376) says that invalid signatures SHOULD NOT be treated differently fro no signature, and people feel the invalid signature may have forensic value. > 3) ...Mailman w/ DMARC friendly settings... > 4) Apply new DKIM signatures as messages leave the mail server. -- Mark Sapiro <m...@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan ------------------------------------------------------ Mailman-Users mailing list Mailman-Users@python.org https://mail.python.org/mailman/listinfo/mailman-users Mailman FAQ: http://wiki.list.org/x/AgA3 Security Policy: http://wiki.list.org/x/QIA9 Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org