Hi,

just wondering, wouldn't it be significantly better to only modify headers and double-sign when the original message's DKIM signature doesn't pass? Absolutely correct me if I'm mistaken, but this would keep DMARC (if it also exists) valid and detach the mailing lists' reputation from the message, probably making deliverability better, if the senders have a proper setup.

ARC on top of that would be a nice clear indication that it has been forwarded in some way and DKIM would say it's not lying. The rest of the letters' senders can be rewritten.


Or are SPF (hard)fails too strong of a negative signal in most cases that these DKIM-signed messages wouldn't be accepted?




Taavi

On 14/06/2022 19:51, Ken O'Driscoll via mailop wrote:
Hi Axel,

I would suggest:

* Make sure that the list's 5321.From (return-path/envelope/MAILFROM) domain 
has a valid and restrictive SPF
* DKIM sign all list messages with your own key
* Use different DKIM keypairs for each list
* Don’t modify the original message body (e.g., adding in a list footer etc.)
* If the sender's domain has DMARC with an enforcing policy 
(p=quarantine/reject) then rewrite the 5322.From to use the list's domain

Not modifying the body of the message will give any original DKIM message 
signature the best chance of preserving validity.

Signing with your own DKIM key will create an additional reputation data point 
for message filters, which will help over time.

DMARC won't survive a MLM, so you have to rewrite the From to give the message 
a chance of being received. Your own DKIM signature will still be valid.

Implementing ARC wouldn't hurt, but don't expect it to magically fix anything. 
Your ARC set still needs to be trusted by message filters which implement ARC 
and there is no centralised mechanism to facilitate this yet. Larger providers 
may use ML to trust particular ARC header sets but who knows.

I wouldn't suggest that you implement DMARC on your list domain as it won't 
help with deliverability and will just cause more issues. It's not really 
designed for mailing lists.

Ken.

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Axel Rau via
mailop
Sent: Tuesday 14 June 2022 16:51
To: Paul Vixie via mailop <mailop@mailop.org>
Subject: [mailop] Best practice for mailing list servers

Hi all,

I’m running a mailman3 site with several small mailing lists.

Today Google let all mails without DKIM sig bounce.
Other ESPs refuse my mails because of broken DKIM sig.

Currently the listserver does not DKIM-sign nor remove DKIM-sigs.

It seems that mails with DKIM-sig (from the author domain, but broken
by the list server) are accepted by Google.

Should I adopt ARC?
Along with DMARC?

What is best practice in 2022?


Any help appreciated,
Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
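The rules Ken lists above (never touch the body because it breaks the author's DKIM body hash, and rewrite the 5322.From only when the author domain publishes an enforcing DMARC policy) as a runnable Python sketch. This is an added example, not code from the thread, from Mailman or from any of the posters. The DNS records, the "Axel Rau via mailop" display-name shape (copied from the quoted header above), the helper names and the last-two-labels organizational-domain shortcut are all assumptions made for the example; a real evaluator would resolve _dmarc TXT records over DNS and use the Public Suffix List.

```python
"""
Decide how a mailing-list manager (MLM) should handle an inbound post.
Example code; the DNS data is constructed inline so it runs offline.
"""
import base64
import hashlib
import re

# Constructed stand-in for DNS: _dmarc.<domain> name -> TXT record.
CONSTRUCTED_DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    # example.org publishes no DMARC record at all
}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into lower-cased tag -> value; None if not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def organizational_domain(domain):
    """Assumed simplification for this example: the last two labels.
    RFC 7489 section 3.2 uses the Public Suffix List instead."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])


def effective_dmarc_policy(from_domain, dns_txt):
    """Policy applying to a 5322.From at from_domain: 'none', 'quarantine',
    'reject', or None when neither the domain nor its org domain has a record."""
    from_domain = from_domain.lower()
    record = dns_txt.get("_dmarc." + from_domain)
    tags = parse_dmarc(record) if record else None
    if tags is not None:
        return tags.get("p", "none").lower()
    org = organizational_domain(from_domain)
    if org == from_domain:
        return None
    record = dns_txt.get("_dmarc." + org)
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return None
    # An org-domain record covers subdomains through sp= when present, else p=.
    return tags.get("sp", tags.get("p", "none")).lower()


def plan_from_header(author_address, display_name, list_address, dns_txt):
    """Rewrite 5322.From to the list's domain only for enforcing policies."""
    author_domain = author_address.rsplit("@", 1)[1]
    policy = effective_dmarc_policy(author_domain, dns_txt)
    if policy in ("quarantine", "reject"):
        list_name = list_address.split("@", 1)[0]
        return {"rewrite": True, "policy": policy,
                "from": f'"{display_name} via {list_name}" <{list_address}>'}
    return {"rewrite": False, "policy": policy,
            "from": f'"{display_name}" <{author_address}>'}


def relaxed_body_hash(body):
    """DKIM bh= value under the 'relaxed' body canonicalization (RFC 6376 3.4.4):
    collapse runs of WSP, strip trailing WSP, drop trailing empty lines, CRLF-terminate."""
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    data = "\r\n".join(canon) + "\r\n" if canon else ""
    return base64.b64encode(hashlib.sha256(data.encode("utf-8")).digest()).decode("ascii")


def footer_breaks_dkim(original_body, footer):
    """True when appending footer changes bh= and so invalidates the author's signature."""
    return relaxed_body_hash(original_body) != relaxed_body_hash(original_body + footer)


if __name__ == "__main__":
    for addr in ("axel@example.com", "axel@sub.example.com",
                 "axel@example.net", "axel@example.org"):
        print(addr, plan_from_header(addr, "Axel Rau", "mailop@mailop.org", CONSTRUCTED_DNS_TXT))
    print("footer breaks DKIM:", footer_breaks_dkim("Hi all,\r\n", "\r\n-- \r\nlist footer\r\n"))
    print("blank lines break DKIM:", footer_breaks_dkim("Hi all,\r\n", "\r\n\r\n"))
```

Two things the run makes visible that the prose only states: a subdomain of a p=reject domain that sets sp=none is not enforcing, so no rewrite is needed there, and under relaxed canonicalization extra trailing blank lines leave bh= untouched while any real footer text changes it.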
