On Fri 17/Feb/2023 17:07:33 +0100 Patrick Ben Koetter wrote:
> Greetings,
>
> I'm about to set up a new mailing list server. It will use Mailman 3, which is
> able to add ARC signatures to incoming messages. The lists will also rewrite
> the From: header to match the list's name and domain. I'm unsure if
> outbound messages should also be DKIM signed or does it suffice to add ARC
> signatures?

The reason ARC was proposed is to avoid rewriting the From: header. If you're
willing to experiment on this, you can create two sibling lists[*], one of
which rewrites From: while the other does not. Subscribers choose which list
they prefer, based on their MTA capability of redeeming a broken DKIM after ARC
reports it was good on arrival. You're better off testing MTA capabilities
before allowing subscriptions on the non-munging list.

Only the non-munging list requires ARC. Anyway, beware of Mailman's ARC
implementation. It was coded as a proof of concept, but is not to be used in
production. Indeed, you need an ARC-signer which trusts the
Authentication-Results obtained by the bastion host and, after list
transformations, turns them into ARC-Authentication-Results. Mailman cannot
verify SPF.

ARC is experimental. If you don't want to experiment, there's no reason to use
it. DKIM is enough.

Best
Ale
--
[*] The suggested method to manage two sibling lists is to put them as
sub-lists under an umbrella list. The latter has the former two as its only
subscribers, and won't accept more. Both sibling lists accept subscribers
under the site and list policy. The umbrella list accepts posts. The sibling
lists don't, and advertise the umbrella list as the destination for posts. (It
would be simpler if Mailman had a subscriber option about From: munging, but
they won't develop it if nobody tries it, a chicken and egg problem.)
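
The step described above, in which an ARC signer trusts only the bastion host's Authentication-Results and turns them into ARC-Authentication-Results, sketched as an added example (not Mailman's code and not part of the original post). The authserv-id `bastion.example.org` and the sample message are constructed assumptions; only the AAR header is built, not the ARC-Message-Signature or ARC-Seal.

```python
import re
from email import message_from_string

# Assumption: the authserv-id our bastion host stamps on inbound mail. The
# bastion must also strip inbound headers that already carry this id
# (RFC 8601), otherwise a sender could forge a "trusted" result.
TRUSTED_AUTHSERV_ID = "bastion.example.org"

# Constructed sample: one genuine A-R header, one from an unknown host, and
# an ARC-Seal left by an earlier hop (signature value is a placeholder).
SAMPLE = """\
Authentication-Results: bastion.example.org;
 dkim=pass header.d=sender.example;
 spf=pass smtp.mailfrom=sender.example
Authentication-Results: mx.untrusted.example; dkim=pass header.d=bank.example
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=sender.example; s=sel; b=CONSTRUCTED
From: alice@sender.example
Subject: test

body
"""

def next_instance(msg):
    """Next ARC instance: highest i= in existing ARC-Seal headers, plus one."""
    seen = [0]
    for value in msg.get_all("ARC-Seal", []):
        m = re.search(r"(?:^|;)\s*i\s*=\s*(\d+)", value)
        if m:
            seen.append(int(m.group(1)))
    return max(seen) + 1

def trusted_results(msg, authserv_id):
    """Result clauses from A-R headers stamped with our own authserv-id only."""
    results = []
    for value in msg.get_all("Authentication-Results", []):
        unfolded = re.sub(r"\s+", " ", value).strip()
        ident, _, resinfo = unfolded.partition(";")
        tokens = ident.split()  # authserv-id, optionally followed by a version
        if tokens and tokens[0].lower() == authserv_id.lower():
            results.append(resinfo.strip(" ;") or "none")
    return results

def build_aar(raw_message, authserv_id=TRUSTED_AUTHSERV_ID):
    """Combine all trusted results into one ARC-Authentication-Results header."""
    msg = message_from_string(raw_message)
    payload = "; ".join(trusted_results(msg, authserv_id)) or "none"
    return f"ARC-Authentication-Results: i={next_instance(msg)}; {authserv_id}; {payload}"
```

The results come from the A-R header recorded on arrival, so they still describe the message as it was before the list modified it.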