On Mon, Aug 17, 2015 at 10:55:53AM -0700, Quanah Gibson-Mount wrote: > However, there are two solutions to that allow adding a footer when list > subscribers may have DKIM signed email: > > a) As noted in the OpenDKIM README, in the "Mailing Lists" section, if the > list traffic is itself has DKIM signing in place, it will override the DKIM > signing done by the sender. This allows the footer modification to the > message to no longer be an issue.
This fixed the DKIM problem, not the DMARC issue. For DMARC the signature should come from the same as the From address. Since SPF is going to fail with your From, the receiver will need to see DKIM that matches the From. For DMARC either SPF or DKIM should be valid and match the From field, while for SPF and DKIM itself the From doesn't matter. So really the only options for DMARC are: - Do not touch either the signed headers or body at all, leave From intact, keep the DKIM signatures. But even then it might break. - Change the From. You can leave the DKIM signature in tact or remove it, it doesn't change anything. - Do not allow people with a p=reject DMARC policy on the list > b) Mailman can be configured to strip DKIM headers entirely from incoming > email. This is generally considered bad practice, but it does allow the > emails to get delivered to all list members w/o issue. No it doesn't, see above. The DMARC test should always fail if you do that. Kurt _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev