On Fri, Aug 13, 2021 at 01:31:05PM -0400, Wietse Venema <wie...@porcupine.org> wrote:
> post...@ptld.com:
> > > Domain alignment is essential to DMARC. DMARC always refers to the
> > > From header domain. SPF validates the envelope sender (MailFrom)
> > > domain. DKIM can validate any domain, even one not used anywhere else
> > > in the message. For DMARC to succeed, the From header domain must
> > > align with a domain whose validation mechanism succeeds.
> >
> > All of that makes sense. Anyone know why a sizeable percentage of emails
> > from the dovecot mailing list fail dmarc? Is dovecot doing something
> > wrong or is it users with improperly setup dkim keys? Because it seems
> > like mail from the postfix mailing list always pass dmarc.
>
> The Postfix list uses Majordomo. It adds Sender and List- headers.
> As long as the original DKIM signature did not cover such headers,
> the signature will continue to validate.
>
> Wietse

Lots of mailing lists add a bit of list-related text at the end
of each message (even though the same information is in List-
headers as well). That renders DKIM signatures invalid.
Perhaps the dovecot list does that. It doesn't seem to,
looking at the archives.

Looking at your "Why do so many dovecot list mails fail dmarc?"
message on that list:

The From: domain is protonmail.ch

The Envelope sender domain is dovecot.org
so SPF doesn't contribute to DMARC.

The DKIM signing domain is protonmail.ch
so it can contribute to DMARC.

The headers that are included in the DKIM signature are:

  h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From;

And I can see:

  X-Original-To: dove...@dovecot.org
  To: Aki Tuomi <aki....@open-xchange.com>

That looks to me like the To header was changed by the
mailing list software from the list address to the list
member's address, and that rendered the DKIM signature
invalid.

If To: was removed from the list of DKIM-signed headers,
then it could pass a DMARC check, but that's probably a
bad idea.

A better solution would be for the mailing list software
to leave the To: header alone and only use the list member's
addresses in the envelope. But presumably, that's not going
to happen.

cheers,
raf
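
The header comparison walked through in this message, as an added example that is not part of the original post: it checks which headers named in the quoted h= tag differ between the signed copy and the list-delivered copy, then applies strict (exact-domain) DMARC alignment. The sample headers, addresses and function names are constructed; no cryptographic verification is done, and relaxed alignment (which needs the Public Suffix List) is not modelled.

```python
import re

# DKIM h= tag quoted in the message above; "From" listed twice is over-signing.
H_TAG = "Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From"

def relaxed(value):
    """Approximate 'relaxed' header canonicalization: unfold and collapse whitespace."""
    return re.sub(r"\s+", " ", value).strip()

def changed_signed_headers(h_tag, signed, delivered):
    """Names from h= whose value differs between the signed and delivered copy.
    A header absent when signed but present on delivery also counts as changed."""
    names = dict.fromkeys(n.strip().lower() for n in h_tag.split(":"))
    return [n for n in names
            if relaxed(signed.get(n, "")) != relaxed(delivered.get(n, ""))]

def domain_of(addr):
    """Domain part of an address such as 'Name <user@domain>' (simplified parsing)."""
    return addr.rsplit("@", 1)[-1].strip(" >").lower()

def evaluate(signed, delivered, envelope_sender, dkim_d, spf_pass=True):
    """Return (changed signed headers, DMARC pass) using strict alignment.
    Assumption: the body is untouched, so DKIM verifies iff no signed header changed."""
    changed = changed_signed_headers(H_TAG, signed, delivered)
    from_dom = domain_of(delivered["from"])
    spf_aligned = spf_pass and domain_of(envelope_sender) == from_dom
    dkim_aligned = not changed and dkim_d.lower() == from_dom
    return changed, spf_aligned or dkim_aligned

# Constructed sample headers (example domains, not taken from the thread).
SIGNED = {"from": "Author <author@author.example>", "to": "list@list.example",
          "subject": "test", "date": "Fri, 13 Aug 2021 10:00:00 +0000"}
# A list that only adds Sender and List- headers, none of which are in h=.
ADDS_HEADERS = {**SIGNED, "sender": "owner@list.example",
                "list-id": "<list.list.example>"}
# A list that rewrites To: to the member's address.
REWRITES_TO = {**SIGNED, "to": "member@member.example",
               "x-original-to": "list@list.example"}

if __name__ == "__main__":
    for label, msg in (("adds headers", ADDS_HEADERS), ("rewrites To", REWRITES_TO)):
        print(label, evaluate(SIGNED, msg, "bounces@list.example", "author.example"))
```

In both cases SPF passes for the list's own envelope domain but does not align with the From domain, so the DMARC result depends entirely on whether the author's DKIM signature survives the list.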