Hi Aki,
Right.
On 2026/03/30 12:05, Aki Tuomi wrote:
On 30/03/2026 12:12 EEST Jaco Kroon via dovecot <[email protected]> wrote:
Hi,
It seems like the list system is breaking DKIM - triggering bounces,
resulting in unsubscribes.
Are there recommendations on how to deal with this?
Looks like it relates 100% to the addition of the footer:
______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Kind regards,
Jaco
-------- Forwarded Message --------
Subject: dovecot mailing list probe message
Date: Mon, 30 Mar 2026 06:32:58 +0000
From: dovecot-bounces+a190cb9ae5d94d8fa6e2af68fc964a7aaa132...@dovecot.org
To: [email protected]
It seems like the list system is breaking DKIM - triggering bounces,
resulting in unsubscribes.
Are there recommendations on how to deal with this?
Looks like it relates 100% to the addition of the footer:
It's using ARC-Signing, but ofc no one supports that. DMARC/DKIM and mailing
lists are super fun.
Right. So looking at an example that did come through (Date: Mon, 30
Mar 2026 10:18:08 -0000; Message-ID:
<[email protected]>), the
original sender doesn't contain DKIM, so no ARC. There is, however, a
new DKIM signature with d=dovecot.org (which does pass).
I think there is potential sender impact here too, since the mailer
rewrites the From: email to [email protected] (which may affect DMARC
related checks). Sorry, still trying to figure all of this out, but the
number of DKIM failures we're seeing overall is minimal.
Do you happen to have a good reference at hand you can point me to?
Google isn't being particularly helpful right now (will keep trying),
specifically related to the (I don't mind technical, but the RFCs on the
matter do seem to beat my brain's abstract ability a bit - so a
slightly dumbed down technical version would be perfect, but not down to
the "what it is" only level that most guides seem to be at).
Not sure if this is the specific message that was bounced, but looking
at the exim logs for *an* example:
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM:
signers=dovecot.org:open-xchange.com, cur=dovecot.org, status=pass,
reason=, domain=dovecot.org, identity=, selector=mail, algo=rsa-sha256,
canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM:
signers=dovecot.org:open-xchange.com, cur=open-xchange.com, status=fail,
reason=bodyhash_mismatch, domain=open-xchange.com, identity=,
selector=s1dus, algo=rsa-sha256, canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy H=talvi.dovecot.org
[94.237.105.223] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM
: DKIM failure for d=open-xchange.com s=s1dus: bodyhash_mismatch
So the first DKIM signature is status pass, the latter fails, so one
strategy would be "at least one successful DKIM, or NO DKIM at all",
there are ARC headers present here as per below:
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy H=talvi.dovecot.org
[94.237.105.223] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM
: DKIM failure for d=open-xchange.com s=s1dus: bodyhash_mismatch
Envelope-from: <[email protected]>
ARC-Seal: i=1; s=arc; d=dovecot.org; t=1774866320; a=rsa-sha256; cv=none;
b=EC90wsNC3CKIgTeRf2ABxGstdt+SN/33FsXEn7Bkh798TX/DNR7pqjp5+m/xdAsBa1thrP
KoM72A9bpjqDxqid9IIcB8oSrsQFShQah4szclrU86CiPg0MnKJSyfoRPgKg6PtCxel6I6
ky6HIDQ6R0F5rziQkeVgehZd70h1YNgmbiyYwqS7rj1Iq7s0ZZ3u14e/JXP2ONUWJKXPDj
k+l4Cnb/IeKXtvYIqQX1KM5z5T3XvS3RWtF8KDwy+fROVkxMGCKm8fFm3Bklj8viKybktQ
yhYZp+DjmneqKdLsKrUlOi4Ntp9ED4GdsBzHau+eKg/Uaekk3uN1jIG70OBVeA==
ARC-Authentication-Results: i=1;
talvi.dovecot.org;
dkim=pass header.d=open-xchange.com header.s=s1dus header.b=GIYYG8yJ;
spf=pass (talvi.dovecot.org: domain of [email protected]
designates
89.163.165.132 as permitted sender)
[email protected];
dmarc=pass (policy=reject) header.from=open-xchange.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=dovecot.org;
s=arc; t=1774866320;
h=from:from:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references:dkim-signature;
bh=x77+dfSTZ5Gi7j/lck5C4TlajJJes2HnylW7FXyR6uM=;
b=dzEMOMEBfGH+3qjkA5VJ1vWGcWv90o0WVbe6+ECAyWns++ptVADigE0D71Ohws1Hu3Ad4L
PW84V7Cg9/a6bwxCuoihtY3W0ytL2MEPwEn9BaijV4+Gyd3Dt3gxwL2c+LZCYECvbgHnzR
nBrV6XTuYe4tk0K6+qhC4Fk0Qdbm5PX1fz03U1gzCxR6ALDOjRKrhe+ygezFDu07UYDzuO
odoE5hl55zTtzh9oEQEHJ5+/pZ4S9t+bVG3e/1825DgAp5RH/Q+piSZ3gZSCkLYLOq5Klp
QoAJ9+uHLLCPoA0z0VcOI0hHs6Gwwf7tgRWZlcEtScId7ITRujmMcezKm2bHHA==
So should just be a matter of verifying those to get the
open-xchange.com signature to pass (or completely ignore it probably
based on the ARC headers) and perform relevant DMARC alignment checks
(which I make note is also outstanding on the specific host).
Kind regards,
Jaco
Aki
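
Added example, not part of the original message or of any project's code: a Python sketch of why a footer appended by the list produces bodyhash_mismatch for the author's d=open-xchange.com signature while the list's own d=dovecot.org signature passes, and how rewriting From: changes which passing signature is aligned. The message body and footer are constructed, only the body-hash (bh=) step of DKIM is modelled, and the alignment rule is a simplification.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of space/tab to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer puts in bh= for a=rsa-sha256 with relaxed body canon."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def evaluate(signatures, delivered_body, from_domain):
    """Body-hash step per signature, plus a simplified DKIM alignment check.
    Assumption: aligned means From domain equals d= or is a subdomain of it;
    real DMARC compares organizational domains and also verifies b=."""
    seen = body_hash(delivered_body)
    results = {d: "pass" if bh == seen else "bodyhash_mismatch"
               for d, bh in signatures}
    aligned = any(r == "pass" and (from_domain == d or from_domain.endswith("." + d))
                  for d, r in results.items())
    return results, aligned

# Constructed sample body and footer (not the message from the thread).
AUTHOR_BODY = b"Hi,\r\n\r\nDoes anyone see this too?  \r\n"
LIST_FOOTER = (b"_______________________________________________\r\n"
               b"example mailing list footer line\r\n")

def list_scenario():
    author_bh = body_hash(AUTHOR_BODY)     # author's domain signs first
    relayed = AUTHOR_BODY + LIST_FOOTER    # list appends its footer
    list_bh = body_hash(relayed)           # list signs the modified body
    sigs = [("dovecot.org", list_bh), ("open-xchange.com", author_bh)]
    return {
        "direct": evaluate([("open-xchange.com", author_bh)],
                           AUTHOR_BODY, "open-xchange.com"),
        "relayed_from_kept": evaluate(sigs, relayed, "open-xchange.com"),
        "relayed_from_rewritten": evaluate(sigs, relayed, "dovecot.org"),
    }

if __name__ == "__main__":
    for name, (results, aligned) in list_scenario().items():
        print(name, results, "aligned DKIM pass:", aligned)
```

Whitespace-only changes survive relaxed canonicalization, so only added or altered content such as the footer changes bh=.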