Jaco Kroon via dovecot wrote on 2026-03-30 13:39:
Hi Aki,
Right.
X-Spam-Status: No, score=-9.7 tagged_above=-999 required=5
tests=[AUTHRES_DKIM_NONE=1.5, AUTHRES_DMARC_PASS=-1.5,
AUTHRES_SPF_PASS=-0.5,
AWL=-8.040, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, KAM_ASCII_DIVIDERS=0.64, MAILING_LIST_MULTI=-0.1,
RCVD_IN_DNSWL_MED=-2.3, RELAYCOUNTRY_BAD_ZA=1.5,
RELAYCOUNTRY_GOOD=-0.5,
SPF_HELO_PASS=-0.1, SPF_PASS=-0.1] autolearn=no autolearn_force=no
as my spamassassin see it :)
On 2026/03/30 12:05, Aki Tuomi wrote:
On 30/03/2026 12:12 EEST Jaco Kroon via dovecot <[email protected]>
wrote:
Hi,
It seems like the list system is breaking DKIM - triggering bounces,
resulting in unsubscribes.
Are there recommendations on how to deal with this?
Looks like it relates 100% to the addition of the footer:
-------- Forwarded Message --------
Subject: dovecot mailing list probe message
Date: Mon, 30 Mar 2026 06:32:58 +0000
From:
dovecot-bounces+a190cb9ae5d94d8fa6e2af68fc964a7aaa132...@dovecot.org
To: [email protected]
It's using ARC-Signing, but ofc no one supports that. DMARC/DKIM and
mailing lists are super fun.
maillist could proactively reject if dmarc policy is not policy none
hopefully none are rejecting in dkim milters :/
Right. So looking at an example that did come through (Date: Mon, 30
Mar 2026 10:18:08 -0000; Message-ID:
<[email protected]>), the
original sender doesn't contain DKIM, so no ARC. There is, however, a
new DKIM signature with d=dovecot.org (which does pass).
I think there is potential sender impact here too, since the mailer
rewrites the From: email to [email protected] (which may affect DMARC
related checks). Sorry, still trying to figure all of this out, but
the number of DKIM failures we're seeing overall is minimal.
Do you happen to have a good reference at hand you can point me to?
Google isn't being particularly helpful right now (will keep trying),
specifically related to the (I don't mind technical, but the RFCs on
the matter do seem to beat my brain's abstract ability a bit - so a
slightly dumbed down technical version would be perfect, but not down
to the "what it is" only level that most guides seem to be at).
Not sure if this is the specific message that was bounced, but looking
at the exim logs for *an* example:
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM:
signers=dovecot.org:open-xchange.com, cur=dovecot.org, status=pass,
reason=, domain=dovecot.org, identity=, selector=mail, algo=rsa-sha256,
canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM:
signers=dovecot.org:open-xchange.com, cur=open-xchange.com,
status=fail, reason=bodyhash_mismatch, domain=open-xchange.com,
identity=, selector=s1dus, algo=rsa-sha256, canon_body=relaxed,
canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy H=talvi.dovecot.org
[94.237.105.223] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected
DKIM : DKIM failure for d=open-xchange.com s=s1dus: bodyhash_mismatch
So the first DKIM signature is status pass, the latter fails, so one
strategy would be "at least one successful DKIM, or NO DKIM at all",
there are ARC headers present here as per below:
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy H=talvi.dovecot.org
[94.237.105.223] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected
DKIM : DKIM failure for d=open-xchange.com s=s1dus: bodyhash_mismatch
Envelope-from: <[email protected]>
ARC-Seal: i=1; s=arc; d=dovecot.org; t=1774866320; a=rsa-sha256;
cv=none;
b=EC90wsNC3CKIgTeRf2ABxGstdt+SN/33FsXEn7Bkh798TX/DNR7pqjp5+m/xdAsBa1thrP
KoM72A9bpjqDxqid9IIcB8oSrsQFShQah4szclrU86CiPg0MnKJSyfoRPgKg6PtCxel6I6
ky6HIDQ6R0F5rziQkeVgehZd70h1YNgmbiyYwqS7rj1Iq7s0ZZ3u14e/JXP2ONUWJKXPDj
k+l4Cnb/IeKXtvYIqQX1KM5z5T3XvS3RWtF8KDwy+fROVkxMGCKm8fFm3Bklj8viKybktQ
yhYZp+DjmneqKdLsKrUlOi4Ntp9ED4GdsBzHau+eKg/Uaekk3uN1jIG70OBVeA==
ARC-Authentication-Results: i=1;
talvi.dovecot.org;
dkim=pass header.d=open-xchange.com header.s=s1dus
header.b=GIYYG8yJ;
spf=pass (talvi.dovecot.org: domain of [email protected]
designates
89.163.165.132 as permitted sender)
[email protected];
dmarc=pass (policy=reject) header.from=open-xchange.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
d=dovecot.org;
s=arc; t=1774866320;
h=from:from:sender:reply-to:subject:subject:date:date:
message-id:message-id:to:to:cc:mime-version:mime-version:
content-type:content-type:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references:dkim-signature;
bh=x77+dfSTZ5Gi7j/lck5C4TlajJJes2HnylW7FXyR6uM=;
b=dzEMOMEBfGH+3qjkA5VJ1vWGcWv90o0WVbe6+ECAyWns++ptVADigE0D71Ohws1Hu3Ad4L
PW84V7Cg9/a6bwxCuoihtY3W0ytL2MEPwEn9BaijV4+Gyd3Dt3gxwL2c+LZCYECvbgHnzR
nBrV6XTuYe4tk0K6+qhC4Fk0Qdbm5PX1fz03U1gzCxR6ALDOjRKrhe+ygezFDu07UYDzuO
odoE5hl55zTtzh9oEQEHJ5+/pZ4S9t+bVG3e/1825DgAp5RH/Q+piSZ3gZSCkLYLOq5Klp
QoAJ9+uHLLCPoA0z0VcOI0hHs6Gwwf7tgRWZlcEtScId7ITRujmMcezKm2bHHA==
So should just be a matter of verifying those to get the
open-xchange.com signature to pass (or completely ignore it probably
based on the ARC headers) and perform relevant dmarc alignment checks
(which I make note is also outstanding on the specific host).
all good
never reject maillist servers, never as never :=)
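
The strategy quoted in this thread ("at least one successful DKIM, or NO DKIM at all"), applied to the exim DKIM log lines shown above. This is an added example, not code from any of the posters or from exim; the third log line, the `from_domain` values and the simplified alignment rule are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the two DKIM lines from the thread (unwrapped) plus one
# invented message (id and domain are placeholders) whose only signature fails.
SAMPLE_LOG = """\
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM: signers=dovecot.org:open-xchange.com, cur=dovecot.org, status=pass, reason=, domain=dovecot.org, identity=, selector=mail, algo=rsa-sha256, canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:26:27 1w79pC-000000005Fq-2soy DKIM: signers=dovecot.org:open-xchange.com, cur=open-xchange.com, status=fail, reason=bodyhash_mismatch, domain=open-xchange.com, identity=, selector=s1dus, algo=rsa-sha256, canon_body=relaxed, canon_headers=relaxed
2026-03-30 12:27:01 1w79pD-EXAMPLE-0001 DKIM: signers=example.net, cur=example.net, status=fail, reason=bodyhash_mismatch, domain=example.net, identity=, selector=k1, algo=rsa-sha256, canon_body=relaxed, canon_headers=relaxed
"""

LINE_RE = re.compile(r"^\S+ \S+ (?P<msgid>\S+) DKIM: (?P<fields>.+)$")


def parse_dkim_lines(log_text):
    """Return {exim message id: [(signing domain, status, reason), ...]}."""
    results = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = dict(kv.split("=", 1) for kv in m["fields"].split(", "))
            results[m["msgid"]].append((f["cur"], f["status"], f["reason"]))
    return dict(results)


def aligned(sig_domain, from_domain):
    """Simplified relaxed alignment (assumption): equal or parent/child domain.
    A real check compares organizational domains via the Public Suffix List."""
    a, b = sig_domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def verdict(sigs, from_domain):
    """Apply 'at least one successful DKIM, or no DKIM at all'."""
    if not sigs:
        return (True, "no DKIM")
    passing = [d for d, status, _ in sigs if status == "pass"]
    if not passing:
        return (False, "all signatures failed")
    if any(aligned(d, from_domain) for d in passing):
        return (True, "aligned pass")
    return (True, "unaligned pass")


if __name__ == "__main__":
    by_msg = parse_dkim_lines(SAMPLE_LOG)
    # from_domain values are assumptions; the thread's addresses are redacted.
    for msgid, from_domain in (("1w79pC-000000005Fq-2soy", "dovecot.org"),
                               ("1w79pD-EXAMPLE-0001", "example.net")):
        print(msgid, verdict(by_msg[msgid], from_domain))
```

An "unaligned pass" is accepted by this strategy but would not by itself satisfy DMARC for the From: domain, which is why the alignment result is reported separately.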