On Sun, Apr 28, 2019 at 8:43 PM Bill Cole via mailop <mailop@mailop.org> wrote:
> On 28 Apr 2019, at 21:51, John Levine via mailop wrote: > > > Just to be clear, we all understand that these funky DKIM signatures > > have nothing to do with the reason that Google is rejecting mailop > > messages, right? > > I think so... > > I mean, I believe that you are correct in that a SPF record for the IPv6 > output would fix the problem without anyone making DKIM changes. > > HOWEVER: if I understand Simon's description of the rejection events > correctly, the trigger was specifically a message with a broken DKIM > signature which had not had its From munged (because the DMARC record > had p=none,) and that changing Mailman to munge ALL From headers fixed > the problem. This would imply that Google is doing something very > dubious in looking for "authentication." > Broken DKIM = no DKIM and the conversations around munging from headers or deleting DKIM header fields would all just result in more instances of "no DKIM". In any of those cases, the mail does not have valid domain authentication, is being delivered over IPv6 which has a "no auth --> no entry" policy and is accordingly rejected. Mailop either needs to implement ARC (there are solutions for that which work with Mailman 2 & 3), sign outgoing mail with its own DKIM signatures (along with header munging), or implement SPF authentication in order to have authentication. Or, as John has pointed out a few times, just deliver over IPv4. --Kurt
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
