So continuing the saga ... digging into /etc/postfix/header_checks I found a revision I made back in January to try to keep our outgoing email from having headers with the IP address of the email client that sent the email to the server and maybe keep Gmail from marking our outgoing email as SPAM.
/^Received:.*with ESMTPSA/ IGNORE /^X-Originating-IP:/ IGNORE /^X-Mailer:/ IGNORE /^Mime-Version:/ IGNORE If I comment that out and add mime_header_checks = regexp:/etc/postfix/header_checks header_checks = regexp:/etc/postfix/header_checks back into main.cf DKIM still appears to work properly. So, looks like I probably broke it back in January. Gack ... apparently I didn't test that revision correctly and it was rewriting incoming email headers. -Ken > On May 10, 2025, at 1:06 PM, Scott Kitterman via Postfix-users > <postfix-users@postfix.org> wrote: > > > > On May 10, 2025 5:57:34 PM UTC, Dan Mahoney via Postfix-users > <postfix-users@postfix.org> wrote: >> Mime-version was listed as a signed header but was absent. >> >> I suspect his header checks cleaned that out. >> >> Note that having a header listed in the H equals list, but having that >> header be absent is legal, but I don’t know why the signing software would >> say it’s signing that header when it’s not there. >> > > Generically (probably not relevant here), 'signing' a non-existent header > field will cause the signature verification to fail if one is later added. > There may be times when that's desirable. > > Scott K > _______________________________________________ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
