Hi, > i noted that it's possible to get dmarc fail on postfix maillist > > its spf none, dkim none, dmarc fail, in my tests, arc is not tested or > planned to be in use
I tested your two emails for DKIM, and both failed for me. The ones by Noel and Ralph did get through. I used dkimverify.py from the dkimpy package, and copy/paste to get the message source in. A difference between your DKIM-Signature and the others' is that you have set c=simple/simple where the others use c=relaxed/relaxed and c=relaxed/simple. As a result of this, you are picking on whitespace modifications in the headers while the others are not: To satisfy all requirements, two canonicalization algorithms are defined for each of the header and the body: a "simple" algorithm that tolerates almost no modification and a "relaxed" algorithm that tolerates common modifications such as whitespace replacement and header field line rewrapping. [Section 3.4 of RFC6376 on DKIM Signatures] I didn't see any changes in whitespace in my postings to this list, but that may also be due to normalisation in the spam filter through which both outgoing and incoming messages pass. -Rick