On 24.02.25 10:45, Matthias Apitz wrote:
>
> Hi Stefan,
>
> >
> > grep ^DKIM mutt.mail
> > DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org <http://
> smtp1.osuosl.org> <http://
> > smtp1.osuosl.org <http://smtp1.osuosl.org>> C3A51819CC
> > DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org <http://
> smtp3.osuosl.org> <http://
> > smtp3.osuosl.org <http://smtp3.osuosl.org>> 5EB3A605E8
> > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>
>
> not sure what you are try to tell us here - what is relevant is whether
> the signature (if there is one) still validates and whether those lists
> actually maintain List-* headers.
>
>
> The mail I sent to the mutt-users mailing list contains what my provider
> adds as DKIM-signature:
>
[...headers showing mailman forcibly removing dkim signatures...]
> ...
>
> Why postgresql.org <http://postgresql.org> can not do the same?
sorry to be blunt but that behaviour is completely broken in a modern
mail world (though it might have worked like 10+ years ago) - it looks
like that list is simply removing dkim signatures, per the standard that
means the signature is invalid (because an invalid signature is treated
the same as an unsigned).
Unsigned mails(these days SPF, DKIM and DMARFC are not optional any
more) are basically undeliverable at scale to all large mail providers
other than if you are a super low volume sender - so that is a complete
non-starter for us.
Also note that that particular mailinglist setup seems to be unsuitable
for large volumen lists to say google anyway because afaiks it does not
support RFC8058 which is a google requirement for large senders.
It might work for (no offense intended) for a super tiny mailinglist
like mutt-users@ with a 2 figure number of mails per month (and probaly
a very small amount of subscribers) but not for us where we have easily
100x if not more that volume.
Stefan
