
Quoting Brian May via luv-talk (luv-talk@luv.asn.au):
> Which provokes the question - why not fix Mailman so it doesn't break the DKIM on the original message?
My understanding: Because the sending IP has changed.

I might be missing something here, but the basic job of DKIM/DMARC or SPF is to provide a means of determining that the mail has arrived from an IP address authorised by the claimed sending domain's owner (what is in the internal SMTP 'From: ' header) as a legitimate sending point for outgoing mail.[1] The domain owner publishes this information in the domain's DNS.

When I send a mail (bearing sending domain linuxmafia.com) to a LUV mailing list, it originates from my server's IP, 198.144.195.186. Any receiving MTA such as LUV's on the MX for luv.asn.au, can check my domain's published SPF record:

    $ dig -t txt linuxmafia.com +short
    "v=spf1 a mx -all"
    $

That says 'You should consider to be arriving from an authorised IP any mail from an IP matching my "A" or "MX" record.'

    $ dig -t mx linuxmafia.com +short
    10 linuxmafia.com.
    $ dig -t a linuxmafia.com +short
    198.144.195.186
    $

Et voila. It matches.

_Unfortunately_, upon retransmission by luv.asn.au, and re-mailed out to all mailing list subscribers, this time it arrives at the destination MTAs (for the subscribers) from luv.asn.au's IP address, 202.158.218.240. 202.158.218.240 is _not_ a match for sending domain linuxmafia.com's list of authorised sending IPs. So, if the claimed sending domain in the internal SMTP 'From: ' header still says linuxmafia.com, it can no longer pass an SPF check.

I've used SPF for this example because my domain's DNS doesn't (yet) publish DKIM or DMARC records, and because I'm more familiar with SPF at this time.
> I don't have the references handy, I apologise in advance if I got the above wrong.
Likewise. (it's been a long day here, I'm dead-tired, and also I'm short on time to study this. Sorry.)

-- 
Cheers,              (morganj): 0 is false and 1 is true, correct?
Rick Moen            (alec_eso): 1, morganj
rick@linuxmafia.com  (morganj): bastard.
McQ! (4x80)                     -- seen on IRC
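
The SPF evaluation walked through in the message above, as an added example that is not part of the original post: a small evaluator for the "a", "mx", "ip4" and "all" mechanisms, run against the record and addresses shown in the dig output. The static DNS table and the function names are assumptions of this example; which identity a receiver feeds into the check (RFC 7208 uses the envelope MAIL FROM or HELO domain) is outside its scope.

```python
import ipaddress

# Static DNS data copied from the dig output in the message (assumption:
# used instead of live lookups so the example runs offline).
DNS = {
    ("linuxmafia.com", "TXT"): ["v=spf1 a mx -all"],
    ("linuxmafia.com", "MX"): ["linuxmafia.com"],
    ("linuxmafia.com", "A"): ["198.144.195.186"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def mechanism_matches(mech, arg, domain, ip):
    """True if the connecting IP matches one SPF mechanism (subset only)."""
    target = arg or domain
    if mech == "all":
        return True
    if mech == "a":
        return any(ip == ipaddress.ip_address(a) for a in lookup(target, "A"))
    if mech == "mx":  # every MX host's address counts as authorised
        return any(ip == ipaddress.ip_address(a)
                   for host in lookup(target, "MX") for a in lookup(host, "A"))
    if mech == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    raise ValueError(f"unsupported term: {mech}")


def check_spf(client_ip, domain):
    """Evaluate terms left to right; the first match decides the result."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        mech, _, arg = body.partition(":")
        try:
            if mechanism_matches(mech.lower(), arg, domain, ip):
                return QUALIFIERS[qualifier]
        except ValueError:
            return "permerror"
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    for label, ip in [("direct from linuxmafia.com", "198.144.195.186"),
                      ("relayed via luv.asn.au", "202.158.218.240")]:
        print(f"{label:28} {ip:16} -> {check_spf(ip, 'linuxmafia.com')}")
```
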