
On Thu, Nov 19, 2015 at 06:16:16PM -0800, Rick Moen via luv-talk wrote:
> Quoting Brian May via luv-talk (luv-talk@luv.asn.au):
> > Which provokes the question - why not fix Mailman so it doesn't break the DKIM on the original message?
> My understanding: Because the sending IP has changed.
> I might be missing something here, but the basic job of DKIM/DMARC or SPF is to provide a means of determining that the mail has arrived from an IP address authorised by the claimed sending domain's owner (what is in the internal SMTP 'From: ' header) as a legitimate sending point for outgoing mail.[1] The domain owner publishes this information in the domain's DNS.
You *might* be conflating DKIM with DMARC (and in particular its relationship with SPF). As you have stated, SPF only protects the SMTP envelope (via policy), whereas DKIM protects the message itself (via cryptographic signature). DMARC expects at least one (or both) of the above to pass, *and* that the domain(s) align with those in the "From:" header field. Both SPF/DMARC policy and DKIM public keys are all published via DNS. [...]
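
The DMARC rule described above (at least one of SPF or DKIM passes, and the passing domain aligns with the "From:" domain), applied to a message relayed by a mailing list; this is an added example, not part of the original post. The suffix set, the domains example.com and lists.luv.asn.au, and the SPF/DKIM results are constructed, and signature and SPF verification are assumed to have been done upstream.

```python
# Added illustration, not from the thread. SPF/DKIM verification is assumed done
# upstream; this only applies the DMARC "pass + alignment" rule to those results.
SUFFIXES = {"com", "org", "au", "asn.au"}  # constructed stand-in for the Public Suffix List

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def aligned(auth_domain, from_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim_sigs, aspf_strict=False, adkim_strict=False):
    """spf is (result, envelope_domain); dkim_sigs is a list of (result, d_domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf_strict)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim_strict)
                  for r, d in dkim_sigs)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed cases: an author at example.com posts through a list whose
# envelope (bounce) domain is lists.luv.asn.au.
CASES = {
    "direct":               (("pass", "example.com"), [("pass", "example.com")]),
    "list, body untouched": (("pass", "lists.luv.asn.au"), [("pass", "example.com")]),
    "list, footer added":   (("pass", "lists.luv.asn.au"), [("fail", "example.com")]),
    "list re-signs only":   (("pass", "lists.luv.asn.au"),
                             [("fail", "example.com"), ("pass", "luv.asn.au")]),
}

def run_cases(from_domain="example.com"):
    return {name: dmarc_result(from_domain, spf, sigs)
            for name, (spf, sigs) in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:22} DMARC {verdict}")
```

The second case passes even though the relaying IP is the list server's: the author's DKIM signature still verifies and is aligned, so the unaligned SPF pass is irrelevant.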