List manager software destroys both SPF and DKIM causing list mail to be rejected

See this. (report is at the bottom of this email)
Apparently, your list software destroys both SPF and DKIM signatures causing rejects.

Since you repackage S/MIME mail to avoid breaking S/MIME, I would suggest doing the same
to avoid breaking SPF, e.g. repackage the mail in a new message/rfc822 container like this, and
also DKIM sign the repackaged mail, and also strip the invalid DKIM sig out.
A good idea can be then to put up a DKIM, SPF and DMARC record for lists.djigzo.com.
Then both SPF and DKIM will be verified against the domain “lists.djigzo.com”, not the sender domain,
since the SPF/DKIM validator will always validate mail on the outermost container:


From: users(a)lists.djigzo.com
To: <receiver of list mail>
Subject: Fwd: [original subject]
Content-Type: message/rfc822; boundary="1234";

--1234
From: sebastian(a)sebbe.eu
To: <receiver of list mail>
Subject: [original subject]
Content-Type: text/plain

Hello this is a test
--1234--

Here is the report I got from Yahoo:

<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster(a)dmarc.yahoo.com</email>
    <report_id>1426038669.132883</report_id>
    <date_range>
      <begin>1425945600</begin>
      <end>1426031999</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>sebbe.eu</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>reject</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>87.233.242.72</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>sebbe.eu</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>sebbe.eu</domain>
        <result>permerror</result>
      </dkim>
      <spf>
        <domain>lists.djigzo.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
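
The report above lists SPF as `pass` under `auth_results` but `fail` under `policy_evaluated`. The following is an added example, not part of the original thread: it recomputes the DMARC verdict from the report and gives the reason for each failure. The function names are this example's own, and relaxed alignment is simplified as noted in the code.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the Yahoo report quoted above (same values, metadata omitted).
REPORT = """<feedback>
<policy_published><domain>sebbe.eu</domain><adkim>s</adkim><aspf>s</aspf></policy_published>
<record>
<row><source_ip>87.233.242.72</source_ip><count>1</count></row>
<identifiers><header_from>sebbe.eu</header_from></identifiers>
<auth_results>
<dkim><domain>sebbe.eu</domain><result>permerror</result></dkim>
<spf><domain>lists.djigzo.com</domain><result>pass</result></spf>
</auth_results></record></feedback>"""

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment is an exact match. Relaxed ('r') is simplified to a
    parent/child test; real relaxed alignment needs the Public Suffix List."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def evaluate(report_xml):
    """Recompute the DMARC verdict for each <record>, with the reason for each failure."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {"dkim": pol.findtext("adkim", "r").strip(), "spf": pol.findtext("aspf", "r").strip()}
    out = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from").strip()
        verdict = {"header_from": hfrom, "source_ip": rec.findtext("row/source_ip").strip()}
        for mech in ("dkim", "spf"):
            reasons, ok = [], False
            for res in rec.findall(f"auth_results/{mech}"):
                dom, result = res.findtext("domain").strip(), res.findtext("result").strip()
                if result != "pass":
                    reasons.append(f"{dom}: {result}")
                elif not aligned(dom, hfrom, modes[mech]):
                    reasons.append(f"{dom}: pass but not aligned with {hfrom}")
                else:
                    ok = True
            verdict[mech] = "pass" if ok else "fail"
            verdict[mech + "_why"] = reasons
        # DMARC passes when at least one mechanism both passes and aligns.
        verdict["dmarc"] = "pass" if "pass" in (verdict["dkim"], verdict["spf"]) else "fail"
        out.append(verdict)
    return out

if __name__ == "__main__":
    print(evaluate(REPORT))
```

Run against the same report with `header_from` changed to `lists.djigzo.com`, as in the repackaging proposed above, the SPF result aligns and the recomputed verdict is `pass`.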

The problem is unfortunately not so easy to solve. For one, we use
mailman for the mailing list and this is not created by us. In order to
repackage as you suggested, this should be added to mailman. The
repackaging of S/MIME is done at the receiver side, not at the sender
side. In this case it should be changed on the sender side (i.e., mailman).

See this page DEV/DKIM - Mailman Wiki for more discussion about
DKIM and mailman.

One option might be to strip the DKIM signature, although according to
the above page, some think this is not a good thing to do.

Kind regards,

Martijn Brinkers


On 03/11/2015 08:08 PM, Sebastian Nielsen wrote:

See this. (report is at the bottom of this email) Apparently, your
list software destroys both SPF and DKIM signatures causing rejects.

Since you repackage S/MIME mail to avoid breaking S/MIME, I would
suggest doing the same to avoid breaking SPF, eg repackage the mail
in a new message/rfc822 container like this, and also DKIM sign the
repackaged mail, and also strip the invalid DKIM sig out. A good idea
can be then to put up a DKIM, SPF and DMARC record for
lists.djigzo.com. Then both SPF and DKIM will be verified against the
domain “lists.djigzo.com”, not the sender domain, since the SPF/DKIM
validator will always validate mail on the outermost container:

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

Twitter: http://twitter.com/CipherMail