Mailing lists seem to have some compliance issues with DKIM by design. Peter has tested that the situation is better with mailman 2.1.26 and possibly earlier versions. We are running a heavily patched version of mailman 2.1.15 from CentOS 7. The changelog does not, however, suggest that any major changes have been made regarding DKIM (https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/changes/1744?start_revid=1744). I suspect that we already have one very important patch in our version of mailman (https://git.centos.org/tree/rpms!mailman.git/c7): https://git.centos.org/blob/rpms!mailman.git/c7/SOURCES!mailman-2.1.12-dmarc.patch Peter, can you confirm that this is the patch we need?
Mailman needs to be updated so I am afraid we will have to build it ourselves.
As far as I am concerned, if a mailing list does not alter messages by adding footers or rewriting subjects, Mailman is now DKIM-compliant. @Michael: Please confirm. :-)
(In reply to Peter Müller from comment #2)
> @Michael: Please confirm. :-)

Confirm what again?
Except for some mails which Mailman processes in a way that renders DKIM signatures invalid, it is now DMARC compliant. Unfortunately, this kind of thing does not seem to be reproducible or deterministic, so I am leaving this open for further investigation.
I am not sure what we can do about this here. I do not want to wrap the messages into a new one. That brings all sorts of other problems. Sender: and the envelope sender should allow us to sign any messages. I am not sure if there is any improvement in Mailman 3, although I much prefer Mailman 2.
Closing this as WORKSFORME, since we have been running a "quarantine" DMARC policy for quite some time now, and I am unaware of any DKIM-caused issues with it.
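
Added example, not part of the bug thread and not Mailman's code: a check of which DKIM-signed parts of a message change when a list adds a footer or rewrites the subject, using RFC 6376 "relaxed" canonicalization. The signed header list, the list name `test-list` and all sample messages are constructed for illustration.

```python
import base64
import hashlib
import re

# Assumed h= list of the sender's DKIM signature (constructed for this example).
SIGNED_HEADERS = ("from", "subject", "date")

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        # Collapse runs of space/tab to one space, drop trailing whitespace.
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while lines and lines[-1] == b"":  # ignore empty lines at the end
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes) -> str:
    """bh= value for a SHA-256 signature with relaxed body canonicalization."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def broken_by_list(original: dict, relayed: dict) -> list:
    """Signed parts whose canonical form differs after list processing."""
    changed = [h for h in SIGNED_HEADERS
               if relaxed_header(h, original[h]) != relaxed_header(h, relayed[h])]
    if body_hash(original["body"]) != body_hash(relayed["body"]):
        changed.append("body")
    return changed

# Constructed sample messages (header values as str, body as bytes).
ORIGINAL = {"from": "Alice <alice@example.org>", "subject": "DKIM test",
            "date": "Mon, 01 Jan 2018 10:00:00 +0000",
            "body": b"Hello list,\r\nthis is a test.\r\n"}
# Relayed with whitespace-only differences: the signature still verifies.
UNTOUCHED = dict(ORIGINAL, subject="DKIM   test",
                 body=b"Hello list,  \r\nthis is a test.\r\n\r\n\r\n")
# Relayed with a subject prefix and a footer: both signed parts change.
MODIFIED = dict(ORIGINAL, subject="[test-list] DKIM test",
                body=ORIGINAL["body"] + b"-- \r\ntest-list mailing list\r\n")
```

`broken_by_list(ORIGINAL, UNTOUCHED)` returns an empty list, while `broken_by_list(ORIGINAL, MODIFIED)` reports both `subject` and `body`, either of which is enough to invalidate the sender's signature.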