[Users] DKIM test...

[Slavko]

Dňa 9. 2. o 0:19 Pierre Fortin via Users napísal(a):

> 2. Get confirmation that CM does _not_ include DKIM header when sending
> mail; it leaves that to the MTA...   True?

CM itself has near nothing with DKIM, it is job for MTA to add/verify 
DKIM signature(s).

If you mean CM's ML, that is another thing. and yes, you are (partially) 
right, except that CM's ML adds it own DKIM signature, thus mails will 
have two, one from CM's ML and one from your MTA (i didn't investigate, 
if CM's signature is added always or only on some conditions).

Your original signature will fail verification, as CM's ML modifies body 
of message. The CM's ML signature will probably pass, but that is mostly 
pointless for DMARC, as its DKIM domain (d=) will not be aligned with 
From: domain...

Thus, if your domain has strict DMARC policy (p=quarantine/reject), 
people can (and often will) have troubles to get your messages.

The only solution for now is to add some WL entry on MTA level (where 
DKIM/DMARC is checked), but not all admins/systems are willing to do 
that. On my MTA (MX) i maintain list of MLs known to break DKIM/DMARC to 
prevent false positives (CM is not only one)...

I tried to point that problem here some months ago, but it was rejected 
as off topic, thus discussion about another possibilities didn't happen.

regards

-- 
Slavko