![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 1/25/25 12:30, jerry.barnabee--- via Mailman-Users wrote:
CPANEL does all the heavy lifting for me - e.g. I don't have to add any code anywhere - the only thing that I have to do is make sure the correct spf, dkim and dmarc dns records exist on my name server for each of my domains- which they do. Pretty sure opendkim is not being used by CPANEL.
Then this is a cPanel issue.
Is python.org using mailman 2.x or 3.x ?
The reason I ask is that the email the python.org list sent out was DKIM signed correctly.
python.org has both Mailman 2 and Mailman 3 lists. This list is Mailman 3, , but that's irrelevant as all the DKIM signing is done by the MTA using opendkim.
The email I got from msapiro.net did not pass DKIM nor DMARC which is not always fatal - since I did get your email, but more email servers are starting to pay more attention to those failures - and causing those of use that use mailman to distribute emails to be getting more and more frustrated with things not being signed and causing failures of one kind or another .... I check if I can see any DKIM settings in EXIM - but there is a reason I use a WHM/CPANEL on my VPS servers - unix administration is not my strong suit ... about all I can say is that I do know how to spell unix .....
My post that you receive from the list should contain two DKIM signatures. One sig from the msapiro.net domain will be broken because of list transformations such as subject prefixing and addition of the list footer[1], but there will be another sig from the python.org domain which should be valid and the mail should pass DKIM. It won't pass DMARC because of From: domain misalignment, but msapiro.net publishes DMARC policy = none so it shouldn't matter.
[1]The broken DKIM sig should be ignored, From https://www.rfc-editor.org/rfc/rfc6376.html#section-6.1
INFORMATIVE NOTE: The rationale of this requirement is to permit
messages that have invalid signatures but also a valid signature
to work. For example, a mailing list exploder might opt to leave
the original submitter signature in place even though the exploder
knows that it is modifying the message in some way that will break
that signature, and the exploder inserts its own signature. In
this case, the message should succeed even in the presence of the
known-broken signature.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan