Is there any workaround that can add a valid DKIM signature to outgoing mailman 2.x emails?
On 1/25/25 10:07, jerry.barnabee--- via Mailman-Users wrote:
> Is there any workaround that can add a valid DKIM signature to outgoing mailman 2.x emails?

You need to configure your outgoing MTA to DKIM sign the mail.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
The MTA is already set up to dkim sign messages - my php scripts that use the "mail" command to send out email messages get a DKIM signature, all the system generated emails get a DKIM signature. But mailman sent emails do not.
For some reason mailman is not sending the emails out thru the same process. I had read that it was because mailman does not use SMTP to send them and that is why they aren't signed ...
JerryB
On 1/25/25 11:32, jerry.barnabee--- via Mailman-Users wrote:
> The MTA is already set up to dkim sign messages - my php scripts that use the "mail" command to send out email messages get a DKIM signature, all the system generated emails get a DKIM signature. But mailman sent emails do not.
>
> For some reason mailman is not sending the emails out thru the same process. I had read that it was because mailman does not use SMTP to send them and that is why they aren't signed ...

Mailman does use SMTP to send the mail.

If you are using opendkim in your MTA to DKIM sign, you may need something like

```
SenderHeaders List-Post,Sender,From
```

in your opendkim.conf. I.e., you need to reference a header that always contains the list domain.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
CPANEL does all the heavy lifting for me - e.g. I don't have to add any code anywhere - the only thing that I have to do is make sure the correct spf, dkim and dmarc dns records exist on my name server for each of my domains - which they do. Pretty sure opendkim is not being used by CPANEL.
Is python.org using mailman 2.x or 3.x?
The reason I ask is that the email the python.org list sent out was DKIM signed correctly. The email I got from msapiro.net did not pass DKIM nor DMARC which is not always fatal - since I did get your email, but more email servers are starting to pay more attention to those failures - and causing those of us that use mailman to distribute emails to be getting more and more frustrated with things not being signed and causing failures of one kind or another .... I check if I can see any DKIM settings in EXIM - but there is a reason I use a WHM/CPANEL on my VPS servers - unix administration is not my strong suit ... about all I can say is that I do know how to spell unix .....
On 1/25/25 12:30, jerry.barnabee--- via Mailman-Users wrote:
> CPANEL does all the heavy lifting for me - e.g. I don't have to add any code anywhere - the only thing that I have to do is make sure the correct spf, dkim and dmarc dns records exist on my name server for each of my domains - which they do. Pretty sure opendkim is not being used by CPANEL.

Then this is a cPanel issue.

> Is python.org using mailman 2.x or 3.x?
>
> The reason I ask is that the email the python.org list sent out was DKIM signed correctly.

python.org has both Mailman 2 and Mailman 3 lists. This list is Mailman 3, but that's irrelevant as all the DKIM signing is done by the MTA using opendkim.

> The email I got from msapiro.net did not pass DKIM nor DMARC which is not always fatal - since I did get your email, but more email servers are starting to pay more attention to those failures - and causing those of us that use mailman to distribute emails to be getting more and more frustrated with things not being signed and causing failures of one kind or another .... I check if I can see any DKIM settings in EXIM - but there is a reason I use a WHM/CPANEL on my VPS servers - unix administration is not my strong suit ... about all I can say is that I do know how to spell unix .....

My post that you receive from the list should contain two DKIM signatures. One sig from the msapiro.net domain will be broken because of list transformations such as subject prefixing and addition of the list footer[1], but there will be another sig from the python.org domain which should be valid and the mail should pass DKIM. It won't pass DMARC because of From: domain misalignment, but msapiro.net publishes DMARC policy = none so it shouldn't matter.

[1] The broken DKIM sig should be ignored, From https://www.rfc-editor.org/rfc/rfc6376.html#section-6.1

    INFORMATIVE NOTE: The rationale of this requirement is to permit
    messages that have invalid signatures but also a valid signature
    to work. For example, a mailing list exploder might opt to leave
    the original submitter signature in place even though the exploder
    knows that it is modifying the message in some way that will break
    that signature, and the exploder inserts its own signature. In
    this case, the message should succeed even in the presence of the
    known-broken signature.

-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
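
The outcome described in the message above (a broken author signature, a valid list-host signature, DKIM pass but no DKIM alignment for DMARC) can be read off a received message's headers. This is an added example, not code from the thread or from Mailman; the sample message, the selectors and the receiver name `mx.receiver.example` are constructed, and the organizational-domain rule is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Report which domains DKIM-signed a message and whether DMARC can align."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a list post as seen by the receiving server: the list
# host's signature verifies, the author's was broken by the subject prefix
# and footer. Selectors and the receiver name are made up for illustration.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=fail reason="body hash did not verify" header.d=msapiro.net header.s=author-sel;
 dkim=pass header.d=python.org header.s=list-sel
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=python.org;
 s=list-sel; h=from:to:subject:list-post; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=msapiro.net;
 s=author-sel; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Mark Sapiro <mark@msapiro.net>
Sender: mailman-users-bounces@python.org
List-Post: <mailto:mailman-users@python.org>
Subject: [Mailman-Users] Re: DKIM signing

List footer appended here.
"""


def parse_tags(value):
    """Split an RFC 6376 tag-list ("k=v; k=v") into a dict, dropping folding."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(val.split())
    return tags


def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # A real DMARC evaluator uses the Public Suffix List here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def trusted_dkim_results(msg, trusted_authserv):
    """Map signing domain -> verdict, using only our own receiver's header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(str(value).split()).partition(";")
        ident = authserv.split()[0].lower() if authserv.split() else ""
        if ident != trusted_authserv.lower():
            continue  # any upstream host can add this header; skip foreign ones
        for m in re.finditer(r"(?<![\w-])dkim=(\w+)([^;]*)", rest):
            dom = re.search(r"header\.d=([^\s;]+)", m.group(2))
            if dom and results.get(dom.group(1).lower()) != "pass":
                results[dom.group(1).lower()] = m.group(1).lower()
    return results


def analyze(raw, trusted_authserv, expected_signer=None):
    """Summarize DKIM signers, verdicts and DKIM alignment with From:."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = [parse_tags(str(v)).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])]
    results = trusted_dkim_results(msg, trusted_authserv)
    # RFC 6376 section 6.1: one valid signature is enough; failed ones are ignored.
    passing = sorted(d for d, r in results.items() if r == "pass")
    aligned = [d for d in passing if org_domain(d) == org_domain(from_domain)]
    return {
        "from_domain": from_domain,
        "signers": signers,                      # d= values in header order
        "passing": passing,
        "dkim_pass": bool(passing),
        "dmarc_dkim_aligned": bool(aligned),     # DKIM leg of DMARC only
        "expected_signer_present":
            (expected_signer.lower() in signers) if expected_signer else None,
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE, "mx.receiver.example", "python.org").items():
        print(f"{key}: {val}")
```

Passing the list domain as `expected_signer` shows whether the list host's signature is on the message at all, independent of whether any receiver verified it.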
jerry.barnabee--- via Mailman-Users writes:
I assume that cPanel uses *something*, and that it's reasonably sane by default. The combination of Mailman and cPanel is common enough that I expect we would be inundated with complaints about DKIM if it wasn't. Unfortunately, cPanel doesn't seem to provide publicly available documentation, so I can't say more than that.
> I check if I can see any DKIM settings in EXIM

Exim4 (unlike Postfix and Sendmail) does implement DKIM itself. It uses different criteria (probably settings in individual router or transport stanzas?) to determine how to sign a message. As far as I can see, there's nothing like the SenderHeaders parameter Mark mentioned. The documentation for current Exim4 and DKIM is in https://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dm... It looks pretty straightforward (but I haven't configured an Exim4 system in a decade).
Stephen,
Thanks for your reply. I am replying directly to your email as I didn't see your reply in the threads of my original post.
My guess is that you are not getting complaints because it is just recently that the big name email servers (gmail, yahoo, icloud, microsoft) have just recently started enforcing the DKIM standard and what makes it worse is that they all seem to be taking different approaches to that enforcement. Could also be that most of the mailman users are using mailman 3.xx - but unfortunately CPANEL does not support that version - they recently let me know that they are going to continue to support mailman 2.xx even though it is no longer being maintained by python so hopefully we can get them involved in finding a solution.
In my environment (WHM/CPANEL) mailman version 2.1.39 is not DKIM signing the mailman emails. All other emails that my domains send out are being DKIM signed - so it looks like EXIM is doing its job on all outgoing mail except that being sent by mailman ...
I have added you to a mailing list on my test server and will send a message out. You will see that it does not have a DKIM signature from the domain that is sending the emails out - that is if you get the email at all - I can see if your email server rejects the email - but if it does I can not see if it actually makes it to your inbox.
I will send you a separate email letting you know that I sent a message thru the mailing list - so if it does not make it to your inbox you can check your spam/junk folder.
My VPS is OS Alma Linux 9.x on which I installed WHM/CPANEL (124.0.23), CloudLinux 9.5 and Imunify 360.
So I just sent out a message via a mailman list (members@template.missoucimasternaturalists.org) - let's see if you get it.
My server tells me it made it to your email server and was accepted.
JerryB
Jerry Barnabee via Mailman-Users writes:
> Thanks for your reply. I am replying directly to your email as I didn't see your reply in the threads of my original post.

It's there in the archive. I recently retired and they cut off my email for several months (despite being reemployed part-time), so I may have been unsubscribed. For that reason it may have been held for approval by the moderators.

DMARC is ten years old: there was a huge kerfuffle in April 2014 when DMARC p=reject was rolled out by Yahoo! and AOL early in the development of the standard. DKIM itself is several years older, depending on how you count earlier DomainKeys standards.

I am pretty sure that if there were a widespread problem we *would* hear about it frequently because we do get a lot of traffic about problems that Mailman can do nothing about, but only show up with Mailman because related software is not working correctly or remote sites have a list-unfriendly policy.

> and what makes it worse is that they all seem to be taking different approaches to that enforcement.

This is true. Google is especially pernicious, as they advertise p=none but then turn around and enforce it on their own users.

> Could also be that most of the mailman users are using mailman 3.xx

Irrelevant. Neither Mailman 2 nor Mailman 3 supports DKIM signing. Sufficiently recent versions of both support "via $LIST" rewriting of the From header, which should get you past DMARC. But you need to do the outgoing DKIM signatures yourself. As Mark said, the best way to do DKIM signature is via the MTA.

> In my environment (WHM/CPANEL) mailman version 2.1.39 is not DKIM signing the mailman emails.

No version of Mailman we distribute does DKIM signing. That's an MTA function.

Then that's an Exim configuration problem. You have an MTA that does DKIM signing, you just need to persuade it to sign Mailman traffic.

Yes I saw that post, and confirmed it has no DKIM signature. I did not expect one, since you reported that as a problem. I haven't seen the separate email you said you would send, though.

> My VPS is OS Alma Linux 9.x on which I installed WHM/CPANEL (124.0.23), CloudLinux 9.5 and Imunify 360.

None of this is likely to be relevant to the issue. What I would really like to see is your Exim configuration (the whole thing). If you worry about exposing it to the public, you can send it to me by direct mail. If there are sensitive parts, you can redact them but it would be a good idea to explain what was in the redacted parts.

Steve
When I look at "email sent summary" (see below) it shows that the other email made it to and was accepted by your email server ... so since it is not in your inbox it should be in your spam/junk folder ... the message got sent via the mailing list: members@template.missourimasternaturalists.org
I sent you the exim configs in a separate email as you suggested.
JerryB
```
Event: success
Sender User: -remote-
Sender Domain:
From Address: members-bounces@template.missourimasternaturalists.org
Sender:
Sent Time: Jan 28, 2025, 10:38:10 AM
Sender Host:
Sender IP:
Authentication: localdelivery
Spam Score:
Recipient: turnbull@sk.tsukuba.ac.jp
Delivered To: turnbull@sk.tsukuba.ac.jp
Delivery User: -remote-
Delivery Domain:
Router: dkim_lookuphost
Transport: dkim_remote_smtp
Out Time: Jan 28, 2025, 10:38:10 AM
ID: 1tcobl-00000003JyD-2Leu
Delivery Host: smtpgwin.cc.tsukuba.ac.jp
Delivery IP: 207.54.83.63
Size: 79.83 KB
Result: Accepted
```
On 1/28/25 11:55, jerry.barnabee--- via Mailman-Users wrote:
So this is mail from a list.
...
> Router: dkim_lookuphost Transport: dkim_remote_smtp

And this transport seems by its name to be one that should be doing DKIM signing so something in the configuration of that transport is skipping the DKIM signing for Mailman list mail or perhaps the mail which is signed uses a different transport in which case, the issue may be in the router. Does the dkim_domain setting in the transport include the list domain?
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
Here is the code that is in the exim.conf - but looks like Greek to me :) I do know that all of the domains are listed and have correct dkim entries in the dns. Do you know of anyone that actually has a mailman 2.1.39 installation that does add dkim signatures to the mailman emails? Thanks, JerryB
```
mailman_virtual_transport:
  driver = pipe
  command = /usr/local/cpanel/3rdparty/mailman/mail/mailman
    '${if def:local_part_suffix
      {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}}
      {post}}'
    ${perl{untaint}{${lc:$local_part}_${lc:$domain}}}
  current_directory = /usr/local/cpanel/3rdparty/mailman
  home_directory = /usr/local/cpanel/3rdparty/mailman
  user = mailman
  group = mailman

mailman_virtual_transport_nodns:
  driver = pipe
  command = /usr/local/cpanel/3rdparty/mailman/mail/mailman
    '${if def:local_part_suffix
      {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}}
      {post}}'
    ${perl{untaint}{${lc:$local_part}}}
  current_directory = /usr/local/cpanel/3rdparty/mailman
  home_directory = /usr/local/cpanel/3rdparty/mailman
  user = mailman
  group = mailman
```

=========

```
dkim_remote_smtp:
  driver = smtp
  interface = <; ${if >
    {${extract
      {size}
      {${stat:/etc/mailips}}
    }}
    {0}
    {${lookup
      {${lc:${perl{get_message_sender_domain}}}}
      lsearch{/etc/mailips}
      {$value}
      {${lookup
        {${if match_domain
          {$original_domain}
          {+relay_domains}
          {${lc:$original_domain}}
          {}
        }}
        lsearch{/etc/mailips}
        {$value}
        {${lookup
          {${perl{get_sender_from_uid}}}
          lsearch*{/etc/mailips}
          {$value}
          {}
        }}
      }}
    }}
  }
  helo_data = ${if >
    {${extract{size}{${stat:/etc/mailhelo}}}}
    {0}
    {${lookup
      {${lc:${perl{get_message_sender_domain}}}}
      lsearch{/etc/mailhelo}
      {$value}
      {${lookup
        {${if match_domain
          {$original_domain}
          {+relay_domains}
          {${lc:$original_domain}}
          {}
        }}
        lsearch{/etc/mailhelo}
        {$value}
        {${lookup
          {${perl{get_sender_from_uid}}}
          lsearch*{/etc/mailhelo}
          {$value}
          {$primary_hostname}
        }}
      }}
    }}
    {$primary_hostname}
  }
  dkim_domain = ${perl{get_dkim_domain}}
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  dkim_canon = relaxed
  hosts_try_chunking = 198.51.100.1
  message_linelength_limit = 2048
  .ifdef ARCSIGNING
  arc_sign = $primary_hostname:default:/var/cpanel/domain_keys/private/$primary_hostname:default
  .endif
```
On 1/30/25 11:55, jerry.barnabee--- via Mailman-Users wrote:
mail.python.org runs Mailman 2.1.39+ for many lists in addition to running Mailman 3 for many other lists and all outgoing mail from both Mailman 2 and Mailman 3 lists is properly DKIM signed.
But the mailman version is irrelevant as the DKIM signing is done by Postfix.
In your case, the significant thing is cPanel's Mailman 2.1.39 because the issue is in Exim as configured by cPanel. You want to hear from someone running cPanel Mailman that does add dkim signatures to the mailman emails.
The above transports are for mail to Mailman, not mail from Mailman.
The transport below is the relevant one.
I think the above may be the issue. Does ${perl{get_dkim_domain}} return a domain or list of domains including the mailman list domain?
Your list domain is apparently template.missourimasternaturalists.org. Is mail which is DKIM signed From: that domain or from some other domain, maybe missourimasternaturalists.org?
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
all of the non-mailman emails get signed by template.missourimasternaturalists.org
how do I execute that command ?? ${perl{get_dkim_domain}} return a domain or list of domains including the mailman list domain?
JerryB
On 1/30/25 14:15, jerry.barnabee--- via Mailman-Users wrote:
> all of the non-mailman emails get signed by template.missourimasternaturalists.org

Which also appears to be the sender domain for list mail. So I'm lost as to why list mail isn't signed.

This is a question for an Exim support resource. There is a mailing list at https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ that might be helpful.

> how do I execute that command ?? ${perl{get_dkim_domain}}

You could try

```
perl get_dkim_domain
```

at a command prompt but that may only work in an Exim environment.

> return a domain or list of domains including the mailman list domain?

However, since the mailman sender seems to be @template.missourimasternaturalists.org and other mail from that domain is signed, that's not the issue.

-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
I opened a ticket with CPANEL and they figured out what was happening. Looks like Imunify 360 email was stripping the dkim signature off of the mailman messages. Who would have thunk it .... I turned the email process off and sent out a message and lo and behold it was dkim compliant.
Thanks for helping me get to the bottom of this. JerryB
![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 1/25/25 10:07, jerry.barnabee--- via Mailman-Users wrote:
Is there any work around that can add a valid DKIM signature to outgoing mailman 2.x emails.
You need to configure your outgoing MTA to DKIM sign the mail.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
![](https://secure.gravatar.com/avatar/85a99b25cf78c0293215f307acd00fb9.jpg?s=120&d=mm&r=g)
The MTA is already set up to dkim sign messages - my php scripts that use the "mail" command to send out email messages get a DKIM signature, all the system generated emails get a DKIM signature. But mailman sent emails do not.
For some reason mailman is not sending the emails out thru the same process. I had read that it was because mailman does not use SMTP to send them and that is why they aren't signed ...
JerryB
![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 1/25/25 11:32, jerry.barnabee--- via Mailman-Users wrote:
The MTA is already set up to dkim sign messages - my php scripts that use the "mail" command to send out email messages get a DKIM signature, all the system generated emails get a DKIM signature. But mailman sent emails do not.
For some reason mailman is not sending the emails out thru the same process. I had read that it was because mailman does not use SMTP to send them and that is why they aren't signed ...
Mailman does use SMTP to send the mail.
If you are using opendkim in your MTA to DKIM sign, you may need something like
SenderHeaders List-Post,Sender,From
in your opendkim.conf. I.e., you need to reference a header that always contains the list domain.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
![](https://secure.gravatar.com/avatar/85a99b25cf78c0293215f307acd00fb9.jpg?s=120&d=mm&r=g)
CPANEL does all the heavy lifting for me - e.g. I don't have to add any code anywhere - the only thing that I have to do is make sure the correct spf, dkim and dmarc dns records exist on my name server for each of my domains- which they do. Pretty sure opendkim is not being used by CPANEL.
Is python.org using mailman 2.x or 3.x ?
The reason I ask is that the email the python.org list sent out was DKIM signed correctly. The email I got from msapiro.net did not pass DKIM nor DMARC which is not always fatal - since I did get your email, but more email servers are starting to pay more attention to those failures - and causing those of use that use mailman to distribute emails to be getting more and more frustrated with things not being signed and causing failures of one kind or another .... I check if I can see any DKIM settings in EXIM - but there is a reason I use a WHM/CPANEL on my VPS servers - unix administration is not my strong suit ... about all I can say is that I do know how to spell unix .....
![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 1/25/25 12:30, jerry.barnabee--- via Mailman-Users wrote:
CPANEL does all the heavy lifting for me - e.g. I don't have to add any code anywhere - the only thing that I have to do is make sure the correct spf, dkim and dmarc dns records exist on my name server for each of my domains- which they do. Pretty sure opendkim is not being used by CPANEL.
Then this is a cPanel issue.
Is python.org using mailman 2.x or 3.x ?
The reason I ask is that the email the python.org list sent out was DKIM signed correctly.
python.org has both Mailman 2 and Mailman 3 lists. This list is Mailman 3, , but that's irrelevant as all the DKIM signing is done by the MTA using opendkim.
The email I got from msapiro.net did not pass DKIM nor DMARC which is not always fatal - since I did get your email, but more email servers are starting to pay more attention to those failures - and causing those of use that use mailman to distribute emails to be getting more and more frustrated with things not being signed and causing failures of one kind or another .... I check if I can see any DKIM settings in EXIM - but there is a reason I use a WHM/CPANEL on my VPS servers - unix administration is not my strong suit ... about all I can say is that I do know how to spell unix .....
My post that you receive from the list should contain two DKIM signatures. One sig from the msapiro.net domain will be broken because of list transformations such as subject prefixing and addition of the list footer[1], but there will be another sig from the python.org domain which should be valid and the mail should pass DKIM. It won't pass DMARC because of From: domain misalignment, but msapiro.net publishes DMARC policy = none so it shouldn't matter.
[1]The broken DKIM sig should be ignored, From https://www.rfc-editor.org/rfc/rfc6376.html#section-6.1
INFORMATIVE NOTE: The rationale of this requirement is to permit
messages that have invalid signatures but also a valid signature
to work. For example, a mailing list exploder might opt to leave
the original submitter signature in place even though the exploder
knows that it is modifying the message in some way that will break
that signature, and the exploder inserts its own signature. In
this case, the message should succeed even in the presence of the
known-broken signature.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
![](https://secure.gravatar.com/avatar/395215a635f89ee4fd6d9dfe8453afae.jpg?s=120&d=mm&r=g)
jerry.barnabee--- via Mailman-Users writes:
I assume that cPanel uses *something*, and that it's reasonably sane by default. The combination of Mailman and cPanel is common enough that I expect we would be inundated with complaints about DKIM if it wasn't. Unfortunately, cPanel doesn't seem to provide publicly available documentation, so I can't say more than that.
I check if I can see any DKIM settings in EXIM
Exim4 (unlike Postfix and Sendmail) does implement DKIM itself. It uses different criteria (probably settings in individual router or transport stanzas?) to determine how to sign a message. As far as I can see, there's nothing like the SenderHeaders parameter Mark mentioned. The documentation for current Exim4 and DKIM is in https://exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dm... It looks pretty straightforward (but I haven't configured an Exim4 system in a decade).
![](https://secure.gravatar.com/avatar/85a99b25cf78c0293215f307acd00fb9.jpg?s=120&d=mm&r=g)
Stephen,
Thanks for your reply. I am replying directly to your email as I didn't see your reply in the threads of my original post.
My guess is that you are not getting complaints because it is just recently that the big name email servers (gmail, yahoo, icloud, microsoft) have just recently started enforcing the DKIM standard and what makes it worse is that they all seem to be taking different approaches to that enforcement. Could also be that most of the mailman users are using mailman 3.xx - but unfortunately CPANEL does not support that version - they recently let me know that they are going to continue to support mailman 2.xx even though it is no longer being maintained by python so hopefully we can get them involved in finding a solution.
In my environment (WHM/CPANEL) mailman version 2.1.39 is not DKIM signing the mailman emails. All other emails that my domains send out are being DKIM signed - so it looks like EXIM is doing it's job on all outgoing mail except that being sent by mailman ...
I have added you to a mailing list on my test server and will send a message out. You will see that it does not have a DKIM signature from the domain that is sending the emails out - that is if you get the email at all - I can see if your email server rejects the email - but if it does I can not see if it actually makes it to your inbox .
I will send you a separate email letting you know that I sent a message thru the mailing list - so if it does not make it to your inbox you can check your spam/junk folder.
My VPS is OS Alma Lunix 9.x on which I installed WHM/CPANEL (124.0.23), CloudLinux 9.5 and Imunify 360.
So i just sent out a message via a mailman list (members@template.missoucimasternaturalists.org <mailto:members@template.missoucimasternaturalists.org>) - lets see if you get it.
My server tells me it made it to your email server and was accepted.
JerryB
![](https://secure.gravatar.com/avatar/395215a635f89ee4fd6d9dfe8453afae.jpg?s=120&d=mm&r=g)
Jerry Barnabee via Mailman-Users writes:
Thanks for your reply. I am replying directly to your email as I didn't see your reply in the threads of my original post.
It's there in the archive. I recently retired and they cut off my email for several months (despite being reemployed part-time), so U may have been unsubscribed. For that reason it may have been held for approval by the moderators.
DMARC is ten years old: there was a huge kerfluffle in April 2014 when DMARC p=reject was rolled out by Yahoo! and AOL early the development of the standard. DKIM itself is several years older, depending on how you count earlier DomainKeys standards.
I am pretty sure that if there were a widespread problem we *would* hear about it frequently because we do get a lot of traffic about problems that Mailman can do nothing about, but only show up with Mailman because related software is not working correctly or remote sites have a list-unfriendly policy.
and what makes it worse is that they all seem to be taking different approaches to that enforcement.
This is true. Google is especially pernicious, as they advertise p=none but then turn around and enforce it on their own users.
Could also be that most of the mailman users are using mailman 3.xx
Irrelevant. Neither Mailman 2 nor Mailman 3 supports DKIM signing. Sufficiently recent versions of both support "via $LIST" rewriting of the From header, which should get you past DMARC. But you need to do the outgoing DKIM signatures yourself. As Mark said, the best way to do DKIM signature is via the MTA.
In my environment (WHM/CPANEL) mailman version 2.1.39 is not DKIM signing the mailman emails.
No version of Mailman we distribute does DKIM signing. That's an MTA function.
Then that's an Exim configuration problem. You have an MTA that does DKIM signing, you just need to persuade it to sign Mailman traffic.
Yes I saw that post, and confirmed it has no DKIM signature. I did not expect one, since you reported that as a problem. I haven't seen the separate email you said you would send, though.
My VPS is OS Alma Lunix 9.x on which I installed WHM/CPANEL (124.0.23), CloudLinux 9.5 and Imunify 360.
None of this is likely to be relevant to the issue. What I would really like to see is your Exim configuration (the whole thing). If you worry about exposing it to the public, you can send it to me by direct mail. If there are sensitive parts, you can redact them but it would be a good idea to explain what was in the redacted parts.
Steve
![](https://secure.gravatar.com/avatar/85a99b25cf78c0293215f307acd00fb9.jpg?s=120&d=mm&r=g)
When I look at "email sent summary" (see below) it shows that the other email made it to and was accepted by your email server ... so since it is not in your inbox it should be in your spam/junk folder ... the message got set via the mailing list: members@template.missourimasternaturalists.org
I sent you the exim configs in a separate email as you suggested.
JerryB
Event: success success Sender User: -remote- Sender Domain: From Address: members-bounces@template.missourimasternaturalists.org Sender: Sent Time: Jan 28, 2025, 10:38:10 AM Sender Host: Sender IP: Authentication: localdelivery Spam Score: Recipient: turnbull@sk.tsukuba.ac.jp Delivered To: turnbull@sk.tsukuba.ac.jp Delivery User: -remote- Delivery Domain: Router: dkim_lookuphost Transport: dkim_remote_smtp Out Time: Jan 28, 2025, 10:38:10 AM ID: 1tcobl-00000003JyD-2Leu Delivery Host: smtpgwin.cc.tsukuba.ac.jp Delivery IP: 207.54.83.63 Size: 79.83 KB Result: Accepted
![](https://secure.gravatar.com/avatar/56f108518d7ee2544412cc80978e3182.jpg?s=120&d=mm&r=g)
On 1/28/25 11:55, jerry.barnabee--- via Mailman-Users wrote:
So this is mail from a list.
...
Router: dkim_lookuphost Transport: dkim_remote_smtp
And this transport seems by its name to be one that should be doing DKIM signing so something in the configuration of that transport is skipping the DKIM signing for Mailman list mail or perhaps the mail which is signed uses a different transport in which case, the issue may be in the router. Does the dkim_domain setting in the transport include the list domain?
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
![](https://secure.gravatar.com/avatar/85a99b25cf78c0293215f307acd00fb9.jpg?s=120&d=mm&r=g)
Here is the code that Is in the exim.conf - but looks like greek to me :) I do know that all of the domains are listed and have correct dkim entries in the dns. Do you know of anyone that actually has a mailman 2.1.39 installation that does add dkim signatures to the mailman emails ? Thanks, JerryB
```
mailman_virtual_transport:
    driver = pipe
    command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                    {post}}' \
              ${perl{untaint}{${lc:$local_part}_${lc:$domain}}}
    current_directory = /usr/local/cpanel/3rdparty/mailman
    home_directory = /usr/local/cpanel/3rdparty/mailman
    user = mailman
    group = mailman

mailman_virtual_transport_nodns:
    driver = pipe
    command = /usr/local/cpanel/3rdparty/mailman/mail/mailman \
              '${if def:local_part_suffix \
                    {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
                    {post}}' \
              ${perl{untaint}{${lc:$local_part}}}
    current_directory = /usr/local/cpanel/3rdparty/mailman
    home_directory = /usr/local/cpanel/3rdparty/mailman
    user = mailman
    group = mailman
```
=========
```
dkim_remote_smtp:
    driver = smtp
    interface = <; ${if > \
        {${extract \
            {size} \
            {${stat:/etc/mailips}} \
        }} \
        {0} \
        {${lookup \
            {${lc:${perl{get_message_sender_domain}}}} \
            lsearch{/etc/mailips} \
            {$value} \
            {${lookup \
                {${if match_domain \
                    {$original_domain} \
                    {+relay_domains} \
                    {${lc:$original_domain}} \
                    {} \
                }} \
                lsearch{/etc/mailips} \
                {$value} \
                {${lookup \
                    {${perl{get_sender_from_uid}}} \
                    lsearch*{/etc/mailips} \
                    {$value} \
                    {} \
                }} \
            }} \
        }} \
    }
    helo_data = ${if > \
        {${extract{size}{${stat:/etc/mailhelo}}}} \
        {0} \
        {${lookup \
            {${lc:${perl{get_message_sender_domain}}}} \
            lsearch{/etc/mailhelo} \
            {$value} \
            {${lookup \
                {${if match_domain \
                    {$original_domain} \
                    {+relay_domains} \
                    {${lc:$original_domain}} \
                    {} \
                }} \
                lsearch{/etc/mailhelo} \
                {$value} \
                {${lookup \
                    {${perl{get_sender_from_uid}}} \
                    lsearch*{/etc/mailhelo} \
                    {$value} \
                    {$primary_hostname} \
                }} \
            }} \
        }} \
        {$primary_hostname} \
    }
    dkim_domain = ${perl{get_dkim_domain}}
    dkim_selector = default
    dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
    dkim_canon = relaxed
    hosts_try_chunking = 198.51.100.1
    message_linelength_limit = 2048
.ifdef ARCSIGNING
    arc_sign = $primary_hostname:default:/var/cpanel/domain_keys/private/$primary_hostname:default
.endif
```
On 1/30/25 11:55, jerry.barnabee--- via Mailman-Users wrote:
mail.python.org runs Mailman 2.1.39+ for many lists in addition to running Mailman 3 for many other lists and all outgoing mail from both Mailman 2 and Mailman 3 lists is properly DKIM signed.
But the mailman version is irrelevant as the DKIM signing is done by Postfix.
In your case, the significant thing is cPanel's Mailman 2.1.39 because the issue is in Exim as configured by cPanel. You want to hear from someone running cPanel Mailman that does add dkim signatures to the mailman emails.
The above transports are for mail to Mailman, not mail from Mailman.
The transport below is the relevant one.
I think the above may be the issue. Does ${perl{get_dkim_domain}} return a domain or list of domains including the mailman list domain?
Your list domain is apparently template.missourimasternaturalists.org. Is mail which is DKIM signed From: that domain or from some other domain, maybe missourimasternaturalists.org?
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
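An added example, not part of the original thread: a small Python check that, for a raw message saved from the recipient's mailbox, lists the `d=` domain of every `DKIM-Signature` header and which of `From`, `Sender` and `List-Post` carry that domain. It only reports what is present (it does not verify the signature); the sample messages, domains and function names are constructed for illustration.

```python
import email
import re

HEADERS = ("From", "Sender", "List-Post")   # headers that may carry the list domain

def dkim_signatures(msg):
    """Return one {tag: value} dict per DKIM-Signature header."""
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        # Remove folding whitespace, then split the "tag=value;" list.
        parts = "".join(value.split()).split(";")
        sigs.append(dict(p.split("=", 1) for p in parts if "=" in p))
    return sigs

def report(raw):
    """Summarise signing domains and the headers whose domain they match."""
    msg = email.message_from_string(raw)
    signing = [s.get("d", "").lower() for s in dkim_signatures(msg)]
    matching = []
    for name in HEADERS:
        m = re.search(r"@([A-Za-z0-9.-]+)", msg.get(name, ""))
        if m and m.group(1).lower() in signing:
            matching.append(name)
    return {"signing_domains": signing, "matching_headers": matching}

# Constructed sample messages (example domains, placeholder signature data).
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org;\n"
       " s=default; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n")
DIRECT = SIG + "From: webmaster@lists.example.org\nTo: user@example.com\nSubject: direct\n\nbody\n"
LIST = ("From: poster@example.net\n"
        "Sender: members-bounces@lists.example.org\n"
        "List-Post: <mailto:members@lists.example.org>\n"
        "To: members@lists.example.org\nSubject: [members] hello\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("list, unsigned", LIST), ("list, signed", SIG + LIST)):
        print(label, report(raw))
```

For list mail the poster's `From` domain usually differs from the list domain, so a signature for the list domain shows up as matching `Sender` and `List-Post` only.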
All of the non-mailman emails get signed by template.missourimasternaturalists.org.
How do I execute that command?? ${perl{get_dkim_domain}} return a domain or list of domains including the mailman list domain?
JerryB
On 1/30/25 14:15, jerry.barnabee--- via Mailman-Users wrote:
> all of the non-mailman emails get signed by template.missourimasternaturalists.org

Which also appears to be the sender domain for list mail, so I'm lost as to why list mail isn't signed.
This is a question for an Exim support resource. There is a mailing list at https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ that might be helpful.

> how do I execute that command ?? ${perl{get_dkim_domain}}

You could try
perl get_dkim_domain
at a command prompt but that may only work in an Exim environment.

> return a domain or list of domains including the mailman list domain?

However, since the mailman sender seems to be @template.missourimasternaturalists.org and other mail from that domain is signed, that's not the issue.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan
I opened a ticket with cPanel and they figured out what was happening. Looks like Imunify 360 email was stripping the DKIM signature off of the mailman messages. Who would have thunk it .... I turned the email process off and sent out a message and lo and behold it was DKIM compliant.
Thanks for helping me get to the bottom of this. JerryB
participants (4)
- Jerry Barnabee
- jerry.barnabee@gmail.com
- Mark Sapiro
- Stephen J. Turnbull