List DMARC compliance reconfiguration
Using mailman 2.1.26. I’m auditing the lists on my server for DMARC compliance. I’ve found several list configs that do not have the DMARC action set to “munge_from.” It appears I need to edit all those lists and fix that setting. I’ve also noticed that in mm_cfg.py there is no setting for REMOVE_DKIM_HEADERS. I just wanted to verify the proper order for fixing these issues. Seems like I need to correct the munge_from setting for all the affected lists and then as quickly as possible add REMOVE_DKIM_HEADERS = 1 to mm_cfg.py and restart. It appears that whichever task I complete first, some messages will be undeliverable until both changes are complete. Maybe it would be best to stop mailman, complete both changes and then restart? Just looking for the best way to do this.
On 11/4/19 7:42 AM, Andy Cravens wrote:
> Using mailman 2.1.26. I’m auditing the lists on my server for DMARC compliance. I’ve found several list configs that do not have the DMARC action set to “munge_from.” It appears I need to edit all those lists and fix that setting. I’ve also noticed that in mm_cfg.py there is no setting for REMOVE_DKIM_HEADERS. I just wanted to verify the proper order for fixing these issues. Seems like I need to correct the munge_from setting for all the affected lists and then as quickly as possible add REMOVE_DKIM_HEADERS = 1 to mm_cfg.py and restart. It appears that whichever task I complete first, some messages will be undeliverable until both changes are complete. Maybe it would be best to stop mailman, complete both changes and then restart? Just looking for the best way to do this.
REMOVE_DKIM_HEADERS has nothing to do with and should not affect DMARC. While it is true that DMARC action set to “munge_from” will break DKIM, DKIM is already broken by other list modifications to the message or you wouldn't be having DMARC issues.
Best practice is to Munge the From: if necessary based on the DMARC policy of the original From: domain and to DKIM sign the outgoing message with a sig from your domain which is also the munged From: domain.
If you want Mailman to remove the older DKIM sigs, you can configure that, but it should have no effect one way or the other. See <https://tools.ietf.org/html/rfc6376#section-6.1>.
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan
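The audit described in the question, as an added example that is not part of the original thread: it reads per-list configuration dumps of the kind Mailman 2.1's `config_list -o` writes (Python assignments) and reports every list whose `dmarc_moderation_action` is not 1 (Munge From). The dumps are parsed with `ast` rather than executed; the function names and the sample dumps are constructed for illustration, and real dumps are assumed to parse under the Python version running the script.

```python
import ast

# Numeric values of dmarc_moderation_action in Mailman 2.1.
DMARC_ACTIONS = {0: "Accept", 1: "Munge From", 2: "Wrap Message",
                 3: "Reject", 4: "Discard"}
MUNGE_FROM = 1


def parse_dump(text):
    """Return {name: value} for top-level literal assignments, without exec()."""
    settings = {}
    for node in ast.parse(text).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # not a plain literal; ignore rather than evaluate
    return settings


def audit(dumps):
    """dumps maps list name -> dump text. Return [(list, current action)]
    for every list not set to Munge From, sorted by list name."""
    findings = []
    for name, text in sorted(dumps.items()):
        action = parse_dump(text).get("dmarc_moderation_action")
        if action != MUNGE_FROM:
            label = DMARC_ACTIONS.get(action, "missing or unknown (%r)" % (action,))
            findings.append((name, label))
    return findings


# Constructed sample dumps (hypothetical list names), not from a real server.
SAMPLE_DUMPS = {
    "announce": "# -*- python -*-\nreal_name = 'Announce'\n"
                "from_is_list = 0\ndmarc_moderation_action = 1\n",
    "discuss": "real_name = 'Discuss'\ndmarc_moderation_action = 0\n",
    "legacy": "real_name = 'Legacy'\n",
}

if __name__ == "__main__":
    for listname, current in audit(SAMPLE_DUMPS):
        print("%s: dmarc_moderation_action is %s" % (listname, current))
```
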