[Mailman-Users] Giving away the secrets of 99.3% email delivery

Joe Sniderman joseph.sniderman at thoroquel.org
Sun May 13 15:45:37 CEST 2012

On 05/13/2012 01:39 AM, David wrote:


> If you think of anything, please let me know. I have been reading all
> the DKIM related posts I can find, both on this list and other
> places.
> For a mailing list, would I have to expand my SigningTable in any
> way? 

No, as long as the list's domain is in your SigningTable.

> My opendkim SigningTable currently only has an entry for 
> *@list.example.com(which is associated with list._ 
> domainkey.example.com).
> But /var/log/mail.log shows a lot of entries like this:
> no signing table match for [some member of the list]

OpenDKIM is seeing the subscriber's domain as the sender domain, and is
basing its decision not to sign on the fact that the poster's domain is
not in the signing table.

If you want to sign outgoing messages, you probably want to sign based
on the list's domain, rather than the poster's domain.

By default, OpenDKIM only looks at the "From" message header to
determine the sender.

from opendkim.conf(5):

>| SenderHeaders (dataset) Specifies an ordered list of header fields
>| that should be searched to determine the sender of a message.  This
>| is mainly used when verifying a message to determine the origin
>| domain, particularly for doing domain policy queries.  By default,
>| the  DKIM library's internal list is used, which consists solely of
>| the "From" header field.

Assuming that your mailman instance adds a "Sender" header that matches
the list-name (or a verpified version thereof) to outgoing messages,
adding something like:

SenderHeaders           Sender,From

to your opendkim.conf *should* resolve the problem.
FWIW, making that config change resolved the issue in my case. YMMV.

Joe Sniderman <joseph.sniderman at thoroquel.org>

More information about the Mailman-Users mailing list