2

I am subscribed to a number of mailing lists that don't remove my DKIM signature but mutate messages (change From) and add their own DKIM. Resulting messages have 2 DKIM signatures, one failing and one passing.

DMARC is perhaps the biggest problem for me. When I send a message via such a mailing list I started to receive dozens of DMARC reports stating that my message contains a failed DKIM signature.

How can I disable my DKIM signatures when sending messages to these mailing lists?

I have standard DKIM-related configuration for exim:

DKIM_CANON = relaxed
DKIM_SELECTOR = default
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/DKIM_DOMAIN/DKIM_SELECTOR.private.pem
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

As far as I understand I cannot check $recipients, right?

So I think I will configure my MUA (mutt) to change local part and check the local part. Something like

DKIM_PRIVATE_KEY = ${if and{{!eq{$local_part}{phd+list}}{exists{DKIM_FILE}}} {DKIM_FILE}{0}}

Is there a better way to do it?

Upd. I decided to go a slightly different way: add/check a custom header X-Skip-DKIM-Sig. So in my .muttrc I add the header for known mailing lists:

send-hook ~u "\
    unmy_hdr Reply-To; \
    my_hdr X-Skip-DKIM-Sig: mailing list"

and in exim I check it:

DKIM_PRIVATE_KEY = ${if and{{!def:h_x-skip-dkim-sig:}{exists{DKIM_FILE}}} {DKIM_FILE}{0}}
phd

1 Answer

3

There's no need. The failing DKIM signature does not impair delivery. It's only important whether or not a valid DKIM signature is present.

For the purposes of DMARC, it is important that the domain that the DKIM signature relates to is the same as in the From MIME Header. If the mail server modifies the subject or body, it also has to modify the From header in order to be able to send something that passes DMARC. This is problematic, and many if not most mail servers fail. Explaining this to users is an ongoing problem.

ARC attempts to fix this. It's relatively new though, so adoption is patchy.

mc0e
  • 1
    DMARC is perhaps the biggest problem for me. When I send a message via such a mailing list I started to receive dozens of DMARC reports stating that my message contains a failed DKIM signature. Ouch! I updated my question. – phd Oct 07 '17 at 18:55
  • 1
    You can't fix what the mailing list server does by changing what you send to it. Neither does the DMARC signature you are applying now hurt. Maybe you can learn enough to help the list admins to improve things, but it's not a simple problem they are facing. Probably you should just move into something where your time will be more productive. – mc0e Oct 07 '17 at 19:10
  • 1
    I'm not going to fix all those MLs. I just want to stop DKIM-signing my messages to them and stop receiving DMARC reports. Problem solved. – phd Oct 07 '17 at 20:24
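
The DKIM side of the DMARC check discussed in the answer, as an added example that is not part of the original question, answer or comments: it reads the receiver's Authentication-Results header and reports whether any passing signature is aligned with the From domain. The domains, header contents and function names are constructed for illustration, SPF is ignored, and relaxed alignment is simplified to a parent/child domain match (a real evaluator compares Organizational Domains using the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

def dkim_results(msg):
    """(result, d= domain) for every DKIM entry in Authentication-Results."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", value):
            found.append((m.group(1).lower(), m.group(2).lower()))
    return found

def aligned(sig_domain, from_domain, strict=False):
    """Strict: identical domains. Relaxed is simplified here to a parent/child
    match (assumption); real code compares Organizational Domains via the PSL."""
    if strict or sig_domain == from_domain:
        return sig_domain == from_domain
    return (sig_domain.endswith("." + from_domain)
            or from_domain.endswith("." + sig_domain))

def dmarc_dkim_leg(raw, strict=False):
    """True if at least one passing signature is aligned with the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return any(res == "pass" and aligned(d, from_domain, strict)
               for res, d in dkim_results(msg))

# Constructed samples: the list changed the body, so the author's signature fails.
BOTH_SIGS = ("Authentication-Results: mx.receiver.example;\n"
             " dkim=fail (body hash did not verify) header.d=author.example;\n"
             " dkim=pass header.d=list.example\n")
LIST_SIG_ONLY = ("Authentication-Results: mx.receiver.example;\n"
                 " dkim=pass header.d=list.example\n")
FROM_REWRITTEN = 'From: "Author via List" <list@list.example>\nSubject: t\n\nbody\n'
FROM_UNCHANGED = "From: Author <author@author.example>\nSubject: t\n\nbody\n"

if __name__ == "__main__":
    cases = [("both signatures, From rewritten", BOTH_SIGS + FROM_REWRITTEN),
             ("both signatures, From unchanged", BOTH_SIGS + FROM_UNCHANGED),
             ("list signature only, From rewritten", LIST_SIG_ONLY + FROM_REWRITTEN),
             ("list signature only, From unchanged", LIST_SIG_ONLY + FROM_UNCHANGED)]
    for name, raw in cases:
        print(f"{name}: DKIM leg {'pass' if dmarc_dkim_leg(raw) else 'fail'}")
```

The result depends on which domain is in From and whether a passing signature for that domain exists; the failing second signature does not change it in either direction.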