
On 5/25/25 10:16 AM, Bjørn Mork via NANOG wrote:
>> If the domain in the "From:" header matches the domain where the public key is stored, the recipient knows that the email was DKIM signed by a mail server trusted by the sending domain (since it must have the private key). It can, therefore, assume that the email really is from the "From:" address, and has not been modified along the way.
> Yes, so this also works through a forwarding mail server, provided it only changes the envelope. Older mailing list software broke because it messed around with the message content, but that was completely unnecessary. And good to get rid of. Injecting some additional mailing list headers is still fine, and will not break DKIM.

It should be noted that NANOG's mailing list before the changeover didn't cause DKIM-breaking signature behavior, but now it does (like most mailing lists).

> The big problem with DMARC is that it ties SPF to the From header field, so changing the envelope sender will not work anymore. This forces the forwarder to mess with the From field to align it with an SPF-valid envelope. Which again will break any existing DKIM signature. Which of course can be worked around by adding another DKIM signature.
> DMARC is broken by design. SPF and DKIM worked fine alone.
Has anybody even enumerated why "alignment" is even a supposedly good idea? Or why unification of SPF and DKIM policy was needed at a protocol level? I mentioned that a BCP might be useful, but that doesn't require protocol-level standardization. I was sort of ambivalent about "alignment" when I first heard about it, but maybe that's really the heart of why it went off the rails, where both SPF's policy and DKIM's ADSP were actually sufficient before.

Mike
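The forwarding cases the thread argues about, worked through as an added example (not code from the NANOG thread or from any DMARC implementation): a minimal RFC 7489 identifier-alignment check run over constructed results, where `example.org` is the author's domain and `lists.example.net` the forwarding list, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification for this example: the last two
    labels. A real receiver consults the Public Suffix List (e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str          # domain in the RFC5322.From header
    mail_from: str            # RFC5321.MailFrom (envelope) domain
    spf_pass: bool            # SPF result for mail_from
    dkim_d: Optional[str]     # d= of a signature that verified, else None
    aspf: str = "r"           # alignment modes from the DMARC record
    adkim: str = "r"


def dmarc_pass(r: AuthResults) -> bool:
    """DMARC passes when at least one authenticated identifier (SPF's
    MAIL FROM or DKIM's d=) both passes and aligns with the From domain."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.mail_from, r.aspf)
    dkim_ok = r.dkim_d is not None and aligned(r.from_domain, r.dkim_d, r.adkim)
    return spf_ok or dkim_ok


def scenarios() -> dict:
    """Constructed cases from the thread (domains are made up)."""
    return {
        # Direct delivery: both identifiers aligned.
        "direct": dmarc_pass(AuthResults("example.org", "example.org", True, "example.org")),
        # Forwarder changes only the envelope: SPF no longer aligns, but the
        # author's DKIM signature survives, so DMARC still passes.
        "forward_envelope_only": dmarc_pass(AuthResults("example.org", "lists.example.net", True, "example.org")),
        # List edits the body: author's DKIM fails, list's SPF pass is
        # unaligned, so DMARC fails.
        "list_modifies_body": dmarc_pass(AuthResults("example.org", "lists.example.net", True, None)),
        # List rewrites From to its own domain and re-signs: passes again.
        "list_rewrites_from": dmarc_pass(AuthResults("lists.example.net", "lists.example.net", True, "lists.example.net")),
    }
```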