[Rspamd-Users] false positives with DKIM/DMARC and mailing lists (sympa)
Vsevolod Stakhov
vsevolod at rspamd.com
Wed Nov 5 11:21:39 UTC 2025
On 05/11/2025 11:13, Kapetanakis Giannis wrote:
> Hi,
>
> We're having some trouble with some valid mails coming from a mailing list when the original sender has dkim signatures and dmarc policy.
>
> rspamd applies a big score and I know it's ok and that something is missing on the mailing list server side.
> Since I also run sympa I want to find what is the best way to handle this, in order to apply both to my site and inform the remote
> mailing list admin.
>
> - Munge the From address?
> - Strip original DKIM headers (this will probably fail dmarc)?
> - Make the mail list server apply a new DKIM header?
> - Make the mail list apply ARC?
> - All/some of the above?
>
> I'm whitelisting mails detected as MAILLIST and have a specific MIME_TO or MIME_FROM header,
> but this is done after they are blocked once (and spotted by me or reported). So this is not a permanent solution.
>
> Here is a test mail that got blocked by rspamd. I've altered the domain names, hoping I didn't make any mistake there
>
> sender at original.sender.com sends mail to list at mailglist.com
> His email is also handled by gmail, so we have
> X-Google-DKIM-Signature
> DKIM-Signature for d=original.sender.com
>
> Mailing list does not apply DKIM for @mailglist.com
>
> Mail comes to my domain.
>
> Mail From: list-owner at mailglist.com
> Mime From: sender at original.sender.com
> Mime To: list at mailglist.com
> Rcpt To: my_user at example.com
>
> Does rspamd also check mail from (instead of mime from) for DKIM?
> Is there a preference there?
>
> The relevant headers are below. If someone can have a look and post some advice I would appreciate it.

You are correct that the optimal handling for mailing list emails,
especially when the original sender uses DKIM signatures and has a DMARC
policy, is to rely on DMARC munging (also called address rewriting or
"friendly from"). Rspamd has built-in support for DMARC munging to
modify the From header to align with the mailing list’s domain, thus
allowing DMARC checks to pass without stripping original DKIM signatures
unnecessarily.
### Regarding your points:
- **Munge the From address?**
This is the recommended approach. Rspamd’s [DMARC munging
feature](https://rspamd.com/doc/modules/dmarc.html#munging) can rewrite
the From address so that DMARC alignment is preserved with the mailing
list domain. It helps avoid DMARC failures caused by header From
mismatches. This approach preserves original DKIM headers and respects
the DMARC policy.
- **Strip original DKIM headers?**
Stripping original DKIM headers should generally be avoided because
it breaks DKIM verification and typically causes DMARC failures if the
original domain requires alignment. It can be considered only if the
mailing list server applies its own DKIM signatures and replaces the
original ones properly.
- **Make the mailing list server apply a new DKIM header?**
This is highly recommended if possible. If the mailing list signs
outgoing messages with DKIM on its own domain, the recipient can verify
the legitimacy of the mailing list itself rather than the original
sender. Sympa supports DKIM signing here; see their [DKIM configuration
docs](https://www.sympa.org/manual/admin/usage-smtp.html#dkim).
- **Make the mailing list apply ARC (Authenticated Received Chain)?**
Applying ARC is ideal as it allows downstream systems (like Rspamd)
to verify that the message was authenticated at an earlier stage, even
if it was modified by the mailing list. ARC helps preserve the
reputation of the original sender and can prevent spoofing flags. Rspamd
supports ARC validation and scoring as documented here:
https://rspamd.com/doc/modules/arc.html
### Additional notes on Rspamd checks:
- Rspamd DKIM verification checks the `d=` domain tag in DKIM signatures
only, without preference between MIME From or envelope From, but DMARC
requires alignment: the DKIM `d=` domain must match the domain in the
header From (MIME From) for DKIM to count toward passing DMARC.
Similarly, SPF must align with the SMTP envelope sender domain.
- Unfortunately, DMARC alignment rules are strict and non-negotiable.
For mailing lists, munging or ARC are your best options.
### For your whitelisting approach:
- Whitelisting MAILLIST-tagged emails based on MIME_TO or MIME_FROM
headers is a practical short-term workaround but does not solve the root
cause and should be combined with improvements on the mailing list
server side.
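
The DMARC alignment logic discussed in this thread, as an added example (not part of the original message and not Rspamd's code). The domains are the ones from the quoted test mail; the SPF and DKIM verification results are constructed, and the organizational domain is approximated as the last two labels, where a real verifier uses the Public Suffix List.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.
    # Real verifiers consult the Public Suffix List (RFC 7489, section 3.2).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str    # domain of the MIME From header
    envelope_from: str  # domain of the SMTP MAIL FROM
    spf_pass: bool      # SPF result for envelope_from (constructed)
    dkim: list          # (d= domain, signature verified?) pairs (constructed)

def dmarc_eval(msg: Message, adkim_strict: bool = False, aspf_strict: bool = False) -> dict:
    # DMARC passes if at least one mechanism both passes and aligns with header From.
    dkim_ok = any(ok and aligned(d, msg.header_from, adkim_strict) for d, ok in msg.dkim)
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from, aspf_strict)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_pass": dkim_ok or spf_ok}

# Constructed scenarios built on the thread's test mail.
# Assumed: the list changed the message, so the sender's signature no longer verifies.
AS_RECEIVED = Message("original.sender.com", "mailglist.com", True,
                      [("original.sender.com", False)])
# The list adds its own signature but keeps the original From.
LIST_SIGNED = Message("original.sender.com", "mailglist.com", True,
                      [("original.sender.com", False), ("mailglist.com", True)])
# From is rewritten to the list domain and the list signs.
MUNGED_SIGNED = Message("mailglist.com", "mailglist.com", True,
                        [("mailglist.com", True)])
# The list forwards without touching signed content.
UNMODIFIED = Message("original.sender.com", "mailglist.com", True,
                     [("original.sender.com", True)])

if __name__ == "__main__":
    for name in ("AS_RECEIVED", "LIST_SIGNED", "MUNGED_SIGNED", "UNMODIFIED"):
        print(f"{name:14} {dmarc_eval(globals()[name])}")
```

In these constructed cases a list signature alone still fails DMARC, because `d=mailglist.com` does not align with a From header at original.sender.com.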