[Rspamd-Users] false positives with DKIM/DMARC and mailing lists (sympa)

Kapetanakis Giannis bilias at edu.physics.uoc.gr
Wed Nov 5 11:59:41 UTC 2025


On 05/11/2025 13:21, Vsevolod Stakhov wrote:
> On 05/11/2025 11:13, Kapetanakis Giannis wrote:
>> Hi,
>>
>> We're having some trouble with some valid mails coming from mailing list when the original sender has dkim signatures and dmarc policy.
>>
>> rspamd applies a big score and I know it's ok and that something is missing on the mailing list server side.
>> Since I also run sympa I want to find what is the best way to handle this, in order to apply both to my site and inform the remote
>> mailing list admin.
>>
>> - Munge the From address?
>> - Strip original DKIM headers (this will probably fail dmarc)?
>> - Make the mail list server apply a new DKIM header?
>> - Make the mail list apply ARC?
>> - All/some of the above?
>>
>> I'm whitelisting mails detected as MAILLIST and have a specific MIME_TO or MIME_FROM header,
>> but this is done after they are blocked once (and spotted by me or reported). So this is not a permanent solution.
>>
>> Here is a test mail that got blocked by rspamd. I've altered the domain names, hoping I didn't make any mistake there
>>
>> sender at original.sender.com sends mail to list at mailglist.com
>> His email is also handled by gmail, so we have
>> X-Google-DKIM-Signature
>> DKIM-Signature for d=original.sender.com
>>
>> Mailing list does not apply DKIM for @mailglist.com
>>
>> Mail comes to my domain.
>>
>> Mail From: list-owner at mailglist.com
>> Mime From: sender at original.sender.com
>> Mime To: list at mailglist.com
>> Rcpt To: my_user at example.com
>>
>> Does rspamd also check mail from (instead of mime from) for DKIM?
>> Is there a preference there?
>>
>> The relevant headers are below. If someone can have a look and post advice I would appreciate it.
>
> You are correct that the optimal handling for mailing list emails, especially when the original sender uses DKIM signatures and has a DMARC policy, is to rely on DMARC munging (also called address rewriting or "friendly from"). Rspamd has built-in support for DMARC munging to modify the From header to align with the mailing list’s domain, thus allowing DMARC checks to pass without stripping original DKIM signatures unnecessarily.
>
> ### Regarding your points:
>
> - **Munge the From address?**
>   This is the recommended approach. Rspamd’s [DMARC munging feature](https://rspamd.com/doc/modules/dmarc.html#munging) can rewrite the From address so that DMARC alignment is preserved with the mailing list domain. It helps avoid DMARC failures caused by header From mismatches. This approach preserves original DKIM headers and respects the DMARC policy.
>
> - **Strip original DKIM headers?**
>   Stripping original DKIM headers should generally be avoided because it breaks DKIM verification and typically causes DMARC failures if the original domain requires alignment. It can be considered only if the mailing list server applies its own DKIM signatures and replaces the original ones properly.
>
> - **Make the mailing list server apply a new DKIM header?**
>   This is highly recommended if possible. If the mailing list signs outgoing messages with DKIM on its own domain, the recipient can verify the legitimacy of the mailing list itself rather than the original sender. Sympa supports DKIM signing here; see their [DKIM configuration docs](https://www.sympa.org/manual/admin/usage-smtp.html#dkim).
>
> - **Make the mailing list apply ARC (Authenticated Received Chain)?**
>   Applying ARC is ideal as it allows downstream systems (like Rspamd) to verify that the message was authenticated at an earlier stage, even if it was modified by the mailing list. ARC helps preserve the reputation of the original sender and can prevent spoofing flags. Rspamd supports ARC validation and scoring as documented here: https://rspamd.com/doc/modules/arc.html
>
> ### Additional notes on Rspamd checks:
>
> - Rspamd DKIM verification checks the `d=` domain tag in DKIM signatures only, without preference between MIME From or envelope From, but DMARC requires alignment: the DKIM `d=` domain must match the domain in the header From (MIME From) for DKIM to count toward passing DMARC. Similarly, SPF must align with the SMTP envelope sender domain.
>
> - Unfortunately, DMARC alignment rules are strict and non-negotiable. For mailing lists, munging or ARC are your best options.
>
> ### For your whitelisting approach:
>
> - Whitelisting MAILLIST-tagged emails based on MIME_TO or MIME_FROM headers is a practical short-term workaround but does not solve the root cause and should be combined with improvements on the mailing list server side. 


Thank you very much Vsevolod for the quick, extensive and most helpful reply.

I'm not running rspamd myself on (my) sympa side but I do DKIM sign messages with my domain key there.
Can't remember if I've enabled munging or stripping of original DKIM headers, probably not.

Reading sympa's documentation about DKIM/ARC it's a bit strange because it assumes that the (mail) server only runs sympa,
and only sympa signs the messages. I sign with opendkim on the postfix side so I have to figure out how to make this work ok for both (the ARC part).

I also need to find out where the From munging can be set up.
Probably this: dmarc_protection.mode dmarc_reject

Thanks again,

Giannis
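
The alignment rule discussed in this thread, as an added example that is not part of the original messages and is not Rspamd's code: it evaluates DMARC for the altered addresses above as received, with the list signing for its own domain only, and with the From munged. The broken original signature, the SPF pass for the list domain and the two-label organizational domain (a real check uses the Public Suffix List) are assumptions; ARC is a separate local-policy override and is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Dkim:
    domain: str   # d= tag of the signature
    valid: bool   # whether the signature verified at the receiver

@dataclass
class Message:
    envelope_from: str  # SMTP MAIL FROM
    header_from: str    # MIME From
    spf_pass: bool      # SPF result for the envelope domain
    dkim: list          # list of Dkim results

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def org_domain(domain):
    # Simplification (assumption): last two labels, no Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def aligned(a, b, strict=False):
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_eval(msg, strict=False):
    """DMARC passes if SPF or DKIM passes AND aligns with the header From."""
    from_dom = domain_of(msg.header_from)
    spf = msg.spf_pass and aligned(domain_of(msg.envelope_from), from_dom, strict)
    dkim = any(s.valid and aligned(s.domain, from_dom, strict) for s in msg.dkim)
    return {"spf_aligned": spf, "dkim_aligned": dkim, "pass": spf or dkim}

# Constructed inputs based on the altered addresses in the thread.
# As received: list did not sign; original signature assumed broken by the list.
AS_RECEIVED = Message("list-owner@mailglist.com", "sender@original.sender.com",
                      True, [Dkim("original.sender.com", False)])
# List adds its own valid signature but leaves the From untouched.
LIST_SIGNED = Message("list-owner@mailglist.com", "sender@original.sender.com",
                      True, [Dkim("original.sender.com", False),
                             Dkim("mailglist.com", True)])
# List munges the From to its own domain and signs for that domain.
MUNGED = Message("list-owner@mailglist.com", "list@mailglist.com",
                 True, [Dkim("original.sender.com", False),
                        Dkim("mailglist.com", True)])

if __name__ == "__main__":
    for name, m in [("as received", AS_RECEIVED), ("list signed", LIST_SIGNED),
                    ("munged", MUNGED)]:
        print(name, dmarc_eval(m))
```

A list signature on its own does not change the DMARC outcome while the header From still carries the original sender's domain; only the munged case aligns.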


