Skip to Content.
Sympa Menu

en - [en@sympa] Sympa ARC seals fails to validate

Subject: The mailing list for listmasters using Sympa

List archive

[en@sympa] Sympa ARC seals fails to validate

Chronological Thread  
    < Chronological >       < Thread >
  • From: Robin Roevens <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Subject: [en@sympa] Sympa ARC seals fails to validate
  • Date: Tue, 13 Feb 2024 16:16:14 +0000
Hi all

I'm trying to have ARC sealing work in Sympa but I don't seem to be
able to do so.

I have set up dkim with these settings in sympa.conf:
---
dkim_feature on
dkim_add_signature_to robot,list
dkim_signature_apply_on any
dkim_parameters.private_key_path /etc/sympa/dkim_private.pem
dkim_parameters.signer_domain <censored>
dkim_parameters.selector lists
---

which seems to work correctly as I see a DKIM signature and I see
Authentication-Result headers added by the receiving mailservers
indicating dkim=pass (test mode)

Then I also enabled ARC as initial topics started by certain
subscribers who have an email that had dmarc policy set to 'reject'
currently get bounced by O365:
---
arc_feature on
arc_srvid <censored, identical to dkim_parameters.signer_domain>
---
And I set up my MX (postfix) to add the Authorization-Results header
using rspamd.

Now I see ARC- headers being added by Sympa but still the mails bounce
on O365 adresses, even after adding the host as trusted ARC sealer in
O365.

I do note that on Gmail receivers I see "arc=fail (test pass)" in the
Authorization-Results header added by Google (but they still get
delivered.. for now.. ) and in the headers of the bounced messages that
was sent to O365 receivers I see "arc=fail (47)" added.

And for as far as I understand it, this indicates that the ARC-seal
added by Sympa does not validate.
For O365 explicit trust of ARC sealers is required, but that only works
if arc=pass (0 oda=0 ...) is added which would indicate that the ARC-
seal validated, but is not trusted (oda=0) and that would change in
arc=pass (0 oda=1 ...) when trusted. (and then no longer bounce)

But I have absolutely no idea why the ARC seals of Sympa won't
validate. For what I understand from the sympa docs, it should just
work when dkim is working and arc_feature is turned on.

What can I do to further debug this ? and/or are there any more
settings in sympa that could influence this ?

Thanks

Robin

Archive powered by MHonArc 2.6.19+.

Top of Page