With a DMARC policy of p=reject, it is currently hard to impossible to participate in the Gentoo mailing lists. It seems that mlmmj rewrites or adds headers, invalidating the DKIM signature. Then, with a strict DMARC policy, compliant mail servers reject the forwarded mail.

From a cursory look I think the problem is the Reply-To header, which is added on forwarding. Reply-To is listed in Section 5.4.1 "Recommended Signature Content" of RFC 6376 [1] and is usually included in the list of headers to sign. Whilst Google Mail, for example, signs this header, it does not specify a reject policy, having compliant mail servers ignore DKIM failure and deliver the mail.

I'd rather not relax my DMARC policy - especially since I can't do so on a per-recipient basis. Is there any hope to determine the issue and fix the mlmmj setup such that hosts with p=reject can participate again?

For reference, a mail that I sent today that went seemingly ignored (even though the archives picked it up) is at [2]. Right after sending the mail I got around 10 failure reports (through ruf=) from various servers, notifying me about the failure. I've not seen any DKIM failures with my setup before, so I'm pretty sure it's not on my side.

[1] https://datatracker.ietf.org/doc/html/rfc6376#autoid-53
[2] https://public-inbox.gentoo.org/gentoo-user/vidx57mvvadafgi233xusfug3papjiussz6puxc5vy562g4rl3@g3wdlrmiybez/T/#m30c69615cb5d76df78b89253a6e5da91aa304b29

Reproducible: Always

Steps to Reproduce:
1. Send mail to a Gentoo mailing list

Actual Results:
Some subscribers reject the mail because of a DKIM failure.

Expected Results:
The mail content is not touched, DKIM verification succeeds, and all subscribers receive the message.
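Added example, not part of the original report and not mlmmj or Gentoo code: a sketch of the mechanism the report suspects, where a header named in the signature's h= tag but absent at signing time is added by a forwarder. The addresses, the h= list and the function names are constructed for illustration; the DKIM-Signature field and the RSA step of a real verifier are left out, so only the signed-header hash is compared.

```python
import hashlib
import re

def relaxed(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower().strip()}:{value}\r\n"

def signed_header_hash(headers, h_tag):
    """Hash the header fields named in h=, in h= order.

    Per RFC 6376 section 5.4.2, each name consumes the bottom-most instance
    not yet used; a name with no instance left is null input (section 5.4).
    Simplification: the DKIM-Signature field itself, which a real verifier
    also feeds into the hash, is omitted.
    """
    remaining = list(headers)  # (name, value) pairs, top to bottom
    digest = hashlib.sha256()
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                name, value = remaining.pop(i)
                digest.update(relaxed(name, value).encode())
                break
    return digest.hexdigest()

# Constructed sample: the sender sets no Reply-To but lists it in h=.
H_TAG = "from:to:subject:date:reply-to"
AS_SENT = [
    ("From", "Alice <alice@sender.example>"),
    ("To", "list@lists.example"),
    ("Subject", "DKIM   test"),
    ("Date", "Mon, 01 Jan 2024 10:00:00 +0000"),
]
# Two constructed forwarder behaviours: one adds an unsigned header,
# the other adds a header the signature covers.
WITH_LIST_ID = AS_SENT + [("List-Id", "<list.lists.example>")]
WITH_REPLY_TO = AS_SENT + [("Reply-To", "list@lists.example")]

def survives(forwarded):
    """True if the signed-header hash is unchanged after forwarding."""
    return signed_header_hash(forwarded, H_TAG) == signed_header_hash(AS_SENT, H_TAG)

if __name__ == "__main__":
    print("List-Id added :", survives(WITH_LIST_ID))
    print("Reply-To added:", survives(WITH_REPLY_TO))
```

Adding a header outside h= leaves the hash intact, while adding the covered Reply-To changes it, which is the condition under which a p=reject policy leads receivers to refuse the forwarded copy.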
Now that the aggregate reports have started to arrive I can give some more info on how failures are handled. Most mail services seem to compliantly reject mail. Some bigger services (I have reports by fastmail.com and google.com) seem to implement certain heuristics for mailing lists and downgrade the policy from reject to quarantine (in Google's case "quarantine with a phishing warning").