Alternative DMARC mitigation: Keep Headers

This is just a suggestion:

The current Mailman code offers two alternative DMARC mitigation values: "Munge From" and "Wrap Message".

I would suggest a 3rd and even simpler mitigation:

"Keep Headers"

This setting would have the following effects within Mailman:

* Preserve the Subject header intact, as well as all other headers listed in the DKIM-Signature header of the actual post.

* Do not remove the DKIM-Signature header, even if the Mailman option to do so is set.

* Do not add a DKIM-Signature for the mailing list, even if otherwise configured to do so.

* If there is no DKIM-Signature in the post, none of the above applies.

* When gatewaying from NNTP to SMTP and there is no DKIM-Signature header in the post, use the "Munge From" procedure because most NNTP servers and newsreaders do not add the required DKIM signatures anyway.

The expected effect on message delivery would be:

+ The posting passes DKIM validation for the signature placed there by the posters domain

+ DMARC checking recipients will therefore (according to the DMARC spec) accept the message as validly sent by the original poster and let it pass.

+ Because the number of DKIM-Signature headers is not increased from 1 to 2, there is no issue with the common case where buggy DMARC checkers use only the first or last DKIM-Signature header, even though the RFC says to check all DKIM signatures that match the From header domain and accept if at least one is good.

+ Spoofed posts via SMTP with an invalid DKIM-Signature header will be correctly rejected as spoofs by anyone checking the DKIM signatures according to DMARC or ADSP.

+ Spoofed posts via SMTP with no DKIM-Signature header will be correctly rejected as spoofs by anyone checking the DKIM signatures according to DMARC or ADSP.

Note: Older Mailman versions happen to already do this for replies (but not original posts) by accident because they lack the code to rearrange the "Re: " in the Subject header.