12.5 Using DKIM with LISTSERV
By default (DKIM_SIGN_ALL=0), LISTSERV does not sign any messages using DKIM other than those for which DKIM signing is expicitly requested by the caller, for instance, DISTRIBUTE jobs with an explicit “DKIM=YES” parameter in the JOB card. List mail and non-list administrative messages will not be signed when DKIM_SIGN_ALL is left at the default value.
However, because of its relationship to the DMARC protocol, you will probably want to have LISTSERV sign every message that it generates, regardless of its source. Setting DKIM_SIGN_ALL=1 in the site configuration file tells LISTSERV to try to sign every message for which it has a suitable private key, as defined in the DKIM_SIGN configuration parameter (see above).
(If setting DKIM_SIGN_ALL in the go.user file under Unix, please also ensure that the variable is exported.)
Once you have enabled DKIM signing with DKIM_SIGN_ALL=1, the behavior is as follows:
With mailing lists:
- Incoming DomainKeys signatures submitted to a mailing list will be suppressed unless “Misc-Options= KEEP_DKIM_SIGNATURE” is set in the list configuration.
In general, you will not need (or want) to use the KEEP_DKIM_SIGNATURE option. As DKIM is specified today, signatures DO NOT survive posting to mailing lists (LISTSERV or otherwise), so LISTSERV removes them by default to avoid triggering alerts for subscribers whose mail hosts have implemented the stricter forms of DKIM. Therefore, if used at all, the KEEP_DKIM_SIGNATURE option should be used judiciously and with caution.
- When DKIM signing is enabled at the server level (DKIM_SIGN_ALL=1), the default is that all list mail (including administrative mail) will be signed. It is possible to override the default and disable DKIM signing for individual lists (typically for debugging purposes) by using the “Misc-Options= NO_DKIM_SIGNATURE” setting in the list configuration. It is not recommended to run with this option set during normal operation.
In DISTRIBUTE and DISTRIBUTE MAIL-MERGE jobs:
A DKIM=NO|YES option is available for the DISTRIBUTE command (default: NO). This will fail if running a LISTSERV version without DKIM support, but otherwise it always succeeds. Messages originating from domains for which LISTSERV has been configured to sign will be signed, while those originating from other domains won’t be.
In other types of messages:
When DKIM signing is enabled as described above, LISTSERV will to try to sign every message for which it has a suitable private key, as defined in the DKIM_SIGN configuration parameter.