[adding balug-admin]
Quoting Glen Martin (glen@glen-martin.com):
> I expect the alterations are the insertion of a list footer in the message text. I expect similar insertion in the Subject header to be problematic as well, though this DMARC didn't complain of that.
> My understanding is that the sending domain's DKIM policy (portion of DMARC) declares which headers and text portions are attested by cryptographic signing. Failing the DKIM aspect of DMARC means the forwarder host (in this case the MLM host) has altered or inserted into one of the signed areas of the message, and not stripped the DKIM headers. (Some listadmins strip such headers as a way of avoiding the perception of DMARC failure upon retransmission. I'm not sure this is wise. Seems like there might be adverse consequences.)
> Here's a header from one of my own messages to the list, having come back to me through the list and evaluated using my own inbound testers (opendmarc and opendkim). The two "Authentication-results:" headers are the problem. For help understanding the headers, I'll point out that my primary domain on this MX is locutory.org, hence that name in the headers.
Downthread in that offlist conversation with Michael, I notice you said:
> However, glen-martin.com publishes authorized sending hosts (in SPF), and temp.balug.org (or any other balug.org) isn't on that list. Strike 1.
To the best of my understanding, MLM retransmission of messages to subscribers is _not_ going to violate any sender's SPF policy, because the retransmitted message to each subscriber bears a new, different envelope citing the MLM's domain. Hence, on that retransmission, the relevant SPF record that would be consulted upon arrival at the subscriber's MTA is not the poster's domain but rather the MLM's (balug.org's).
The example test mail to balug-talk whose full headers you sent to Michael had, as received by you as subscriber:
Received-SPF: pass (glen-martin.com: 50.196.148.122 is authorized to use 'glen@glen-martin.com' in 'mfrom' identity (mechanism 'ip4:50.196.148.122' matched) (glen-martin.com: 50.196.148.122 is authorized to use 'glen@glen-martin.com' in 'mfrom' identity (mechanism 'ip4:50.196.148.122' matched)))
If I'm reading that right, temp.balug.org's (IP 198.144.194.238's) MTA software inserted that when it received your original posting, and temp.balug.org considered all to be well at that point, as 50.196.148.122 was one of the declared authorised senders in your domain's SPF RR.
temp.balug.org then turned around and retransmitted a fresh copy to each balug-talk subscriber including, of course, you. It bore a totally new SMTP envelope, for which the envelope sender was:
Return-Path: balug-talk-bounces@temp.balug.org
So, your receiving MTA, getting the subscriber copy, would have sought to vet transmitting MTA IP 198.144.194.238 (temp.balug.org) against the SPF RR not of _your_ domain (for that copy), but rather of domain balug.org.
People get really confused about SPF and mailing lists, I notice, forgetting that the MLM's forward is a separate message with a different SMTP envelope (from a different domain).
Let's look at the balug.org SPF RR:
:r! dig -t txt balug.org +short
[null return value]
Well, Michael, time to put an SPF RR in the balug.org DNS. This one works for my domain:
:r! dig -t txt linuxmafia.com +short
"v=spf1 a mx -all"
Any questions, please just ask. It says 'use version 1 of SPF protocol, consider the received mail legitimate if it arrives from an IP corresponding with the linuxmafia.com A or MX RR, and please hardfail as a forgery any message purporting to come from linuxmafia.com arriving from any _other_ IP.'
> Authentication-Results: mail2.locutory.org (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=glen-martin.com
Well, could you please compare the message body as you sent it with the message body as you received it in the retransmitted subscriber copy, and tell us what you signed that got changed?
What I'm saying is that it's unclear on this end what is the scope of your domain's DKIM cryptographic scrutiny. OK, the 'body has been altered', but what specifically does that mean? Is your domain's DKIM policy so twitchy that Mailman merely adding a Mailman footer breaks it? Does Mailman adding List-Id, List-Subscribe, List-Help, and List-Unsubscribe headers break it? You define and control that DKIM policy for your domain, so perhaps you can tell us.
> Balug is also inserting headers/footers into Subject and Body, so the DKIM checksum fails (message is modified). Strike 2.
You cannot expect Mailman mailing lists to _not_ add additional SMTP headers, add a footer, and insert a Subject header tag (like '[BALUG-Talk]'), so it seems to me your DKIM policy ought _not_ to be set to fail if such things are changed by standards-compliant forwarders such as MLMs. Those are things that mailing lists _must_ do in some cases, and traditionally do for excellent reasons (like adding a footer) in others.
If you expect mailing lists to not do normal mailing list things, then I submit that IMO your domain's DKIM policy is broken and urgently needs revision.
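The two arguments in this message, that SPF is evaluated against the envelope of whichever hop delivered the copy and that a list footer or Subject tag breaks a DKIM signature covering those parts, can be traced in a small model. The script below is an added example, not code from this thread, from Mailman or from any mail server. It assumes a dict standing in for DNS (seeded with the IPs and the "v=spf1 a mx -all" record quoted above), a DKIM reduced to the bh=, h= and l= tags with no RSA signature, and constructed placeholder values for the List-* headers, footer text and the outside IP 203.0.113.9.

```python
"""Added example for the balug-admin thread above; not Mailman's or any
mail server's code.  Toy model of the two checks discussed: SPF, judged
on the envelope of the hop that delivered the copy, and DKIM's body hash
(bh=) and signed-header list (h=), which a list footer or Subject tag can
break.  DNS is a dict seeded from values quoted in the thread, DKIM keeps
no RSA signature, and all other values are constructed placeholders."""
import base64
import hashlib
import ipaddress

# Constructed DNS table: domain -> TXT / A / MX answers (no real resolver).
DNS = {
    "glen-martin.com": {"TXT": ["v=spf1 ip4:50.196.148.122 -all"], "A": [], "MX": []},
    # temp.balug.org publishes no SPF record yet, as the dig in the thread showed.
    "temp.balug.org": {"TXT": [], "A": ["198.144.194.238"], "MX": ["temp.balug.org"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(mail_from, client_ip, dns=DNS):
    """SPF result for the current envelope MAIL FROM domain and connecting IP.
    A list's retransmission is therefore judged by the list domain's record,
    not the original poster's.  Supports ip4:, a, mx and all."""
    domain = mail_from.rsplit("@", 1)[-1]
    records = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "a":
            matched = client_ip in dns[domain]["A"]
        elif mech == "mx":
            matched = any(client_ip in dns.get(mx, {}).get("A", []) for mx in dns[domain]["MX"])
        else:
            continue  # mechanisms this toy does not model are skipped
        if matched:
            return RESULT[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


def with_spf(dns, domain, record):
    """Copy of the DNS table with an SPF TXT record published for domain."""
    new = {d: dict(v) for d, v in dns.items()}
    entry = new.setdefault(domain, {"TXT": [], "A": [], "MX": []})
    entry["TXT"] = [record] + entry["TXT"]
    return new


def canonical_body(body):
    """'simple' body canonicalization (RFC 6376 3.4.3): CRLF line endings,
    trailing empty lines collapsed to a single CRLF."""
    return (body.replace("\r\n", "\n").rstrip("\n") + "\n").replace("\n", "\r\n").encode()


def body_hash(body, length=None):
    """bh= tag: base64(SHA-256) over the canonical body, or its first l= bytes."""
    data = canonical_body(body)
    return base64.b64encode(hashlib.sha256(data[:length]).digest()).decode()


def dkim_sign(headers, body, signed_headers, length=None):
    """What the signer commits to; the RSA part is replaced by a snapshot
    of the signed header values."""
    return {"h": tuple(signed_headers), "bh": body_hash(body, length), "l": length,
            "snapshot": {h: headers.get(h) for h in signed_headers}}


def dkim_verify(sig, headers, body):
    """Re-check a relayed copy; (ok, reason) as Authentication-Results would say."""
    for h in sig["h"]:
        if headers.get(h) != sig["snapshot"][h]:
            return False, f"signed header {h} has been altered"
    if body_hash(body, sig["l"]) != sig["bh"]:
        return False, "body has been altered"
    return True, "pass"


def mailman_relay(headers, body):
    """The list-manager edits named in the thread: Subject tag, List-* headers,
    footer.  Header values and footer text are constructed placeholders."""
    out = dict(headers, subject="[BALUG-Talk] " + headers["subject"])
    out["list-id"] = "<balug-talk.example>"
    out["list-unsubscribe"] = "<mailto:unsubscribe@example>"
    return out, body.rstrip("\n") + "\n\n-- \nconstructed list footer\n"


def demo():
    """Both checks on a constructed post and its relayed copy."""
    post = {"from": "glen@glen-martin.com", "subject": "test", "date": "constructed"}
    body = "Hello list,\n\nthis is a test post.\n"
    hdrs, rbody = mailman_relay(post, body)
    lst, lst_ip = "balug-talk-bounces@temp.balug.org", "198.144.194.238"
    dns2 = with_spf(DNS, "temp.balug.org", "v=spf1 a mx -all")
    strict = dkim_sign(post, body, ("from", "subject", "date"))           # Subject signed
    no_l = dkim_sign(post, body, ("from", "date"))                        # whole body signed
    tolerant = dkim_sign(post, body, ("from", "date"), len(canonical_body(body)))  # l= set
    return {
        "spf_original": spf_check("glen@glen-martin.com", "50.196.148.122"),
        "spf_relay_no_record": spf_check(lst, lst_ip),
        "spf_relay_with_record": spf_check(lst, lst_ip, dns2),
        "spf_relay_forged": spf_check(lst, "203.0.113.9", dns2),  # constructed outside IP
        "dkim_subject_signed": dkim_verify(strict, hdrs, rbody),
        "dkim_no_l_tag": dkim_verify(no_l, hdrs, rbody),
        "dkim_tolerant": dkim_verify(tolerant, hdrs, rbody),
    }
```

Running `demo()` shows the relayed copy going from "none" to "pass" once the list domain publishes a record, while a copy from any other IP hardfails; on the DKIM side the subject tag only matters when Subject is in h=, and the footer only matters when no l= bounds the signed body. The l= tag is a trade-off rather than a free fix: bytes past the signed length are unauthenticated, which RFC 6376 (section 8.2) itself flags, so some receivers discount such signatures; leaving Subject out of h= has no such cost.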