> I think deployment of DKIM requires good support of DKIM by some of the
> major mailing list software. I am one of the authors of the Sympa mailing
> list software and I feel concerned by this. What must a mailing list
> manager do with DKIM?

This is a rather contentious point.

One model which we might call the "thin" model considers mailing lists
to be essentially mail forwarders, so the identity of the mail is that
of the original sender. This encourages list software to minimize the
changes they make to mail on the way through to avoid breaking the
signature, and perhaps to add its own signature on the way through.
IIM had a few hacks intended to help this, a length to tell the
recipient that the signature doesn't cover all of the message, and
duplicated headers so that it can log what, e.g., the Subject line
said before the list added a [listname] tag. I've never seen a
persuasive description of what recipients are supposed to do with
mismatched subject lines and chunks of unsigned trailing material but
I expect people who think it's a good idea can explain it. Another
way to be sure the signature stays intact would be to encapsulate
every incoming signed message like a one-message MIME digest, but list
reading users would probably not enjoy that.

The other "thick" model considers the mailing list to be the
originator of the message. In this model, the list software would
strip off the signature from the incoming message, do whatever it does
to the message, and re-sign it on the way out. This better matches
modern list software that does things like reordering and deleting
MIME parts and flattening HTML to plain text. There are a variety of
plausible things it might do with the inbound signature, ranging from
discarding it (on the theory that it's the list's reputation that
matters for list mail, not the reputation of the contributors) to
using a proposed header to log the fact that the inbound message had a
good signature, and signing that.

Depending on your view of what a list is and the way your list
software works, you could try and implement either of these. One
thing I can definitely promise is that people will have religious
beliefs as deep and irrational as the ones they have about Reply-To:
headers, so no matter what you do, you can be sure that someone will
tell you that you are an idiot for not doing it his way.
ietf-dkim mailing list
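
An added illustration, not part of the original message: the signed-length idea from the "thin" model, shown with DKIM's `l=` tag and "simple" body canonicalization as defined in RFC 6376 (an assumption here, since the reply describes IIM's version). The sample body, list footer and function names are constructed for the example.

```python
import base64
import hashlib

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty
    lines and end with exactly one CRLF (empty body -> single CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body

def body_hash(body: bytes, length=None) -> str:
    """bh= value: base64 SHA-256 of the canonical body, truncated to
    the l= octet count when one is given."""
    data = canon_body_simple(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_body(received: bytes, bh: str, length=None) -> dict:
    """Recipient-side check: does the body hash still match, and how
    many octets after the signed region are covered by no signature?"""
    canon = canon_body_simple(received)
    if length is not None and length > len(canon):
        return {"ok": False, "unsigned_octets": 0}  # shorter than signed span
    ok = body_hash(received, length) == bh
    unsigned = len(canon) - length if (ok and length is not None) else 0
    return {"ok": ok, "unsigned_octets": unsigned}

# Constructed sample: what the author signed, and what the list relays.
ORIGINAL = b"What must a list manager do with DKIM?\r\n"
FOOTER = b"_______________\r\nexample-list mailing list\r\n"
RELAYED = ORIGINAL + FOOTER
SIGNED_LEN = len(canon_body_simple(ORIGINAL))
BH_FULL = body_hash(ORIGINAL)              # signature without a length
BH_LEN = body_hash(ORIGINAL, SIGNED_LEN)   # signature carrying a length

if __name__ == "__main__":
    print("no length, footer added:  ", check_body(RELAYED, BH_FULL))
    print("with length, footer added:", check_body(RELAYED, BH_LEN, SIGNED_LEN))
    rewritten = ORIGINAL.lower() + FOOTER  # list altered the signed part
    print("with length, body altered:", check_body(rewritten, BH_LEN, SIGNED_LEN))
```

The `unsigned_octets` count is the "chunk of unsigned trailing material" the reply refers to: the hash verifies, but nothing in the signature vouches for those bytes.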