From: "Peter Moylan" <ecs-isp@2rosenthals.com>
Received: from [192.168.100.201] (HELO mail.2rosenthals.com)
  by 2rosenthals.com (CommuniGate Pro SMTP 5.4.10)
  with ESMTP id 12900553 for ecs-isp@2rosenthals.com; Wed, 23 Apr 2025 20:18:24 -0400
Received: from secmgr-va.2rosenthals.com ([50.73.8.217]:33050 helo=mail2.2rosenthals.com)
	by mail.2rosenthals.com with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.97.1)
	(envelope-from <peter@pmoylan.org>)
	id 1u7kII-000000007Gj-1iwl
	for ecs-isp@2rosenthals.com;
	Wed, 23 Apr 2025 20:18:24 -0400
Received: from pmoylan.org ([144.6.37.71]:60485 helo=mail.pmoylan.org)
	by mail2.2rosenthals.com with esmtp (Exim 4.97.1)
	(envelope-from <peter@pmoylan.org>)
	id 1u7kIE-000000004jA-1el3
	for ecs-isp@2rosenthals.com;
	Wed, 23 Apr 2025 20:18:20 -0400
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_ENDS_IN_URL 0.000000,
	BODY_SIZE_1700_1799 0.000000, BODY_SIZE_2000_LESS 0.000000,
	BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
	CTE_7BIT 0.000000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
	HTML_00_01 0.050000, HTML_00_10 0.050000, IN_REP_TO 0.000000,
	KNOWN_MSGID 0.000000, LEGITIMATE_SIGNS 0.000000, MSG_THREAD 0.000000,
	NO_URI_HTTPS 0.000000, REFERENCES 0.000000, SENDER_NO_AUTH 0.000000,
	SINGLE_URI_IN_BODY 0.000000, SUSP_DH_NEG 0.000000, TO_IN_SUBJECT 0.500000,
	USER_AGENT 0.000000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
	__BOUNCE_CHALLENGE_SUBJ 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000,
	__COURIER_PHRASE 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000,
	__CTE 0.000000, __CT_TEXT_PLAIN 0.000000, __DKIM_ALIGNS_1 0.000000,
	__DKIM_ALIGNS_2 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000,
	__DQ_NEG_IP 0.000000, __FORWARDED_MSG 0.000000, __FUR_HEADER 0.000000,
	__FW_1LN_BOT_MSGID 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000,
	__HAS_REFERENCES 0.000000, __HEADER_ORDER_FROM 0.000000,
	__IN_REP_TO 0.000000, __MAIL_CHAIN 0.000000, __MIME_BOUND_CHARSET 0.000000,
	__MIME_TEXT_ONLY 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
	__MIME_VERSION 0.000000, __MOZILLA_MSGID 0.000000,
	__MOZILLA_USER_AGENT 0.000000, __NO_HTML_TAG_RAW 0.000000,
	__PHISH_SPEAR_SUBJ_SUBJECT 0.000000, __RCVD_FROM_DOMAIN 0.000000,
	__REFERENCES 0.000000, __SANE_MSGID 0.000000, __SCAN_D_NEG 0.000000,
	__SCAN_D_NEG2 0.000000, __SCAN_D_NEG_HEUR 0.000000,
	__SCAN_D_NEG_HEUR2 0.000000, __SINGLE_URI_TEXT 0.000000,
	__SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_NEGATE 0.000000,
	__SUBJ_REPLY 0.000000, __TO_IN_SUBJECT 0.000000, __TO_MALFORMED_2 0.000000,
	__TO_NAME 0.000000, __TO_NAME_DIFF_FROM_ACC 0.000000,
	__TO_REAL_NAMES 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000,
	__URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NS 0.000000,
	__URI_WITHOUT_PATH 0.000000, __USER_AGENT 0.000000
X-SASI-Probability: 9%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 5.1.4, AntispamData: 2025.4.23.232728
X-SASI-Hits: BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_ENDS_IN_URL 0.000000,
	BODY_SIZE_1700_1799 0.000000, BODY_SIZE_2000_LESS 0.000000,
	BODY_SIZE_5000_LESS 0.000000, BODY_SIZE_7000_LESS 0.000000,
	CTE_7BIT 0.000000, DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
	HTML_00_01 0.050000, HTML_00_10 0.050000, IN_REP_TO 0.000000,
	KNOWN_MSGID 0.000000, LEGITIMATE_SIGNS 0.000000, MSG_THREAD 0.000000,
	NO_URI_HTTPS 0.000000, REFERENCES 0.000000, SENDER_NO_AUTH 0.000000,
	SINGLE_URI_IN_BODY 0.000000, SUSP_DH_NEG 0.000000, TO_IN_SUBJECT 0.500000,
	USER_AGENT 0.000000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
	__BOUNCE_CHALLENGE_SUBJ 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000,
	__COURIER_PHRASE 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000,
	__CTE 0.000000, __CT_TEXT_PLAIN 0.000000, __DKIM_ALIGNS_1 0.000000,
	__DKIM_ALIGNS_2 0.000000, __DQ_NEG_DOMAIN 0.000000, __DQ_NEG_HEUR 0.000000,
	__DQ_NEG_IP 0.000000, __FORWARDED_MSG 0.000000, __FUR_HEADER 0.000000,
	__FW_1LN_BOT_MSGID 0.000000, __HAS_FROM 0.000000, __HAS_MSGID 0.000000,
	__HAS_REFERENCES 0.000000, __HEADER_ORDER_FROM 0.000000,
	__IN_REP_TO 0.000000, __MAIL_CHAIN 0.000000, __MIME_BOUND_CHARSET 0.000000,
	__MIME_TEXT_ONLY 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
	__MIME_VERSION 0.000000, __MOZILLA_MSGID 0.000000,
	__MOZILLA_USER_AGENT 0.000000, __NO_HTML_TAG_RAW 0.000000,
	__PHISH_SPEAR_SUBJ_SUBJECT 0.000000, __RCVD_FROM_DOMAIN 0.000000,
	__REFERENCES 0.000000, __SANE_MSGID 0.000000, __SCAN_D_NEG 0.000000,
	__SCAN_D_NEG2 0.000000, __SCAN_D_NEG_HEUR 0.000000,
	__SCAN_D_NEG_HEUR2 0.000000, __SINGLE_URI_TEXT 0.000000,
	__SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_NEGATE 0.000000,
	__SUBJ_REPLY 0.000000, __TO_IN_SUBJECT 0.000000, __TO_MALFORMED_2 0.000000,
	__TO_NAME 0.000000, __TO_NAME_DIFF_FROM_ACC 0.000000,
	__TO_REAL_NAMES 0.000000, __URI_IN_BODY 0.000000, __URI_MAILTO 0.000000,
	__URI_NOT_IMG 0.000000, __URI_NO_PATH 0.000000, __URI_NS 0.000000,
	__URI_WITHOUT_PATH 0.000000, __USER_AGENT 0.000000
X-SASI-Probability: 9%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 5.1.4, AntispamData: 2025.4.23.234228
DKIM-Signature: v=1; q=dns/txt; a=rsa-sha256; c=relaxed/relaxed; s=default;
 d=pmoylan.org;
 bh=VqznTeSjeRtbLf3PABqdkwc2SMqgepQu2BwGkdeCZsw=;
 h=From:To:Date:Message-ID;
 b=VvhxxFQDLc9KKolHd0doJUZvtlyOL9gCjJdavr5fxpFT7SCpTEyaZz07pdTiuPFCjlcwz
 muU7W1leqwEv5/5ArtFLN9gmNE2J6N7C3gDr95AgAK/q68k1dB3wxjdWSufZvBYi7o0XKev
 CsZAr/ArtiiLvnAgO3Js9EmHmQuVVlA=
Received: from [192.168.20.3] (peter.pmoylan.org [192.168.20.3]) by 
 mail.pmoylan.org (Weasel v3.03) for <ecs-isp@2rosenthals.com>; 
 Thu, 24 Apr 2025 10:18:11 +1000
Subject: Re: [eCS-ISP] Trouble getting mail delivered to Office365
 (outlook.com), ProofPoint, and Barracuda protected domains
To: eCS ISP Mailing List <ecs-isp@2rosenthals.com>
References: <list-12871091@2rosenthals.com> <list-12871141@2rosenthals.com>
 <list-12871153@2rosenthals.com> <list-12871188@2rosenthals.com>
 <list-12900053@2rosenthals.com>
Message-ID: <68098342.3020906@pmoylan.org>
Date: Thu, 24 Apr 2025 10:18:10 +1000
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101
 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <list-12900053@2rosenthals.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

On 24/04/25 03:19, Lewis G Rosenthal wrote:
>
> On a lark, I tightened the DKIM policy from none to reject, and added
> a 50% limiter (pct=50). To avoid duplicating the DKIM header, I have
>  turned off the smarthost configuration, and am only sending through
> the firewall local to the mail server.

I was going to suggest avoiding having two DKIM headers. Although the
DKIM standard does allow for this possibility, we don't know much about
how well DKIM checkers handle this case.

Running mailing lists is always a little risky, because some receiving
servers like to reject mailing list mail. Your other mail headers look
pretty safe to me, though, so I doubt that this is a problem in the
present case.

The big problem, I suspect, is that some big mail services might be
adopting a "silently reject" policy, simply discarding mail they don't
like instead of returning a failure reply. My choir uses a Yahoo mail
account (against my advice), and a problem we had was that messages to
all members went only to some members, and we were never notified about
the failures. I'm no longer on the choir organising committee, so I
don't know whether they are still doing it.

Your pct=50 change applies only to incoming mail, so shouldn't be
relevant. However, that reminded me of a problem with outgoing mail to
multiple recipients. The SMTP standard says that every mail server must
be able to handle up to 100 recipients for a single message, but I've
found that some servers don't respect that and that the batch size has
to be limited to 50 or even further. On the other hand I suspect that
that "batch" issue only arises inside your own system, so maybe it's not
a problem.

-- 
Peter Moylan                  peter@pmoylan.org
http://www.pmoylan.org