==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.2 PGSQL
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: RHEL 8.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  PGSQL
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? Y
====

Looking at headers for a different reason, and noticed that emails sent to mlmmj are coming back with a dkim failure that the message has been altered.

customheaders shows:

Precedence: bulk
List-Id: <testml@cnf.cornell.edu>
List-Post: <mailto:testml@cnf.cornell.edu>
List-Subscribe: <mailto:testml+subscribe@cnf.cornell.edu?subject=Subscribe>
List-Unsubscribe: <mailto:testml+unsubscribe@cnf.cornell.edu?subject=Unsubscribe>

(I think iredadmin created that)

Headers:

Authentication-Results: spf=pass (sender IP is 128.253.198.225)
smtp.mailfrom=cnf.cornell.edu; dkim=pass (signature was verified)
header.d=cnf.cornell.edu;dkim=fail (signature did not verify)
header.d=cornell.edu;dmarc=pass action=none
header.from=cornell.edu;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of cnf.cornell.edu
designates 128.253.198.225 as permitted sender)
receiver=protection.outlook.com; client-ip=128.253.198.225;
helo=package.cnf.cornell.edu; pr=C
Received: from package.cnf.cornell.edu (128.253.198.225) by
SJ5PEPF000001EC.mail.protection.outlook.com (10.167.242.200) with Microsoft
SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.9253.7
via Frontend Transport; Wed, 29 Oct 2025 21:07:22 +0000
Received: from package.cnf.cornell.edu (localhost [127.0.0.1])
    by package.cnf.cornell.edu (Postfix) with ESMTP id 4cxfvY206szxvR
    for <dwb7@cornell.edu>; Wed, 29 Oct 2025 17:07:21 -0400 (EDT)
Authentication-Results-Original: package.cnf.cornell.edu (amavis); dkim=pass
(2048-bit key) reason="pass (just generated, assumed good)"
header.d=cnf.cornell.edu
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cnf.cornell.edu;
     h=mime-version:list-unsubscribe:list-subscribe:list-post
    :list-id:precedence:content-disposition:content-type:message-id
    :subject:to:from:date; s=dkim; t=1761772040; x=1764364041; bh=iG
    /t9rimo8iYNnEa2AikfuTZufUlOzTu3feEGbAFnuw=; b=j8DB1KelMEhMeygNsF
    1J7MgNoni9LHEI5whyuNbXoSJUyoWziy99ScmiIS/+ICcCUXq8/lIXRLAAzjTu79
    LBpiExnFlvsAHQosR083owB+7GtEfuQH0voBXo9DxWswNlugMX0eKgtODcHoYL9v
    HM6Sa5Og+7+wTj1740MvDm15hUcQiAH0E/Fqpyu2I3AtHMseXv6qf/GEvnjXVMGU
    xr2X4BcKi7afOS77IOqkTjfqwfZaCvm6YQffmvXtLlbipE5uqVPyT7u2xXsze8f3
    gWSs1CrC+UtwMsSjFJruZkMi9ivEzM/OZlblwjCzWsqbUaD5Z7e+jcGe8vKfQIPQ
    XAoA==
Authentication-Results-Original: package.cnf.cornell.edu (amavis); dkim=fail
(1024-bit key) reason="fail (message has been altered)" header.d=cornell.edu
Received: from package.cnf.cornell.edu ([127.0.0.1])
by package.cnf.cornell.edu (package.cnf.cornell.edu [127.0.0.1]) (amavis, port 10027)
with ESMTP id 1oxkEDQXqVGt for <dwb7@cornell.edu>;
Wed, 29 Oct 2025 17:07:20 -0400 (EDT)
Received: from package.cnf.cornell.edu (localhost [127.0.0.1])
    by package.cnf.cornell.edu (Postfix) with ESMTP id 4cxfvX2ZrPzxvR
    for <testml@cnf.cornell.edu>; Wed, 29 Oct 2025 17:07:20 -0400 (EDT)
X-Virus-Scanned: amavis at package.cnf.cornell.edu
Received: from package.cnf.cornell.edu ([127.0.0.1])
by package.cnf.cornell.edu (package.cnf.cornell.edu [127.0.0.1]) (amavis, port 10024)
with ESMTP id T6d7fj2pQQpi for <testml@cnf.cornell.edu>;
Wed, 29 Oct 2025 17:07:19 -0400 (EDT)
Received: from BYAPR08CU003.outbound.protection.outlook.com (mail-byapr08cu00301.outbound.protection.outlook.com [40.93.1.105])
    by package.cnf.cornell.edu (Postfix) with ESMTPS id 4cxfvW2hDMzxvM
    for <testml@cnf.cornell.edu>; Wed, 29 Oct 2025 17:07:19 -0400 (EDT)

It looks like DKIM fails, then it gets resigned, and that initial dkim failure is noticed "up the chain"