MIAB is failing DMARC for sub-domain mail

I run phplist on a separate server: list.shiftinglight, all mail is sent through MIAB on mx1.shiftinglight. Dmarc fails on mails where the return path is no-reply at shiftinglight (for bounces) where the originating box is list.shiftinglight, could someone explain why that is happening? Any help appreciated header below from a test sent to no-reply (coms and @s replaced as I can’t post more than two links) (ps. Mail sent on through the mx1 does pass everything but still carries this little line of Dmarc fail from when it was received by MIAB)

Received: from mx1.shiftinglightdotcom ([])
by mx1.shiftinglight.xxx (Dovecot) with LMTP id y0hfD+oWkluHaAAAqrHpyw
for ; Fri, 07 Sep 2018 08:12:58 +0200
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
autolearn=no autolearn_force=no version=3.4.0
* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author’s
* domain
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 2.2 HTML_TITLE_SUBJ_DIFF No description available.
X-Spam-Score: 1.1
Received: from list.shiftinglightdotcom (list.shiftinglightdotcom [])
(using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
(No client certificate requested)
by mx1.shiftinglightdotcom (Postfix) with ESMTPSA id 16B0521614
for ; Fri, 7 Sep 2018 08:12:58 +0200 (CEST)
Authentication-Results: mx1.shiftinglight.com; dmarc=fail header.from=shiftinglightdotcom
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=shiftinglightdotcom;
s=mail; t=1536300778;
Received: from www-data by list.shiftinglightdotcom with local (Exim 4.82)
(envelope-from no-reply@shiftinglightdotcom)
id 1fyA02-0005Ta-Ja
for no-reply@shiftinglightdotcom; Fri, 07 Sep 2018 02:12:10 -0400

For what it’s worth:

I have no problem with my main mail address, the problem seems to be with the sub-domain, I’m not sure if it’s something I’m doing (or not doing). Is it that the server is list.shiftinglight but the return and from are shiftinglight? Aha moment, the sub-domain is signing dkim with another selector no longer in DNS will check

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.