Ok, but a hint in the docs that this is an issue would be great. Would probably save others lots of time.
Salut Carlos, sorry for my very late reply.
In /etc/opendkim.conf, SignHeaders must include List-Unsubscribe and List-Unsubscribe-Post, otherwise they won’t be signed and authenticity not proved.
As simple as that.
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
SignHeaders From,To,List-Unsubscribe,List-Unsubscribe-Post
OversignHeaders From