Hope I'm not going too off-topic here (Yahoo Groups, AOL reject domains, postfix hack). Firstly thanks to Mark and everyone who's been thinking around the DMARC p=reject problem, developing workarounds, talking to IETF and also Yahoo and AOL to try to keep email working reliably.

On 09/05/14 22:50, Mark Sapiro wrote:

I finally got around to testing this.

Note that the situation changed the day before you did the test. There is an announcement dated 8 May here: <http://yahoogroups.tumblr.com/post/85163779041/dmarc-related-changes-in-yaho...> "Following the recent changes in Yahoo DMARC policy to protect users from email spam, we’ve made changes to how Yahoo Groups sends mails to members’ inboxes. ... With these changes we are addressing deliverability issues due to DMARC adoption by mail service providers."

Previously it seems aol.com addresses were causing problems for Yahoo groups, for example <https://answers.yahoo.com/question/index?qid=20140506105019AADVtNA>. Also BTW AOL has published p=reject on two other domains: $ dig +short txt _dmarc.aim.com "v=DMARC1\; p=reject\; pct=100\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;" $ dig +short txt _dmarc.cs.com "v=DMARC1\; p=reject\; pct=100\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;"

So far I only know of yahoo.com, aol.com, aim.com and cs.com that have become unusable with standard lists.

I posted three times to my test Yahoo group from 'Mark Sapiro <my_aol_address@aol.com>'. One post with the group set to send replies to the group and one post with the group set to send replies to the sender and one post with the group set to send replies to the sender and the group.

In all cases, the posts were sent with

From: "Mark Sapiro my_aol_address@aol.com [my_yahoo_groupname]" <my_yahoo_groupname@yahoogroups.com>

Also note that this new rewriting by Yahoo groups applies to all From addresses, not just AOL.com. In itself, I've reservations about using the group posting address. What if (for example) Reply-To is not honoured... (see below). Plus adding the address to the real name is confusing.

Our listserv is stuck with Debian stable (2.1.15), so I implemented From rewriting in Postfix. (In case any Postfix postmaster is interested, a simple way is creating a cleanup daemon which does header_checks using a REPLACE rule on the From: line, then applying -o cleanup_service_name to the smtpd daemon that receives email back from Mailman.)

Anyway, rather than the list address masquerading as the sender's real name, I thought it best to raise awareness that there's a problem with the yahoo.com/aol.com address in the From line, so make it very clear at the start of the real name, and change the address to an auto-responder with a description of the problem.

/^From: (.+)\@(aol|cs|aim|yahoo)\.com($|>.*| .*)/ REPLACE From: (broken-address) $1@$2-is-broken.[a domain under my control]$3

Mailman adds a Reply-To, so other than the RFCs, IMHO it's not that important what the actual address in the From line is, although it should preserve the original. So far I've not had complaints from list owners about the real name rewriting with prefixing the literal "[broken-address]", but maybe it should be shorter and less ugly. It still needs to be prominent, as most users might otherwise not get the fact that the From address is not the address of the sender and they shouldn't add it to their address book. Like Dave Nathanson, I don't like "via".

In the first case (replies to group), there was

Reply-To: <my_yahoo_groupname@yahoogroups.com>

in the post from the group. This seems correct, and my actual address was in the display name portion of From:

In the second case, there was no Reply-To: in the message meaning a simple 'reply' was addressed to the From: address which I suppose is fairly easy to edit to go to me, but without editing, 'reply' goes to the group which is wrong.

This is clearly a bug, as it doesn't follow the announcement 'When replying to a Group message, Group “Reply-To” settings of the Group will continue to be honored on the Reply compose screen on the web and in your email service.'

Has caused a Yahoo list owners to complain starting 16 hours ago <https://answers.yahoo.com/dir/index?sid=396546285>. Among other things, it increases list traffic, presents privacy problems, and can get a list address automatically added to a users' address book under the wrong name. Doesn't really inspire confidence in Yahoo, I'm afraid.

In the third (reply to both) case there is a

Reply-To: my_yahoo_groupname@yahoogroups.com,Mark Sapiro <my_aol_address@aol.com>

which is correct.

So the bottom line is Yahoo groups does From: header munging when necessary because of DMARC policies on the From: domain and they manage Reply-To: well in two cases out of three.

2 out of 3 is quite bad if it's *your* Yahoo list that's supposed to be set to Reply-To sender. Another weird thing I've seen is occasional email From @aol.com that wasn't DKIM signed, which breaks forwarding because it doesn't pass SPF either. Meanwhile, I don't see DMARC having an impact on phishing, at least not one that phishers can't easily adapt to.

DMARC.org links to http://blog.threadable.com/how-threadable-solved-the-dmarc-problem which says "Was this the right thing for Yahoo to do? Not a chance. A restricted DMARC policy makes sense for domains on which phishing is a serious risk, and *who are not also email service providers*. Because lists tend to unsubscribe addresses that generate bounces, Yahoo is not only breaking email for their own customers, but for everyone else."

I'm still hoping Yahoo and AOL aren't waiting to save face to reverse their policy. I do wonder if some major list provider or owner might sue them for causing them to lose lots of list subscribers.

All best wishes

CK