Mailman's solution to DMARC makes List-Id useless

Hi,
I'm on a mailing list that recently switched the mailman DMARC setting to "Munge from". IMO, the munging of the From: line is fine as far as I'm concerned and I see how that fixes the DMARC problem.
However, what is really annoying is that it takes the original From: line and puts it on the Reply-To: line and there's no way to turn this off.
I can't seem to find any explanation of why anyone thinks this is a good idea. Maybe someone here can explain it to me.
Below is why I think it's a bad idea. Why can't we encode the original email address in a comment or quoted token on the From: line instead of jamming it onto Reply-To?
This is how I'm seeing mailing list messages now:

    To: Hal Finkel <hfinkel@anl.gov>
    cc: cfe-dev@lists.llvm.org,
        Commit Messages and Patches for LLVM <llvm-commits@lists.llvm.org>
    From: Lang Hames via cfe-dev <cfe-dev@lists.llvm.org>
    Reply-To: Lang Hames <lhames@gmail.com>

The reply-to is going to the sender instead of the list, which is making people cc the mailing list in order to get things to go back to the list. From what I read of DMARC, it's the munging of the From: line that is needed in order to have messages pass the DMARC checks. To me this makes sense -- the mailing list domain is sending the message to the list and the appropriate domain checks need to be made against the mailing list's domain, not the original author of the mailing list message.
What I'm not understanding is how DMARC is mandating that Reply-To: go back to the original author, and not the mailing list, as is the usual convention: public conversations from a mailing list cycle back to the mailing list by default and only fork into a private conversation when specifically requested.
What's happening now is that people are doing "reply to all" in order to get the mailing list included, which makes *me* the recipient of their reply and the mailing list cc'ed. Then the mailing list software notices that the message was sent *to* an address already on the mailing list, so it doesn't send me a second copy of the message.
This means that every time someone replies to my messages on the mailing list, and all subsequent replies in the thread because everyone else will do reply-to-all as well, I'll be getting all these private messages that are actually copies of the public messages but I won't be getting the public messages.
This makes the entire List-Id field useless because none of these replies to threads in which I participate will come back to me through the mailing list, but instead as private copies of public messages sent to the mailing list. As a result, it basically screws up all mailing list filtering -- which was the whole point of the list-id field.
"The Direct3D Graphics Pipeline" free book <http://tinyurl.com/d3d-pipeline> The Computer Graphics Museum <http://ComputerGraphicsMuseum.org> The Terminals Wiki <http://terminals.classiccmp.org> Legalize Adulthood! (my blog) <http://LegalizeAdulthood.wordpress.com>

On 08/20/2015 10:13 AM, Richard wrote:
It is there to make a "reply" and "reply-all" actions on posts with munged From: be as consistent as possible with the same action on a non-munged post, and to expose the poster's address in a header which is normally displayed by MUAs.
And without munging, the same post would be
<llvm-commits@lists.llvm.org>
From: Lang Hames <lhames@gmail.com>
and reply would still go to the sender in From:
And if you used dmarc_moderation_action instead of from_is_list to munge the from, only posts From: domains which publish DMARC reject (or optionally, quarantine) policies would be munged. The policy for gmail.com is 'none'.
If you want this behavior, set the list's reply_goes_to_list to "This list", then with current Mailman, the above becomes
<llvm-commits@lists.llvm.org>,
Whether or not to munge Reply-To: to the list address is controversial and has been argued and flamed multiple times for years. See <http://marc.merlins.org/netrants/listreplyto.html>.
-- Mark Sapiro <mark@msapiro.net> The highway is for gamblers, San Francisco Bay Area, California better use your sense - B. Dylan

Richard writes:
Because that makes it very inconvenient to reply to author. On some lists, that's a crucial feature. For example, blind people require excessive effort for cutting and pasting, but typically have access to features that make selectively including addresses already present in the headers very simple. So it *must* be at least an option to include the author as a real address in From or Reply-To, and I believe it should be the default (see below).
Actually, what happens is that the message *fails* the DMARC checks in such a way that DMARC specifies the failure should be ignored, and the message handled as though DMARC didn't even exist.
That's not a tenable interpretation. There is a header for the purpose of identifying the sender in your sense, its name is "Sender", and the designers of DMARC deliberately rejected its use for this purpose (for good reason).
As a pragmatic matter, mailing list domains rarely even have a _dmarc DNS record, so such checks cannot be made effectively.
In any case, "From" is *defined* by RFC 5322 to be the *content author*'s address for various purposes (such as identification and reply). It is also the preferred address for automatic reply to author unless Reply-To is set. The designers of Internet mail made these decisions based on hard thought and long practical experience because they make it possible for an MUA to handle both the common cases and the edge cases smoothly.
The email RFCs do not envision *anybody but the original sender* setting the From header, so one can't say anything with authority, but my take is that if you insist on breaking the From header, you should put the author in Reply-To so that receiving MUAs can find her address and automatically reply to it.
What I'm not understanding is how DMARC is mandating that Reply-To: go back to the original author,
It doesn't. It's the basic Internet message standard (currently RFC 5322) that governs From and Reply-To. As Mark explained, Mailman's current behavior when From-munging is a delicate balancing act to preserve as much of the "normal" operation of MUAs as possible without triggering DMARC rejects.
DMARC p=reject gives list admins an unpleasant choice: (1) violate the mail standards and suffer various degradations of service because others in the mail system assume conformance (eg, your "wrong duplicate" problem), (2) tell your p=reject users that their posts are going to be rejected or discarded by many subscribers, or (3) stop decorating posts with [List] tags or material prefixed and affixed to the message body (so that the originator's DKIM signature will remain valid and the DMARC checks will pass).
N.B. The tech staff from Yahoo! and AOL have acknowledged (on the ietf-dmarc mailing list) that their employers are knowingly breaking mailing lists (and other services) to address their security fiascos. The designers of DMARC have always maintained that the Yahoo!/AOL use case is abusive -- DMARC was designed to protect official mail to customers sent on behalf of corporations by their employees, not the general use mail of users with addresses at freemail providers. In other words, mailing lists just shouldn't receive mail from p=reject domains, ever. No problem -- until Yahoo! and AOL decided to *create* one.
IMO, given those facts, posting from a Yahoo! or AOL address is just plain rude. (I can and do get away with banning their posts. I wish everybody could do that.)
The "usual convention" (of munging Reply-To) violates the mail RFCs and breaks interoperability, and should be entirely unnecessary now that we've had List-Post for more than a decade. Consider an MUA whose default reply function looks in Reply-To first, then in List-Post, then in From. Why doesn't everybody's do that? It's trivial to implement. :-(
As Mark points out, the first thing to do is to make sure you set dmarc_moderation_action, not from_is_list. Then only Yahoo! and AOL posters are likely to cause pain. Hopefully they are few....
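
The policy-dependent From munging and the Reply-To / List-Post / From reply order discussed in the messages above, as an added example that is not part of the thread and is not Mailman's code. The domains, list name, DMARC records and all function names are constructed for illustration; the DNS lookup is replaced by a dictionary so the code runs offline.

```python
from email.message import EmailMessage
from email.utils import parseaddr, formataddr

# Constructed DMARC TXT records standing in for DNS lookups at _dmarc.<domain>.
DMARC_RECORDS = {
    "strict.example": "v=DMARC1; p=reject",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if it has none."""
    record = DMARC_RECORDS.get(domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def munge_if_needed(msg, list_name, list_addr):
    """Rewrite From only for p=reject author domains; the author moves to Reply-To."""
    name, addr = parseaddr(str(msg["From"]))
    if dmarc_policy(addr.rpartition("@")[2].lower()) != "reject":
        return False
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    if "Reply-To" not in msg:  # keep a Reply-To the author set themselves
        msg["Reply-To"] = formataddr((name, addr))
    return True

def reply_target(msg):
    """Default reply address: Reply-To first, then List-Post, then From."""
    if msg["Reply-To"]:
        return parseaddr(str(msg["Reply-To"]))[1]
    post = str(msg["List-Post"] or "")
    if post.startswith("<mailto:"):
        return post[len("<mailto:"):].split(">")[0].split("?")[0]
    return parseaddr(str(msg["From"]))[1]

def list_post(author, list_name="demo-list", list_addr="demo-list@lists.example"):
    """Build a constructed post as the list would distribute it."""
    msg = EmailMessage()
    msg["From"] = author
    msg["To"] = list_addr
    msg["List-Id"] = f"<{list_name}.lists.example>"
    msg["List-Post"] = f"<mailto:{list_addr}>"
    return msg, munge_if_needed(msg, list_name, list_addr)
```

With this reply order, a post from a p=none domain is answered to the list via List-Post, while a munged post from a p=reject domain is answered to the author via Reply-To.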

participants (3): Mark Sapiro, Richard, Stephen J. Turnbull