[Mailman-Developers] Camera-ready option to mitigate DMARC issues

Mark Sapiro mark at msapiro.net
Sat Nov 5 14:51:13 EDT 2016

On 11/05/2016 04:11 AM, Alessandro Vesely wrote:
> The idea is to add a footer only in case it is not present, similar to
> what is done with subject_prefix.  By properly setting both of them, a
> sender can submit what can be called a camera-ready post.  Since no
> change applies, no DKIM signature breaks.  Hence,
> dmarc_moderation_action is not needed for such posts.  It is not even
> necessary to check author's domain policy.

Mailman could conceivably keep track of whether it has changed any
headers or anything in the body of the post, but it's more complicated
than that. The first big problem is the Munge From or Wrap Message
transformations are applied before any msg_header or msg_footer is added
(or maybe added).

I.e. in both MM 2.1 and MM 3, the DMARC mitigations are applied in the
incoming handler pipeline before the message is queued for delivery
processing. Various decorations such as adding msg_header and msg_footer
and modifying To: depend on "personalization" and have to be done by
delivery processing on a per-recipient basis. In fact, the "camera
ready" notion can't apply to any post that is going to be personalized
in any way. This in itself would limit the usefulness.

It would be more feasible to do this by the poster adding a
"X-Camera-Ready:" header to the post saying don't transform my message,
but this is unacceptable as it would bypass content filtering,
personalization and various other things.

> I'm not familiar with Mailman administration, so I ask your opinion. 
> How long would it take to code this option?

How many angels can dance on the head of a pin?

> How useful would it be?

In my opinion, certainly not enough to justify the effort in trying and
the inevitable bug reports that would follow from all the edge cases.

> Camera-ready posts would be created by hands, by cleverly configuring
> some email client, or by using purposely written add-ons.  They could
> also be done by MSAs who care about the damage they cause by publishing
> p=reject --the process can certainly be standardized and automated.

How does the sender's automated process even know what msg_header and
msg_footer will be added by the list?

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Developers mailing list