[Mailman-Users] DMARC and From header munging

Lindsay Haisley fmouse at fmp.com
Thu Apr 17 20:50:37 CEST 2014


On Thu, 2014-04-17 at 11:29 -0700, Mark Sapiro wrote:
> On 04/17/2014 11:01 AM, Lindsay Haisley wrote:
> > It occurred to me that one possible variation on From: header munging
> > which wouldn't break any applications depending on this being an actual,
> > working address for a post's author, while still passing DMARC
> > authentication, would be for Mailman to change the From: address to a
> > VERP-like address with the author's address encapsulated within an
> > address @ the list server.  Any mail received by the list server for
> > this address would have its address parsed by Mailman and be redirected
> > to the original author's real email address.  Would this pass RFC
> > compliance?
> 
> 
> It would probably be RFC compliant as long as the from address reliably
> worked to send to the author, but there are other problems.
> 
> The first that comes to mind is suppose a yahoo.com user replies to a
> post originally From: another yahoo.com user. There may be DMARC issues
> with the delivery of this reply from the Mailman server to the original
> poster.
> 
> Maybe not because the forwarding of the reply is a pass-through that
> *probably* won't break a DKIM signature.

Well, it does come up against the long-standing issue with SPF regarding
email redirection, and if an email doesn't come from a mail server
supporting DKIM, then there would be an issue in this case.

> But then what if the original poster had included a Reply-To: to an
> alternate address. This might result in a reply going to the original
> From: instead of the original Reply-To:.

This is, as I understand it, a MUA issue.  Doesn't a reply _always_ go
to a Reply-To: address by default?  I don't see how munging of the From:
address could affect this behavior.

> This implies that the "verp like" encoding should mangle things like
> "example.com" so they don't look like domain names which could make them
> difficult to parse.

I'm already using AES encryption/decryption in Mailman to put the
recipient address into the Resent-Message-ID: header in a form that
AOL's brain-dead TOS report system can't redact.  This is the same kind
of problem.  Mangling wouldn't even have to be that sophisticated.
ROT13 would probably do.

-- 
Lindsay Haisley       | "Everything works if you let it"
FMP Computer Services |
512-259-1190          |          --- The Roadie
http://www.fmp.com    |
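
A sketch of the VERP-like From: encoding discussed in this thread, as an added example (not Mailman code and not from either poster). In place of ROT13 or AES it uses base32 plus a truncated HMAC, so the list server forwards only for addresses it generated itself; the list domain, secret, `author-` prefix and function names are assumptions.

```python
import base64
import hashlib
import hmac

LIST_DOMAIN = "lists.example.org"  # assumed list server domain
SECRET = b"constructed-demo-key"   # assumed per-site secret
PREFIX = "author"                  # hypothetical local-part marker
TAG_LEN = 8                        # base32 characters of the HMAC kept
MAX_LOCAL = 64                     # local-part limit in RFC 5321


def _b32(data):
    # Base32 has no "." or "@", so the payload never looks like a domain.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _tag(payload):
    mac = hmac.new(SECRET, payload.encode("ascii"), hashlib.sha256).digest()
    return _b32(mac)[:TAG_LEN]


def munge_from(author):
    """Return the list-server address that stands in for the author."""
    payload = _b32(author.encode("utf-8"))
    local = f"{PREFIX}-{payload}-{_tag(payload)}"
    if len(local) > MAX_LOCAL:
        raise ValueError("encoded address exceeds the 64-octet local part")
    return f"{local}@{LIST_DOMAIN}"


def recover_author(rcpt):
    """Return the author's real address, or None if rcpt is not ours."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.lower().split("-")  # base32 is case-insensitive
    if (domain.lower() != LIST_DOMAIN or not local.isascii()
            or len(parts) != 3 or parts[0] != PREFIX):
        return None
    payload, tag = parts[1], parts[2]
    if not hmac.compare_digest(tag, _tag(payload)):
        return None  # forged or corrupted: do not forward
    try:
        padded = payload.upper() + "=" * (-len(payload) % 8)
        return base64.b32decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
```

The 64-octet local-part limit leaves room for author addresses of at most 30 bytes in this layout, so longer addresses need a lookup table or a shorter encoding.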


