[Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

Stephen J. Turnbull stephen at xemacs.org
Sat May 10 05:16:49 CEST 2014

Richard Damon writes:
 > On 5/9/14, 10:13 PM, John Levine wrote:

 > > The correct response is either for senders to stop publishing DMARC
 > > policies that don't match the way their users use mail (fat chance),
 > > or for recipient systems to skip the DMARC checks on mail from sources
 > > that are known to send mail that recipients want but that doesn't
 > > match DMARC's narrow authentication model, e.g., mailing lists and the
 > > Wall Street Journal's mail-an-article button.

GMail is already doing this, although we don't know the algorithm
precisely.  If GMail continues and others join, ostracism of providers
who continue to use inflexible bouncing policies instead of smart
filters becomes more plausible.

I know that's not satisfactory for people whose lists are populated by
AOL and Yahoo users, but I don't know what to say to them.  Their
users are DoS'ing their mailing lists with their addresses, even if
they don't know it.

 > But the wrapped message could pass the DMARC DKIM signature check, if it
 > will exactly matchs the message that came from Yahoo/AOL. (which the
 > phish won't). This says that the List Headers, modified subject, list
 > headers and footers should be added to the wrapping message, not the
 > wrapped message, which also says that the MUA shouldn't throw this away,
 > but combine these with the original message (but in a way that makes it
 > clear which is which).

Sure (and that is what I intended when I suggested wrapping in the
first place), but (a) MUAs don't support DMARC yet, and all the signs
say that the yahoos will deliberately delay implementing MUAs that do,
and (b) many MUAs don't support wrapped messages well at all.

As John put it,

 >> Failing that, all we have left is hacks, none of which are
 >> satisfactory.

We'll see how the on-going talks at the IETF go.  Some results should
be forthcoming "shortly" (that's hearsay, and I can't say any more
because that's exactly what I was told by a source close to the center
of the process).

More information about the Mailman-Users mailing list