On 12/14/14, 7:36 PM, Wietse Venema wrote:
Christian Rößner:
I found the answer and I fear there is no chance to solve this:
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1
It's the problem with DMARC. Nearly the same problem that I posted
some days ago. It's all about the RFC5322 from address. DMARC uses
this information and checks SPF and DKIM against this header field.
So it is not enough to have SPF passed; it also MUST have been
sent from an SPF-legitimated system.
DMARC "verifies" the From: header against SPF, DKIM or both, but
only a poorly-informed person would require that the From: address
*always* verifies with SPF.
It would be unreasonable to expect that mailing list managers replace
the From: address of mailing list postings to match the list server's
IP addresses.
Wietse
DMARC says that if a domain requests DMARC protection, then any message
that has an RFC5322 domain pointing to it must be verifiable as coming
from that domain; thus such an address can NOT use a 3rd party (like a
mailing list manager) to deliver a message for it without adding it to
SPF or giving it the DKIM signing keys.
Since DMARC was intended to protect "high value" emails, like from
something like a bank, this wouldn't normally be a problem. Effectively
emails from a DMARC protected domain shouldn't be used for non-official
communication, and any 3rd party service is presumably trusted so you
can make the needed arrangements. The problem is that YAHOO and AOL
have, via their DMARC settings, declared emails from their domain to be
this type of high value, and in effect that their users are not to use
3rd party distribution methods (but haven't told their users this).
Other mailing list systems have adopted some workarounds for this
problem. A common one is to "munge" the From: line to be the list
address (and set Reply-To: to the poster), or to wrap the message
in a wrapper that is from the list, with the message to be distributed
included as an attachment. (And some will just reject any message from a
domain that uses DMARC protection.)
The problem isn't really with DMARC; it is doing what it was intended to
do. The problem is the services misusing DMARC. It sounds like if
pushed, they will even admit that they are abusing it, but feel they
need to due to a lot of messages being forged as from them.
Yes, it is arguably a violation of the RFCs to rewrite the From:
address of a message going through a mailing list manager, but it is one
of the ways to handle the misuse of DMARC that has happened. It comes
down to a question of what are you willing to do to make things "work"
and who are you willing to make bear the brunt of problems.
--
Richard Damon
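The alignment rule the thread is arguing about, as an added Python example (not code from any of the posters or from a real DMARC implementation): it checks whether an SPF- or DKIM-authenticated domain aligns with the RFC5322.From domain, then runs the mailing-list failure and the From: munging workaround through it. The domains (`lists.example.org`), the policy values and the two-label organizational-domain approximation are assumptions.

```python
"""DMARC identifier alignment, as discussed in the thread above.

A message passes DMARC when at least one authenticated identifier
(SPF: the RFC5321.MailFrom domain; DKIM: the d= of a verified signature)
is aligned with the RFC5322.From domain. All inputs below are constructed.
"""
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: approximate the organizational domain with the last two
    # labels; a real evaluator consults the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # mode "s" (strict) requires an exact match, "r" (relaxed) the same
    # organizational domain. An empty auth_domain means that check failed.
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str                      # RFC5322.From domain DMARC protects
    spf_pass_domain: str = ""             # RFC5321.MailFrom domain if SPF passed
    dkim_pass_domains: tuple = ()         # d= of each DKIM signature that verified

def dmarc_result(res: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    spf_ok = aligned(res.spf_pass_domain, res.from_domain, aspf)
    dkim_ok = any(aligned(d, res.from_domain, adkim) for d in res.dkim_pass_domains)
    return spf_ok or dkim_ok

def disposition(passed: bool, policy: str) -> str:
    # policy is the p= tag of the From domain's DMARC record: none/quarantine/reject.
    return "deliver" if passed or policy == "none" else policy

# Constructed scenario: a yahoo.com user posts to a list at lists.example.org.
# The list server passes SPF for its own bounce domain and DKIM-signs as itself,
# but neither identifier aligns with the untouched yahoo.com From: header.
relayed = AuthResults("yahoo.com", "lists.example.org", ("lists.example.org",))
# From: munging workaround: the list rewrites From: to its own domain (and moves
# the poster to Reply-To:), so the same authenticated identifiers now align.
munged = AuthResults("lists.example.org", "lists.example.org", ("lists.example.org",))

if __name__ == "__main__":
    print(disposition(dmarc_result(relayed), "reject"))  # reject
    print(disposition(dmarc_result(munged), "reject"))   # deliver
```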