On Sun, December 14, 2014 20:05, Richard Damon wrote:

> DMARC says that if a domain requests DMARC protection then any message
> that has an RFC5322 domain pointing to it, must be verifiable as coming
> from that domain, thus such an address can NOT use a 3rd party (like a
> mailing list manager) to deliver a message for it without adding it to
> SPF or giving it the DKIM signing keys.
>
> Since DMARC was intended to protect "high value" emails, like from
> something like a bank, this wouldn't normally be a problem. Effectively
> emails from a DMARC protected domain shouldn't be used for non-official
> communication, and any 3rd party service is presumably trusted so you
> can make the needed arrangements. The problem is that YAHOO and AOL
> have, via their DMARC settings, declared emails from their domain to be
> this type of high value, and in effect that their users are not to use
> 3rd party distribution methods (but haven't told their users this).
>
> Other mailing list systems have adopted some workarounds for this
> problem, a common one is to "munge" the From: line to be the list
> address (and setting Reply-To: to the poster), or wrapping the message
> in a wrapper that is from the list, and the message to be distributed is
> included as an attachment. (And some will just reject any message from a
> domain that uses DMARC protection)
>
> The problem isn't really with DMARC, it is doing what it was intended to
> do, the problem is the services misusing DMARC. It sounds like if
> pushed, they will even admit that they are abusing it, but feel they
> need to due to a lot of messages being forged as from them.
>
> Yes, it is arguably a violation of the RFCs to rewrite the From:
> address of a message going through a mailing list manager, but it is one
> of the ways to handle the misuse of DMARC that has happened. It comes
> down to a question of what are you willing to do to make things "work"
> and who are you willing to make bear the brunt of problems.
>

DMARC was forced upon the IETF by the big mail hosting companies.  The reason
that the FROM header is checked instead of the SENDER is because the FROM is
what virtually all MUAs display to the end user; and that is what the mail
hosting companies want verified.  Banks and other 'high value' email sources
are red herrings.  They could care less.  Nothing of any import is ever sent
by email from a bank; or by anyone else that has any sense (PGP/GPG/SMIME
users excepted, maybe).

DMARC is doing exactly what was expected of it by the people pushing-for /
forcing its adoption.  It is also breaking every mailing list manager exactly
as was predicted.  Mailman MLM has since had a mod made to rewrite the from
and set a few other switches to handle SPF.

As for it being a violation of RFCs to rewrite the FROM header one has to
consider what the source really is for any message coming through a mailing
list forwarder.  If all the messages sent through a MLM over some period are
digested and sent as one message then what should the from id be?  If the from
id for all the messages sent through a mailing list as a single digest is the
MLM itself then why should the same messages sent through the same list
individually be treated differently?

The role of an MLM is really no different than if you or I forwarded a message
we received on to a third party.  Who is the FROM id in that case?  Arguably,
most MLMs have been doing it wrong since the beginning and DMARC is just
highlighting the logical inconsistencies and contradictions in prevalent MLM
practice.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
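
The From: rewriting workaround discussed in this thread (From: becomes the list address, Reply-To: the poster), as an added example that is not part of the original message and not any mailing list manager's own code. The policy table stands in for a DNS TXT lookup of `_dmarc.<domain>`; all domains, addresses and function names are constructed, and only exact-domain matches and the `p=` tag are handled.

```python
from email import message_from_string
from email.utils import parseaddr, formataddr

# Constructed policy table standing in for a DNS TXT lookup of _dmarc.<domain>.
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain, records=SAMPLE_DMARC):
    """Return the p= tag of the domain's DMARC record, or None if absent."""
    record = records.get(domain.lower())
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    for tag in record.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "p":
            return value.strip().lower()
    return None

def munge_from(msg, list_addr, list_name):
    """Rewrite From: to the list when the poster's domain would fail DMARC."""
    display, poster = parseaddr(msg.get("From", ""))
    domain = poster.rpartition("@")[2]
    if dmarc_policy(domain) not in ("reject", "quarantine"):
        return False  # policy absent or p=none: deliver unchanged
    del msg["From"]
    msg["From"] = formataddr((f"{display or poster} via {list_name}", list_addr))
    # Keep the poster reachable; preserve any Reply-To they set themselves.
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((display, poster))
    return True

def demo(sender="Alice <alice@strict.example>"):
    # Constructed sample message posted to a hypothetical list.
    raw = (f"From: {sender}\n"
           "To: users@lists.example\n"
           "Subject: test\n\nbody\n")
    msg = message_from_string(raw)
    changed = munge_from(msg, "users@lists.example", "Users List")
    return changed, msg["From"], msg["Reply-To"]

if __name__ == "__main__":
    print(demo())
    print(demo("Bob <bob@relaxed.example>"))
```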
