On 12/14/14, 10:10 PM, James B. Byrne wrote:
> On Sun, December 14, 2014 20:05, Richard Damon wrote:
>> DMARC says that if a domain requests DMARC protection then any
>> message that has a RFC5322 domain pointing to it, must be
>> verifiable as coming from that domain, thus such an address can
>> NOT use a 3rd party (like a mailing list manager) to deliver a
>> message for it without adding it to SPF or giving it the DKIM
>> signing keys.
>>
>> Since DMARC was intended to protect "high value" emails, like from
>> something like a bank, this wouldn't normally be a problem.
>> Effectively emails from a DMARC protected domain shouldn't be used
>> for non-official communication, and any 3rd party service is
>> presumably trusted so you can make the needed arrangements. The
>> problem is that YAHOO and AOL have, via their DMARC settings,
>> declared emails from their domain to be this type of high value,
>> and in effect that their users are not to use 3rd party
>> distribution methods (but haven't told their users this).
>>
>> Other mailing list systems have adopted some work arounds for this
>> problem, a common one is to "munge" the From: line to be the list
>> address (and setting Reply-To: to the poster), or wrapping the
>> message in a wrapper that is from the list, and the message to be
>> distributed is included as an attachment. (And some will just
>> reject any message from a domain that uses DMARC protection)
>>
>> The problem isn't really with DMARC, it is doing what it was
>> intended to do, the problem is the services misusing DMARC. It
>> sounds like if pushed, they will even admit that they are abusing
>> it, but feel they need to due to a lot of messages being forged as
>> from them.
>>
>> Yes, it is arguably a violation of the RFC's to rewrite the From:
>> address of a message going through a mailing list manager, but it
>> is one of the ways to handle the misuse of DMARC that has
>> happened. It comes down to a question of what are you willing to do
>> to make things "work" and who are you willing to make bear the
>> brunt of problems.
>>
>
> DMARC was forced upon the IETF by the big mail hosting companies. The
> reason that the FROM header is checked instead of the SENDER is
> because the FROM is what virtually all MUA's display to the end
> user; and that is what the mail hosting companies want verified.
> Banks and other 'high value' email sources are red-herrings. They
> could care less. Nothing of any import is ever sent by email from a
> bank; Or by anyone else that has any sense (PGP/GPG/SMIME users
> excepted, maybe).
I regularly get important messages from Financial Institutions.
Yes, they will typically ask me to log into their web site for confirmation
of the message or to send "sensitive" information, but they do
send notices by email that they hope I will see.
In fact, it is only because they DO send me email that a scammer has
much chance of succeeding by sending a fake message, hoping that I
will click on a link taking me to the wrong place.
> DMARC is doing exactly what was expected of it by the people
> pushing-for / forcing its adoption. It is also breaking every
> mailing list manager exactly as was predicted. Mailman MLM has
> since had a mod made to rewrite the from and set a few other switches
> to handle SPF.
>
> As for it being a violation of RFCs to rewrite the FROM header one
> has to consider what the source really is for any message coming
> through a mailing list forwarder. If all the messages sent through
> a MLM over some period are digested and sent as one message then
> what should the from id be? If the from id for all the messages
> sent through a mailing list as a single digest is the MLM itself then
> why should the same messages sent through the same list individually
> be treated differently?
If you read the standard, it says:
The originator fields indicate the mailbox(es) of the source of the
message. The "From:" field specifies the author(s) of the message,
that is, the mailbox(es) of the person(s) or system(s) responsible
for the writing of the message. The "Sender:" field specifies the
mailbox of the agent responsible for the actual transmission of the
message. For example, if a secretary were to send a message for
another person, the mailbox of the secretary would appear in the
"Sender:" field and the mailbox of the actual author would appear in
the "From:" field.
The *AUTHOR* of the message is the person who originally wrote it, not
the mailing list.
A digest is something different: the digest, as a whole, WAS created by
the list, just like if a person collects a number of pieces written by
other people, that person IS the author of the collection, and the
individuals who wrote the pieces are the authors of the pieces, but not
the whole.
The mailing list software is NOT the author of the individual messages, but
much more like the secretary mentioned in the RFC.
(I did say arguably because some people differ in this intent)
>
> The role of an MLM is really no different than if you or I forwarded
> a message we received on to a third party. Who is the FROM id in
> that case? Arguably, most MLMs have been doing it wrong since the
> beginning and DMARC is just highlighting the logical inconsistencies
> and contradictions in prevalent MLM practice.
>
The big difference is that the MLM is an AUTOMATED PROCESS (not
significantly different from postfix). If I manually forward a message,
that is not (by definition) an automated process, and generally the MUA
will build a new message containing the original message (and possibly
my notes about the message), so it is reasonable to change authorship of
the forwarding to be the forwarder. As a point of reference, when you
set up an automated forward rule for a mailbox to some other mailbox,
THAT forwarding does NOT normally change the From: line.
--
Richard Damon
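The From: munging workaround described in the quoted text (rewrite From: to the list address and point Reply-To: at the poster, only when the poster's domain publishes a restrictive DMARC policy), as an added Python example that is not part of this thread or of any list manager's code. The DMARC_POLICY table stands in for a DNS TXT lookup of _dmarc.<domain>, and LIST_ADDRESS, the "via List" display name and the X-Original-From header are assumed names, not a standard.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed stand-in for looking up the TXT record at _dmarc.<domain>;
# the values are the p= tag a live lookup would return.
DMARC_POLICY = {"yahoo.com": "reject", "aol.com": "reject", "example.org": "none"}

LIST_ADDRESS = "list@example.com"  # hypothetical list posting address


def dmarc_policy(domain):
    """Published p= policy for a domain; 'none' when nothing is published."""
    return DMARC_POLICY.get(domain.lower(), "none")


def needs_munging(from_header):
    """The list cannot pass SPF/DKIM for the author's domain, so a From:
    under p=quarantine or p=reject would fail DMARC at the recipients."""
    _, addr = parseaddr(from_header)
    return dmarc_policy(addr.rpartition("@")[2]) in ("quarantine", "reject")


def make_message(from_header, body):
    """Build a constructed sample post addressed to the list."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = LIST_ADDRESS
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    return msg


def prepare_for_list(msg):
    """Mark the list as the transmitting agent (RFC 5322 Sender:) and, when the
    author's DMARC policy demands it, rewrite From: while keeping the author
    reachable through Reply-To: and visible in X-Original-From."""
    original = str(msg["From"])
    del msg["Sender"]
    msg["Sender"] = LIST_ADDRESS
    if not needs_munging(original):
        return msg
    name, addr = parseaddr(original)
    msg["X-Original-From"] = original
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via List", LIST_ADDRESS))
    if "Reply-To" not in msg:
        msg["Reply-To"] = original
    return msg
```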