Yahoo breaks every mailing list in the world including the IETF's

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



DMARC is what one might call an emerging e-mail security scheme.
There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
the independent stream.  It's emerging pretty fast, since many of the
largest mail systems in the world have already implemented it,
including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.

DMARC lets a domain owner make assertions about the From: address, in
particular that mail with their domain on the From: line will have a
DKIM signature with the same domain, or a bounce address in the same
domain that will pass SPF.  They can also offer policy advice about
what to do with mail that doesn't have matching DKIM or SPF, ranging
from nothing to reject the mail in the SMTP session.  The assertions
are in the DNS, in a TXT record at _dmarc.<domain>.  You can see mine
at _dmarc.taugh.com.

For a lot of mail, notably bulk mail sent by companies, DMARC works
great.  For other kinds of mail it works less great, because like
every mail security system, it has an implicit model of the way mail
is delivered that is similar but not identical to the way mail is
actually delivered.

Mailing lists are a particular weak spot for DMARC.  Lists invarably
use their own bounce address in their own domain, so the SPF doesn't
match. Lists generally modify messages via subject tags, body footers,
attachment stripping, and other useful features that break the DKIM
signature.  So on even the most legitimate list mail like, say, the
IETF's, most of the mail fails the DMARC assertions, not due to the
lists doing anything "wrong".

The reason this matters is that over the weekend Yahoo published a
DMARC record with a policy saying to reject all yahoo.com mail that
fails DMARC.  I noticed this because I got a blizzard of bounces from
my church mailing list, when a subscriber sent a message from her
yahoo.com account, and the list got a whole bunch of rejections from
gmail, Yahoo, Hotmail, Comcast, and Yahoo itself.  This is definitely
a DMARC problem, the bounces say so.

The problem for mailing lists isn't limited to the Yahoo subscribers.
Since Yahoo mail provokes bounces from lots of other mail systems,
innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
subscribers' messages, but all those bounces are likely to bounce them
off the lists.  A few years back we had a similar problem due to an
overstrict implementation of DKIM ADSP, but in this case, DMARC is
doing what Yahoo is telling it to do.

Suggestions:

* Suspend posting permission of all yahoo.com addresses, to limit damage

* Tell Yahoo users to get a new mail account somewhere else, pronto, if
  they want to continue using mailing lists

* If you know people at Yahoo, ask if perhaps this wasn't such a good idea

R's,
John





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]