> * Suspend posting permission of all yahoo.com addresses, to limit damage

Mailman admins: You can find all subscribers with a yahoo address from
the mailman list admin page:

1. select "Membership List"
2. enter "yahoo" in the search box
3. click "Search"

Regards
Brian

On 08/04/2014 08:11, John Levine wrote:
> DMARC is what one might call an emerging e-mail security scheme.
> There's a draft on it at draft-kucherawy-dmarc-base-04, intended for
> the independent stream. It's emerging pretty fast, since many of the
> largest mail systems in the world have already implemented it,
> including Gmail, Hotmail/MSN/Outlook, Comcast, and Yahoo.
>
> DMARC lets a domain owner make assertions about the From: address, in
> particular that mail with their domain on the From: line will have a
> DKIM signature with the same domain, or a bounce address in the same
> domain that will pass SPF. They can also offer policy advice about
> what to do with mail that doesn't have matching DKIM or SPF, ranging
> from nothing to reject the mail in the SMTP session. The assertions
> are in the DNS, in a TXT record at _dmarc.<domain>. You can see mine
> at _dmarc.taugh.com.
>
> For a lot of mail, notably bulk mail sent by companies, DMARC works
> great. For other kinds of mail it works less great, because like
> every mail security system, it has an implicit model of the way mail
> is delivered that is similar but not identical to the way mail is
> actually delivered.
>
> Mailing lists are a particular weak spot for DMARC. Lists invariably
> use their own bounce address in their own domain, so the SPF doesn't
> match. Lists generally modify messages via subject tags, body footers,
> attachment stripping, and other useful features that break the DKIM
> signature. So on even the most legitimate list mail like, say, the
> IETF's, most of the mail fails the DMARC assertions, not due to the
> lists doing anything "wrong".
>
> The reason this matters is that over the weekend Yahoo published a
> DMARC record with a policy saying to reject all yahoo.com mail that
> fails DMARC. I noticed this because I got a blizzard of bounces from
> my church mailing list, when a subscriber sent a message from her
> yahoo.com account, and the list got a whole bunch of rejections from
> gmail, Yahoo, Hotmail, Comcast, and Yahoo itself. This is definitely
> a DMARC problem, the bounces say so.
>
> The problem for mailing lists isn't limited to the Yahoo subscribers.
> Since Yahoo mail provokes bounces from lots of other mail systems,
> innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
> subscribers' messages, but all those bounces are likely to bounce them
> off the lists. A few years back we had a similar problem due to an
> overstrict implementation of DKIM ADSP, but in this case, DMARC is
> doing what Yahoo is telling it to do.
>
> Suggestions:
>
> * Suspend posting permission of all yahoo.com addresses, to limit damage
>
> * Tell Yahoo users to get a new mail account somewhere else, pronto, if
>   they want to continue using mailing lists
>
> * If you know people at Yahoo, ask if perhaps this wasn't such a good idea
>
> R's,
> John
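
Added example (not part of the original messages): a simplified Python model of the DMARC check described in the quoted message, showing why a yahoo.com post relayed through a list ends up rejected under a reject policy. The record text, the list domain lists.example.org and all function names are constructed for illustration; relaxed alignment is approximated by comparing the last two labels instead of consulting the Public Suffix List, and the pct and sp tags are ignored.

```python
from dataclasses import dataclass

def parse_dmarc(txt):
    """Parse a _dmarc TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class Message:
    from_domain: str    # domain on the From: line
    bounce_domain: str  # domain of the bounce (envelope sender) address
    spf_pass: bool      # SPF result for the bounce domain
    dkim_domain: str    # d= of the DKIM signature, "" if unsigned
    dkim_pass: bool     # whether the signature still verifies

def dmarc_disposition(msg, record):
    """Return 'pass', the record's policy (none/quarantine/reject), or 'no-policy'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = msg.spf_pass and aligned(
        msg.from_domain, msg.bounce_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and bool(msg.dkim_domain) and aligned(
        msg.from_domain, msg.dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

# Constructed inputs: a reject policy, a direct message, and the same
# message after a list changed the bounce address and broke the signature.
RECORD = "v=DMARC1; p=reject"
DIRECT = Message("yahoo.com", "yahoo.com", True, "yahoo.com", True)
VIA_LIST = Message("yahoo.com", "lists.example.org", True, "yahoo.com", False)

if __name__ == "__main__":
    print("direct:  ", dmarc_disposition(DIRECT, RECORD))
    print("via list:", dmarc_disposition(VIA_LIST, RECORD))
```

The list copy fails even though SPF passes, because the passing SPF result belongs to the list's domain rather than the From: domain.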