Hi John,

At 10:34 08-04-2014, John R Levine wrote:
> I've never been a big fan of RFC 6377, but this bit seems relevant
> since strict ADSP policies had pretty much the same problems as
> strict DMARC policies.

Strict ADSP policies do cause problems.

>    For domains that do publish strict ADSP policies, the originating
>    site SHOULD use a separate message stream (see Section 2.5), such as
>    a signing and Author subdomain, for the "personal" mail -- a
>    subdomain that is different from domain(s) used for other mail
>    streams. This allows each to develop an independent reputation, and
>    more stringent policies (including ADSP) can be applied to the mail
>    stream(s) that do not go through mailing lists or perhaps do not get
>    signed at all.
>
> As far as I know, the "participating MLM" thing has never been
> implemented, which makes the C in BCP rather suspect. My own MLM
> signs the outgoing mail and adds an Authentication-Results: header,
> but largely by default because it's embedded in a mail system that
> does those things.

There was a message stating that the IETF implemented support for
DKIM (
http://www.ietf.org/mail-archive/web/ietf-announce/current/msg09173.html
). Given that there is an existing BCP about DKIM and mailing lists
it might be assumed that the IETF is following it. There is a
recommendation in the BCP to reject some types of messages.

My mailing list implementation does not break DKIM signatures. I
would not describe it as a "participating MLM" as the postmaster does
not follow some of the recommendations in that BCP. :-)

> Just today I did modify it so that any list mail with a From:
> address @yahoo.com is rewritten to @yahoo.com.INVALID. That's the
> least intrusive way I've been able to come up with to mitigate the
> damage. It's also similar to what RFC 6858 suggests for delivering
> EAI mail to systems that can't handle EAI, which is a vaguely similar problem.

I found some other domains which implemented DMARC as described at
http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html I
suggest taking that into account if you haven't already done it.

Regards,
S. Moonesamy
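
The From: rewrite discussed in the thread (list mail from @yahoo.com re-addressed to @yahoo.com.INVALID), sketched as an added example; it is not code from either correspondent or from any mailing list software. The function name, the `REWRITE_DOMAINS` set and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# Assumption: domains whose From: addresses the list rewrites. Only
# yahoo.com is named in the thread; others would be added by the operator.
REWRITE_DOMAINS = {"yahoo.com"}

# Constructed sample message, not real list traffic.
SAMPLE = (
    "From: Alice Example <alice@yahoo.com>\n"
    "To: list@lists.example.org\n"
    "Subject: test post\n"
    "\n"
    "Hello list.\n"
)


def rewrite_from(msg, domains=REWRITE_DOMAINS):
    """Append .INVALID to From: addresses whose domain is in `domains`.

    The display name is kept. Addresses in other domains, and addresses
    already ending in .INVALID, are left alone, so the function can be
    applied twice without further change. Returns True if the header
    was modified.
    """
    changed = False
    rewritten = []
    for name, addr in getaddresses(msg.get_all("From", [])):
        local, at, domain = addr.rpartition("@")
        if at and domain.lower() in domains:
            addr = f"{local}@{domain}.INVALID"
            changed = True
        rewritten.append(formataddr((name, addr)))
    if changed:
        # Replace the header only when something matched, so untouched
        # messages keep their original header bytes.
        del msg["From"]
        msg["From"] = ", ".join(rewritten)
    return changed


if __name__ == "__main__":
    message = message_from_string(SAMPLE)
    rewrite_from(message)
    print(message["From"])
```

Because the match is on the exact domain, an address that has already been rewritten no longer matches, and only the From: header is touched.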