On 4/12/2014 6:23 PM, Brian E Carpenter wrote:
> Hi,
> In the DMARC draft, I noticed this:
>
>    Descriptions of the PolicyOverrideTypes:
>    ...
>    mailing_list: Local heuristics determined that the message arrived
>    via a mailing list, and thus authentication of the original
>    message was not expected to succeed.
>
> Could somebody explain what that means and whether it can be used to
> mitigate the current issue? Or are substantial changes needed
> in the fundamentals of DMARC?
> I assume the authors will be adding a discussion of this issue
> to the draft.
> Regards
>    Brian
Brian,
The overall problem is that the middleware, the mailing list servers
(MLS), needs to change in order to support any optional DKIM add-on
security policy layer.
If the MLS is going to break the integrity and re-sign the mail, it
cannot do this blindly without considering the submitting author
domain's security policy.
First it was SSP, then ADSP, now DMARC. Same problem. Unless the
middleware supports this policy layer, it risks causing distribution
problems at the ADSP- and/or DMARC-policy-compliant downlinks. This
was one of the cited interop problems that led to ADSP being made Historic.
So it's really a matter of getting wider support in the mailing list
software or, once again, as was done for ADSP, promoting the idea
of not supporting the p=reject feature of DMARC.
Keep in mind, this is really only a problem because a "public"
yahoo.com domain, for some odd reason, uses a DMARC p=reject and there
are apparently mail distribution downlinks that support it. The list
servers blindly re-signed the mail, and there is no third-party support
concept in place to handle it.
But it would be precisely what another domain like fedex.com would
want with its restrictive ADSP discardable and DMARC p=reject policies
being used in a public mailing list.
--
HLS
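Added example, not part of this thread and not code from any DMARC or mailing list implementation: a toy Python model of the failure the reply describes and of the "mailing_list" PolicyOverrideType from the draft. It signs a constructed yahoo.com message, relays it through a hypothetical list (lists.example.org) that tags the Subject and appends a footer, and then evaluates DMARC at a downlink that publishes p=reject for the author domain, once with and once without a local mailing_list override. Assumptions: the signature primitive is an HMAC stand-in (real DKIM uses RSA/Ed25519 keys fetched from DNS), canonicalization is a simplified form of RFC 6376 "relaxed", identifier alignment is strict, and the message and domains are constructed.

```python
import copy
import hashlib
import hmac
import re
from email import message_from_string
from email.message import Message

# Constructed stand-in keys. Real DKIM uses an RSA/Ed25519 key published in DNS
# under <selector>._domainkey.<d>; HMAC is used here only so the example runs offline.
KEYS = {
    "yahoo.com": b"constructed-author-key",
    "lists.example.org": b"constructed-list-key",   # hypothetical list domain
}
SIGNED_HEADERS = ("from", "to", "subject")          # the h= tag of the signature
DMARC_POLICIES = {"yahoo.com": "reject"}            # stands in for a published p=reject record

def relaxed_body(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization (simplified)."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfolded value."""
    value = re.sub(r"\s+", " ", value).strip()
    return name.lower() + ":" + value + "\r\n"

def _signed_data(msg: Message, domain: str, bh: str) -> bytes:
    data = "".join(relaxed_header(h, msg[h]) for h in SIGNED_HEADERS if msg[h] is not None)
    data += "dkim-signature:v=1; d=%s; h=%s; bh=%s; b=" % (domain, ":".join(SIGNED_HEADERS), bh)
    return data.encode()

def dkim_sign(msg: Message, domain: str) -> dict:
    bh = hashlib.sha256(relaxed_body(msg.get_payload()).encode()).hexdigest()
    b = hmac.new(KEYS[domain], _signed_data(msg, domain, bh), hashlib.sha256).hexdigest()
    return {"d": domain, "bh": bh, "b": b}

def dkim_verify(msg: Message, sig: dict) -> bool:
    bh = hashlib.sha256(relaxed_body(msg.get_payload()).encode()).hexdigest()
    if bh != sig["bh"]:
        return False                      # body changed, e.g. a list footer was appended
    expected = hmac.new(KEYS[sig["d"]], _signed_data(msg, sig["d"], bh), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])   # a signed header changed, e.g. Subject tag

def mailing_list_relay(msg: Message, list_domain: str, tag=None, footer=None):
    """Model of a mailing list server: optionally tag Subject and append a footer,
    then add its own signature. With tag=None and footer=None the message passes
    through untouched and the author's signature survives."""
    relayed = copy.deepcopy(msg)
    if tag:
        relayed.replace_header("Subject", tag + " " + relayed["Subject"])
    if footer:
        relayed.set_payload(relayed.get_payload() + footer)
    return relayed, dkim_sign(relayed, list_domain)

def from_domain(msg: Message) -> str:
    return msg["From"].split("@")[-1].strip(" >").lower()

def dmarc_evaluate(msg: Message, dkim_sigs, spf_domain: str, spf_result: str, override=None):
    """Return (dmarc_result, disposition, reason). Strict identifier alignment is used;
    relaxed alignment would compare organizational domains (needs the Public Suffix List)."""
    rfc5322_from = from_domain(msg)
    policy = DMARC_POLICIES.get(rfc5322_from, "none")
    dkim_aligned = any(s["d"] == rfc5322_from and dkim_verify(msg, s) for s in dkim_sigs)
    spf_aligned = spf_result == "pass" and spf_domain == rfc5322_from
    if dkim_aligned or spf_aligned:
        return "pass", "none", "aligned"
    if override:
        # PolicyOverrideType such as "mailing_list": the receiver records the failure
        # in its aggregate report but does not apply the published disposition.
        return "fail", "none", override
    return "fail", policy, "policy"

def demo():
    # Constructed message; addresses are illustrative.
    original = message_from_string(
        "From: alice@yahoo.com\nTo: dmarc@ietf.org\nSubject: DMARC and lists\n\nHello list\n")
    author_sig = dkim_sign(original, "yahoo.com")
    direct = dmarc_evaluate(original, [author_sig], "yahoo.com", "pass")
    # Typical list: Subject tag + footer, re-signed by the list. SPF now evaluates the
    # list's bounce-address domain, so neither identifier aligns with yahoo.com.
    relayed, list_sig = mailing_list_relay(original, "lists.example.org", "[dmarc]",
                                           "\n-- \nSent via lists.example.org\n")
    via_list = dmarc_evaluate(relayed, [author_sig, list_sig], "lists.example.org", "pass")
    with_override = dmarc_evaluate(relayed, [author_sig, list_sig], "lists.example.org",
                                   "pass", override="mailing_list")
    # A list that leaves the signed content alone does not break the author's signature.
    untouched, list_sig2 = mailing_list_relay(original, "lists.example.org")
    passthrough = dmarc_evaluate(untouched, [author_sig, list_sig2], "lists.example.org", "pass")
    return direct, via_list, with_override, passthrough

if __name__ == "__main__":
    for label, result in zip(("direct", "via list", "with override", "passthrough"), demo()):
        print(label, result)
```

The four results show the shape of the problem: direct delivery passes; the tagged-and-footered relay fails both aligned identifiers and, at a p=reject downlink, is rejected; the same relay with a local "mailing_list" override still fails DMARC but is delivered with disposition "none" (the override is a receiver-side heuristic, so it is only as good as the receiver's list detection); and a list that does not alter the signed headers or body leaves the author's signature verifiable, which is the change in list behaviour the reply is asking for.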