Re: (DMARC) Why mailing lists are only sort of special


 



MH Michael Hammer (5304) wrote:

-----Original Message-----
From: ietf [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Yoav Nir
Sent: Thursday, April 17, 2014 9:27 AM
To: mrex@xxxxxxx
Cc: ietf@xxxxxxxx
Subject: Re: (DMARC) Why mailing lists are only sort of special


On Apr 17, 2014, at 4:11 PM, Martin Rex <mrex@xxxxxxx> wrote:

Yoav Nir wrote:
On Apr 17, 2014, at 9:35 AM, Dave Cridland <dave@xxxxxxxxxxxx> wrote:
Right now, my MUA treats this as a message "From John R Levine
<johnl@xxxxxxxxx>". This means that any policy on the message
origination comes from looking solely at the taugh.com domain. We'll
pretend it has a DMARC policy. Herein lies the Yahoo/DMARC issue,
because unless your policy essentially stipulates that the IETF is
allowed to spoof you, we're stuck.
Then perhaps this is what needs to change. John R Levine did not send
you a message. He sent a message to the list. It is the list software
that sent you a message. So perhaps the From field should have been
"From: IETF Mailing list on behalf of John R Levine <ietf@xxxxxxxx>".
But that is EXACTLY what the IETF mailing list exploder *IS* doing
exactly as it has been specified for ages:

https://tools.ietf.org/html/rfc822#section-4.4.2
https://tools.ietf.org/html/rfc822#appendix-A.2

https://tools.ietf.org/html/rfc5322#section-3.6.2

   The "From:" field specifies the author(s) of the message,
   that is, the mailbox(es) of the person(s) or system(s) responsible
   for the writing of the message.  The "Sender:" field specifies the
   mailbox of the agent responsible for the actual transmission of the
   message.

  From: Yoav Nir <ynir.ietf@xxxxxxxxx>
  Subject: Re: (DMARC) Why mailing lists are only sort of special
  Errors-To: ietf-bounces@xxxxxxxx
  Sender: ietf <ietf-bounces@xxxxxxxx>
  Date: Thu, 17 Apr 2014 13:50:30 +0300
  Message-ID: <B3467912-BDCA-4AE8-9939-60013DA99267@xxxxxxxxx>
  To: Dave Cridland <dave@xxxxxxxxxxxx>
  CC: "ietf@xxxxxxxx" <ietf@xxxxxxxx>


Something as old as Outlook 2003 will properly display a message that
is received with a "Sender:" as "<Sender> on behalf of <From>"
A client as new as Mail.app on Mac OS X 10.9 does not.

Obviously the Sender: field is not what the DMARC implementations use
for checking policy.

Yoav, this is by design.

There is no reliable way to determine the relationship between the Sender: field and the From: field from an authentication and authorization perspective at the domain level unless both are within the same domain space. Other than "I say so", how do we know that the Sender IS truly acting on behalf of the author in the From

Well - if the originating system were to include To: in the signature, and it matched Sender: that would go a long way.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
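
The point debated in this thread, that DMARC evaluates the From: domain and never the Sender: domain, as an added example that is not part of the original messages. The domains are constructed placeholders, and treating the last two labels as the organizational domain is a simplifying assumption (real evaluators use the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list-relayed message modelled on the headers quoted in the thread;
# every domain here is a placeholder.
SAMPLE = """\
From: Author Name <author@author.example>
Sender: list <list-bounces@list.example>
To: reader@reader.example
Subject: Re: (DMARC) Why mailing lists are only sort of special

body
"""

def domain_of(header_value):
    """Return the lowercased domain of the first address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.split(".")[-2:])

def aligned(from_dom, auth_dom, strict=False):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if not from_dom or not auth_dom:
        return False
    if strict:
        return from_dom == auth_dom
    return org_domain(from_dom) == org_domain(auth_dom)

def dmarc_alignment(raw, spf_pass_domain=None, dkim_pass_domains=(), strict=False):
    """Check identifier alignment against the From: domain only.

    spf_pass_domain: MAIL FROM domain that passed SPF (None if SPF failed).
    dkim_pass_domains: d= domains of DKIM signatures that verified.
    """
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    return {
        "from_domain": from_dom,
        "sender_domain": domain_of(msg["Sender"]),  # reported, never evaluated
        "spf_aligned": aligned(from_dom, spf_pass_domain, strict),
        "dkim_aligned": any(aligned(from_dom, d, strict) for d in dkim_pass_domains),
    }

def dmarc_pass(result):
    """DMARC passes when at least one authenticated identifier aligns."""
    return result["spf_aligned"] or result["dkim_aligned"]
```

A message authenticated only by the list's own domain fails alignment even though Sender: names the list, while a surviving author-domain DKIM signature passes in relaxed mode.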




