Re: (DMARC) Why mailing lists are only sort of special

[Miles Fidelman <mfidelman@xxxxxxxxxxxxxxxx>]

MH Michael Hammer (5304) wrote:
> > -----Original Message-----
> > From: ietf [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Yoav Nir
> > Sent: Thursday, April 17, 2014 9:27 AM
> > To: mrex@xxxxxxx
> > Cc: ietf@xxxxxxxx
> > Subject: Re: (DMARC) Why mailing lists are only sort of special
> >
> >
> > On Apr 17, 2014, at 4:11 PM, Martin Rex <mrex@xxxxxxx> wrote:
> >
> > > Yoav Nir wrote:
> > > > On Apr 17, 2014, at 9:35 AM, Dave Cridland <dave@xxxxxxxxxxxx> wrote:
> > > > > Right now, my MUA treats this as a message "From John R Levine
> > > > > <johnl@xxxxxxxxx>". This means that any policy on the message
> > > > > origination comes from looking solely at the taugh.com domain. We'll
> > > > > pretend it has a DMARC policy. Herein lies the Yahoo/DMARC issue,
> > > > > because unless your policy essentially stipulates that the IETF is
> > > > > allowed to spoof you, we're stuck.
> > > > Then perhaps this is what needs to change. John R Levine did not send
> > > > you a message. He sent a message to the list. It is the list software
> > > > that sent you a message. So perhaps the From field should have been
> > > > ?From: IETF Mailing list on behalf of John R Levine <ietf@xxxxxxxx>?.
> > > But that is EXACTLY what the IETF mailing list exploder *IS* doing
> > > exactly as it has been specified for ages:
> > >
> > > https://tools.ietf.org/html/rfc822#section-4.4.2
> > > https://tools.ietf.org/html/rfc822#appendix-A.2
> > >
> > > https://tools.ietf.org/html/rfc5322#section-3.6.2
> > >
> > >             The "From:" field specifies the author(s) of the message,
> > >    that is, the mailbox(es) of the person(s) or system(s) responsible
> > >    for the writing of the message.  The "Sender:" field specifies the
> > >    mailbox of the agent responsible for the actual transmission of the
> > >    message.
> > >
> > >   From: Yoav Nir <ynir.ietf@xxxxxxxxx>
> > >   Subject: Re: (DMARC) Why mailing lists are only sort of special
> > >   Errors-To: ietf-bounces@xxxxxxxx
> > >   Sender: ietf <ietf-bounces@xxxxxxxx>
> > >   Date: Thu, 17 Apr 2014 13:50:30 +0300
> > >   Message-ID: <B3467912-BDCA-4AE8-9939-60013DA99267@xxxxxxxxx>
> > >   To: Dave Cridland <dave@xxxxxxxxxxxx>
> > >   CC: "ietf@xxxxxxxx" <ietf@xxxxxxxx>
> > >
> > >
> > > Something as old as Outlook 2003 will properly display a message that
> > > is received with a "Sender:" as "<Sender> on behalf of <From>"
> > A client as new as Mail.app on Mac OS X 10.9 does not.
> >
> > Obviously the Sender: field is not where the DMARC implementations use
> > for checking policy.
> Yoav, this is by design.
>
> There is no reliable way to determine the relationship between the Sender:field and the From: field from an authentication and authorization perspective at the domain level unless both are within the same domain space. Other than "I say so", how do we know that the Sender IS truly acting on behalf of the author in the From

Well - if the originating system were to include To: in the signature, 
and it matched Sender: that would go a long way.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra