Do we actually want to do anything about DMARC?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>I agree strongly with you: the IETF needs to do something in some direction.
>
>That something could be to properly reject email with a DMARC policy that
>does not permit forwarding.  That would piss off an awful lot of IETF
>participants, but it would be simple, since it requires no protocol
>changes, just social changes.

Hmmn, the one approach that is unambiguously worse than doing nothing,
since it would confirm every worst fear that we're more interested in
playing purity games than in getting work done.

If we actually want to do something, we should decide what to do and do it.

It's not like there's any mystery about what the options are.  This
page in the old ASRG wiki lists them all and hasn't changed in ages:

 http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail

The options built into mailman 2 are:

 * moderate or reject DMARC'ed submissions

 * rewrite the From: line with the list address

 * wrap messages sort of like one-message digests

Personally, I think those are all pretty bad, so we should do
something else.  (If I had to pick one, I'd pick the last one since
it's the easiest to undo on the way in.)

Anything else would require some development.  I am one of the few
IETF participants who has actually written anti-DMARC code for mailing
lists, so I have some idea of how much work it is.

My preferred approach until ARC is usable is to rewrite the From:
address to a legible forwarding address.  The IETF already handles a
bazillion forwarding addresses for I-D and RFC authors, so I'd think
it wouldn't be terribly hard to adapt that.  You don't have to change
any mailman code; you can do everything in a shim between the list
manager and the outgoing postfix submission program.

My form is marissa@xxxxxxxxxxxxxxxxxxxx,* but if wildcard MX records
are scary, it could be marissa-yahoo.com@xxxxxxxxxxxx.  Having done
this before, I know it's not terribly hard, and I'd be happy to help
make it work.

R's,
John

* - yes, dmarc.fail is a real domain.  If the IETF asks nicely, I'd be
happy to give you dmarc.wtf.




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]