Re: Enabling DMARC workaround code for all IETF/IRTF mailing lists

Two comments:

1) While I don't particularly like changing of the From field (it will promote, invite fake actors, more overhead), this specific mapping can work, IFF, the failure of such proper mapping (as you described) is a rejectable (negatively handled) event.

For example, if the rewrite does not have the From "@dmarc.ietf.org" domain, is the message then rejectable, classified as a negative, when the X-Original-From header domain has a p=reject policy? If the mapping exists, can we technically assume there is p=reject involved?

  If Policy(RFC5322.X-Original-From.Domain) == REJECT
     and
     RFC5322.From.Domain != "dmarc.ietf.org" then
  begin
     return failed message
  end

What if the "X-Original-From" header does not exist but the From has the "@dmarc.ietf.org" domain?

2) Suggestion: Restrictive DMARC Domains that accept this new IETF practice SHOULD add a DMARC policy tag such as:

   rewrite=allowed

The whole point of DKIM and its policy layers is to honor it. By encouraging rewrites, there is no point in receivers checking it if there is no "payoff" in checking it. If changed, I suppose by adding a new rule, the receivers SHOULD have more information to properly handle it.

--
HLS


On 5/11/2018 8:00 AM, Alexey Melnikov wrote:
Hi,
Many of you have seen several long discussion threads about DMARC and how it affects use of IETF/IRTF mailing lists.

After testing DMARC workaround code written by Henrik Levkowetz on several high volume IETF and IRTF mailing lists (e.g. CFRG, WebRTC, DMARC, QUIC), the tools team and the IESG decided that Henrik's code should be deployed for all IETF and IRTF mailing lists. In particular the workaround allows people from DMARC p=reject domains to participate in IETF mailing lists, as well as to avoid the problem of recipients being unsubscribed from mailing lists. These 2 issues were the main reasons for developing the DMARC workaround code.

The workaround will be deployed today, May 11th.


Below are some technical details on how the email address rewriting workaround is going to work:

Emails from domains that don't have a p=reject DMARC setting are not going to be affected in any way.

For emails from p=reject domains:

- The From header field of such emails will be rewritten to be under @dmarc.ietf.org domain (which will have a p=none policy). For example, "alexey@xxxxxxxxxxx" email address would become "alexey=40example.com@xxxxxxxxxxxxxx". The original From header field will be preserved in the X-Original-From header field, which can be used for automatic message processing by Sieve and Mail User Agents.

Note that the mapping is reversible, so it is possible to send replies or new messages to an original sender by sending them to the corresponding mapped @dmarc.ietf.org email address.

Best Regards,
Alexey
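
The address mapping from the announcement and the header consistency cases raised in the reply, as an added Python example that is not part of either message and is not the deployed workaround code. The function names, the result labels, the `policy_of` lookup (a stand-in for a real DMARC DNS query), the case-insensitive comparison and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
LIST_DOMAIN = "dmarc.ietf.org"  # rewrite domain named in the announcement

def rewrite(addr):
    """alexey@example.com -> alexey=40example.com@dmarc.ietf.org"""
    local, _, domain = addr.rpartition("@")
    return f"{local}=40{domain}@{LIST_DOMAIN}"

def restore(addr):
    """Reverse the mapping (last "=40" is the original "@"); None if unmapped."""
    local, _, domain = addr.rpartition("@")
    orig_local, _, orig_domain = local.rpartition("=40")
    if domain.lower() != LIST_DOMAIN or not orig_local or not orig_domain:
        return None
    return f"{orig_local}@{orig_domain}"

def classify(raw, policy_of):
    """Name a message's case; policy_of(domain) is a hypothetical p= lookup."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    orig_addr = parseaddr(msg.get("X-Original-From", ""))[1]
    under_list = from_addr.rpartition("@")[2].lower() == LIST_DOMAIN
    if not orig_addr:
        # Second question in the reply: list-domain From, no original header.
        return "rewrite-without-original" if under_list else "not-rewritten"
    if not under_list:
        # The pseudocode's condition: p=reject original, From not mapped.
        policy = policy_of(orig_addr.rpartition("@")[2].lower())
        return "failed" if policy == "reject" else "unmapped"
    # Assumption: addresses are compared case-insensitively.
    if (restore(from_addr) or "").lower() != orig_addr.lower():
        return "mismatch"
    return "consistent"

# Constructed sample data (not taken from the thread).
POLICIES = {"example.com": "reject", "example.org": "none"}
SAMPLES = {
    "mapped": "From: A <alexey=40example.com@dmarc.ietf.org>\n"
              "X-Original-From: A <alexey@example.com>\n\nhi\n",
    "unmapped": "From: A <alexey@example.com>\n"
                "X-Original-From: A <alexey@example.com>\n\nhi\n",
    "no_header": "From: A <alexey=40example.com@dmarc.ietf.org>\n\nhi\n",
    "mismatched": "From: B <bob=40example.org@dmarc.ietf.org>\n"
                  "X-Original-From: A <alexey@example.com>\n\nhi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw, POLICIES.get))
```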