
Re: (DMARC) Why mailing lists are only sort of special

2014-04-16 15:38:51
On 16 April 2014 21:01, Dave Cridland <dave(_at_)cridland(_dot_)net> wrote:

> Unfortunately, the only option I thought was possibly available isn't
> permissible by the specification - therefore, the only solution involves
> alterations to the deployed base, which has been ruled impossible for over
> a year now.


Oh, I tell a lie, it's just not where I expected, and not quite as nice as
I'd hoped.

So I think what needs to happen is that a new policy of "sender-reject" or
something is allowed, which is essentially deferring to the sender, so
receivers would check:

1) The sender exists and is valid.

2) The mail has a valid DKIM signature from the sender and otherwise
complies with the published DMARC policy.

3) Any such policy is treated as p=reject

That is, if I have a mailing list at "ietf(_at_)ietf(_dot_)org", and a
p=forward-or-reject then my recipients would check for a _dmarc.ietf.org as
well, but ignore any p=, and treat as p=reject.

This means that mailing lists (and other forwarding cases) are enforced
into having DMARC records in order to forward DMARC originating messages,
which seems reasonable, and the Sender addresses must also be relatively
sensible, which they normally are already.

In fact, this case handles even people using gmail.com with their Yahoo
address sending messages to mailing lists, I think.

Note that the problem is that existing DMARC deployments which don't know
about sender-reject will either treat it as p=none - if there's a rua
listed - or "take no action", and I've not looked into this enough to
decide what that means.

So Yahoo, should they implement this change, would effectively take a
backwards step to p=none until the DMARC deployments caught up, which would
be a little confusing to mailing list operators, but at least safe.

The alternative would be to add a new tag indicating this kind of deferral
to the sender; unknown tags are ignored, so this would behave like a reject
until software was updated. The problem with that is that it'd be very
unpredictable whether messages would pass or not; for mailing lists, which
typically drop subscribers after a certain number of failed deliveries, I
think it'd remain a huge problem.

In either case, there would be a knock-on to UAs, which would need to show
in the UI that the message had been forwarded - gmail does this with its
"via", for example, so I don't think this is onerous.

I may be missing something.

Dave.
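The three-step receiver check proposed above, modelled as a small Python evaluator. This is an added example, not the author's code and not any real DMARC implementation: the `forward-or-reject` policy value, the `Message` fields, the `knows_new_policy` switch (which mimics the post's description of how an unaware deployment falls back to p=none or "take no action"), and every domain and DNS record are constructed for illustration.

```python
"""
Toy receiver-side evaluation of the "forward-or-reject" DMARC policy sketched
in the post. Constructed example: not the author's code and not any real
DMARC implementation; all domains and records below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed DNS: From/Sender domain -> its _dmarc TXT record (hypothetical).
DNS: Dict[str, str] = {
    "yahoo.example": "v=DMARC1; p=forward-or-reject; rua=mailto:dmarc@yahoo.example",
    "ietf.example": "v=DMARC1; p=none",
    "gmail.example": "v=DMARC1; p=none",
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag/value pairs (unknown tags are kept)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


@dataclass
class Message:
    from_domain: str                                      # domain of the From: address
    sender_domain: Optional[str] = None                   # domain of the Sender: header, if any
    dkim_domains: Set[str] = field(default_factory=set)   # d= of signatures that verified


def evaluate(msg: Message, dns: Dict[str, str] = DNS, knows_new_policy: bool = True) -> str:
    """Return a disposition: 'pass', 'none', 'quarantine', 'reject', 'no-policy' or 'no-action'.

    knows_new_policy=False models an existing deployment that has never heard of
    forward-or-reject: per the post it falls back to p=none when a rua is listed
    and to 'take no action' otherwise.
    """
    record = dns.get(msg.from_domain)
    if record is None:
        return "no-policy"
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")

    # Ordinary DMARC: a valid DKIM signature aligned with the From domain passes.
    if msg.from_domain in msg.dkim_domains:
        return "pass"

    if policy != "forward-or-reject":
        return policy  # p=none / p=quarantine / p=reject applied as published

    if not knows_new_policy:
        return "none" if "rua" in tags else "no-action"

    # Step 1: the Sender header exists and names a domain that publishes _dmarc.
    if not msg.sender_domain or msg.sender_domain not in dns:
        return "reject"
    # Step 2: the mail carries a valid DKIM signature from the Sender domain.
    if msg.sender_domain not in msg.dkim_domains:
        return "reject"
    # Step 3: the Sender domain's own p= value is ignored; failing either check
    # above is treated as p=reject, and a forwarder passing both is accepted.
    return "pass"


if __name__ == "__main__":
    direct = Message("yahoo.example", dkim_domains={"yahoo.example"})
    via_list = Message("yahoo.example", "ietf.example", {"ietf.example"})
    spoof = Message("yahoo.example")
    print(evaluate(direct), evaluate(via_list), evaluate(spoof))
    print(evaluate(via_list, knows_new_policy=False))
```

The `via_list` message is the mailing-list case: the list has rewritten the body, so the original `yahoo.example` signature no longer verifies, but the list's own `Sender:` and DKIM signature satisfy the new check. The same message evaluated with `knows_new_policy=False` lands on "none", which is the backwards step the post describes for deployments that have not caught up.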