
Re: What I've been wondering about the DMARC problem

2014-04-15 14:49:00
On 4/15/2014 2:16 PM, MH Michael Hammer (5304) wrote:

> Just curious, what sort of statement would you like to see? How would it help
> with vendor planning decisions?

I think the one provided here, although a link via tumblr, appears to be the official Yahoo position and sufficient:

http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do


> I'm looking forward to hearing your thoughts and questions and I'm sure others
> do as well. Is this list the best place for this or is there somewhere else
> more appropriate?


I don't think the IETF-LIST would be the appropriate place. I would think Dave and Murray would take lead here, as the current IETF "reps" on DMARC.

> Hector, Yahoo implemented the change a week ago Friday,
> not 4 months ago. I'm sure they have received complaints.

This is a January 10, 2014 transaction for one of the yahoo.com subscribers to our support list getting a copy of a yahoo.com user mail submission:

**************************************************************************
Wildcat! ESMTP Server v7.0.454.4
SMTP log started at Fri, 10 Jan 2014  22:06:21
Connection Time: 20140110 22:06:21  cid: 00000000 tid: 144C
SSL Enabled: YES
Message Queue: d:\spool\santronics\smtp\47446W
Destination: ##############@yahoo.com
Mail Host IP: 98.136.216.26:25 (mta6.am0.yahoodns.net)
Attempt #1 LastAttempt: n/a
22:06:21.471 ** Opening Connection to host: mta6.am0.yahoodns.net ip: 98.136.216.26:25
22:06:21.668 S: 220 mta1089.mail.gq1.yahoo.com ESMTP ready
22:06:21.669 C: EHLO secure.winserver.com
22:06:21.770 S: 250-mta1089.mail.gq1.yahoo.com
22:06:21.770 S: 250-PIPELINING
22:06:21.770 S: 250-SIZE 41943040
22:06:21.770 S: 250-8BITMIME
22:06:21.770 S: 250 STARTTLS
22:06:21.770 C: MAIL FROM:<listadmin-winserver(_at_)winserver(_dot_)com>
22:06:21.884 S: 250 sender <listadmin-winserver(_at_)winserver(_dot_)com> ok
22:06:21.884 C: RCPT TO:<lonehorseman82(_at_)yahoo(_dot_)com>
22:06:21.987 S: 250 recipient <lonehorseman82(_at_)yahoo(_dot_)com> ok
22:06:21.987 C: DATA
22:06:22.087 S: 354 go ahead
22:06:23.179 S: 554 5.7.9 Message not accepted for policy reasons. See http://postmaster.yahoo.com/errors/postmaster-28.html
22:06:23.180 C: QUIT
22:06:23.180 ** Completed. Elapsed Time: 1700 msecs

It's repeated for the other three yahoo.com users during a submission and it's recorded in the last four months of logs. Only yesterday did a customer post a support message that he was now seeing it in his Wildcat! List Server setup and logs. There might have been earlier reports but I didn't see them.

>> I can see additional DMARC extensions for other advancements, but the
>> main one is about managing 3rd party authorized domain to satisfy the
>> "signing/sent on behalf of" design need that yahoo says is required:

> On one level there already are ways for satisfying the 3rd party authorized
> domain issue. A domain could use SPF (either by specifying hosts/IPs or using
> an include in the SPF record) for a 3rd party domain. Another method would be
> to provide DKIM signing keys to the 3rd party. Yet a 3rd way is to delegate a
> subdomain so that the 3rd party can manage these things on their own. There are
> some best practice documents published at maawg.org that might be useful. If
> what you mean is a mechanism to specify random 3rd parties that an end user
> wishes to use, then no there is not a mechanism and I don't know of anyone who
> has put forth what I would consider a workable model.


I have to begin reading the DMARC spec to see what all the boundary conditions are, but it basically means being able to answer mail operation policy questions such as:

  o  Does the domain ever distribute mail?
  o  Do you expect the mail to be unsigned?
  o  Do you expect to sign all mail?
  o  Is your domain the exclusive signer?
  o  Are 3rd party signers allowed?
  o  Are 3rd party signers allowed to strip your original signatures?

This is an illustration of the logical flow when SSP-defined policies were used to answer the above questions.

  http://www.winserver.com/public/ssp/ssp.htm

     "Yahoo requires external email service providers, such as
      those who manage distribution lists, to cease using unsigned
      “sent from” mail, and switch to a more accurate “sent on
      behalf of” policy."

>> What is this so-called "more accurate" method?


> Not sure exactly what he means.

The 5322.From rewrite suggestion?

--
HLS
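As an added example (not code from this thread, from Wildcat!, or from Yahoo), the following Python script is a minimal DMARC alignment evaluator run over the relay shown in the log above: a yahoo.com author's post redistributed by the winserver.com list, where the list's own MAIL FROM passes SPF and the list adds its own DKIM signature, but neither identifier aligns with the yahoo.com From: domain. The DMARC record text, the SPF/DKIM results, the two-label organizational-domain rule (a real implementation uses the Public Suffix List) and the log-line pattern are all assumptions constructed to match the scenario, not values taken from Yahoo's actual record or from the log. It also shows what changes under the 5322.From rewrite mentioned at the end of the thread, and how the 554 5.7.9 policy rejection can be picked out of an outbound SMTP log.

```python
"""DMARC alignment walk-through for the mailing-list relay case (added example).
Assumptions: constructed DMARC record, constructed auth results, simplified
organizational-domain logic, and an assumed log-line format."""
import re
from dataclasses import dataclass, field


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into the tags we need, with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return {
        "p": tags.get("p", "none").lower(),
        "adkim": tags.get("adkim", "r").lower(),
        "aspf": tags.get("aspf", "r").lower(),
    }


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    a real receiver consults the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                       # RFC5322.From domain, what DMARC protects
    mail_from_domain: str                  # RFC5321.MailFrom domain that SPF checked
    spf_result: str                        # "pass" / "fail" / "none"
    dkim: list = field(default_factory=list)  # [(d= domain, "pass"/"fail"), ...]


def evaluate(record: str, r: AuthResults) -> dict:
    """DMARC verdict plus the receiver action the published policy asks for."""
    policy = parse_dmarc(record)
    spf_aligned = r.spf_result == "pass" and aligned(
        r.from_domain, r.mail_from_domain, policy["aspf"])
    dkim_aligned = any(res == "pass" and aligned(r.from_domain, d, policy["adkim"])
                       for d, res in r.dkim)
    if spf_aligned or dkim_aligned:
        return {"dmarc": "pass", "action": "accept"}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "accept")
    return {"dmarc": "fail", "action": action}


# Constructed stand-in for a p=reject record; yahoo.com's real record is not in the thread.
YAHOO_LIKE_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.invalid"


def list_relay_case() -> dict:
    """The relay in the log: the list host is authorized for winserver.com so SPF
    passes for its MAIL FROM, and the list signs with its own key, but the
    author's yahoo.com signature no longer verifies after the list altered the
    message (assumed, typical of subject tags and footers)."""
    return evaluate(YAHOO_LIKE_RECORD, AuthResults(
        from_domain="yahoo.com",
        mail_from_domain="winserver.com",
        spf_result="pass",
        dkim=[("yahoo.com", "fail"), ("winserver.com", "pass")],
    ))


def from_rewrite_case() -> dict:
    """Same relay after a 5322.From rewrite: the list puts its own domain in
    From:, so its SPF pass and its DKIM signature now align."""
    return evaluate(YAHOO_LIKE_RECORD, AuthResults(
        from_domain="winserver.com",
        mail_from_domain="winserver.com",
        spf_result="pass",
        dkim=[("winserver.com", "pass")],
    ))


# Detection side: spot policy rejections in an outbound SMTP transaction log.
# The pattern assumes the "HH:MM:SS.mmm S: <code> <enhanced-code> <text>" shape
# seen in the Wildcat! log above; the sample lines are copied from that log.
POLICY_REJECT = re.compile(r"S: (5\d\d) (5\.7\.\d+) ")


def find_policy_rejects(log_lines) -> list:
    """Return (reply code, enhanced status code) for every 5xx/5.7.x policy reply."""
    return [m.group(1, 2) for line in log_lines if (m := POLICY_REJECT.search(line))]


SAMPLE_LOG = [
    "22:06:22.087 S: 354 go ahead",
    "22:06:23.179 S: 554 5.7.9 Message not accepted for policy reasons. "
    "See http://postmaster.yahoo.com/errors/postmaster-28.html",
    "22:06:23.180 C: QUIT",
]

if __name__ == "__main__":
    print("list relay  :", list_relay_case())
    print("From rewrite:", from_rewrite_case())
    print("log rejects :", find_policy_rejects(SAMPLE_LOG))
```

The relay case fails DMARC not because anything is unauthenticated but because every passing identifier belongs to the list's domain rather than to the author's From: domain; that is the gap Hammer's three options (SPF include, shared DKIM keys, subdomain delegation) close for a known partner and that no mechanism closes for an arbitrary list a user happens to join.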