Re: (DMARC) Why mailing lists are only sort of special

2014-04-17 10:31:22
MH Michael Hammer (5304) wrote:

-----Original Message-----
From: ietf [mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Yoav Nir
Sent: Thursday, April 17, 2014 9:27 AM
To: mrex(_at_)sap(_dot_)com
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: (DMARC) Why mailing lists are only sort of special


On Apr 17, 2014, at 4:11 PM, Martin Rex <mrex(_at_)sap(_dot_)com> wrote:

Yoav Nir wrote:
On Apr 17, 2014, at 9:35 AM, Dave Cridland <dave(_at_)cridland(_dot_)net> wrote:
Right now, my MUA treats this as a message "From John R Levine
<johnl(_at_)taugh(_dot_)com>". This means that any policy on the message
origination comes from looking solely at the taugh.com domain. We'll
pretend it has a DMARC policy. Herein lies the Yahoo/DMARC issue,
because unless your policy essentially stipulates that the IETF is
allowed to spoof you, we're stuck.
Then perhaps this is what needs to change. John R Levine did not send
you a message. He sent a message to the list. It is the list software
that sent you a message. So perhaps the From field should have been
"From: IETF Mailing list on behalf of John R Levine <ietf(_at_)ietf(_dot_)org>".
But that is EXACTLY what the IETF mailing list exploder *IS* doing
exactly as it has been specified for ages:

https://tools.ietf.org/html/rfc822#section-4.4.2
https://tools.ietf.org/html/rfc822#appendix-A.2

https://tools.ietf.org/html/rfc5322#section-3.6.2

            The "From:" field specifies the author(s) of the message,
   that is, the mailbox(es) of the person(s) or system(s) responsible
   for the writing of the message.  The "Sender:" field specifies the
   mailbox of the agent responsible for the actual transmission of the
   message.

  From: Yoav Nir <ynir(_dot_)ietf(_at_)gmail(_dot_)com>
  Subject: Re: (DMARC) Why mailing lists are only sort of special
  Errors-To: ietf-bounces(_at_)ietf(_dot_)org
  Sender: ietf <ietf-bounces(_at_)ietf(_dot_)org>
  Date: Thu, 17 Apr 2014 13:50:30 +0300
  Message-ID: <B3467912-BDCA-4AE8-9939-60013DA99267(_at_)gmail(_dot_)com>
  To: Dave Cridland <dave(_at_)cridland(_dot_)net>
  CC: "ietf(_at_)ietf(_dot_)org" <ietf(_at_)ietf(_dot_)org>


Something as old as Outlook 2003 will properly display a message that
is received with a "Sender:" as "<Sender> on behalf of <From>"
A client as new as Mail.app on Mac OS X 10.9 does not.

Obviously the Sender: field is not what the DMARC implementations use
for checking policy.

Yoav, this is by design.

There is no reliable way to determine the relationship between the Sender: field and the
From: field from an authentication and authorization perspective at the domain level 
unless both are within the same domain space. Other than "I say so", how do we 
know that the Sender IS truly acting on behalf of the author in the From

Well - if the originating system were to include To: in the signature, and it matched Sender: that would go a long way.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
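
An added example, not part of the thread or of any poster's message: a sketch of the DMARC identifier-alignment check the discussion turns on, showing that a list-relayed message fails even when the list's own Sender: domain authenticates. The sample message, the `.example` domains, the function names and the two-label organizational-domain shortcut are all assumptions made for illustration; real evaluators use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, shaped like the list-relayed headers quoted in the thread.
RAW = """\
From: Author Name <author@author.example>
Sender: list <list-bounces@list.example>
To: reader@reader.example
Subject: Re: (DMARC) Why mailing lists are only sort of special

body
"""

def domain_of(header_value):
    """Lowercased domain of the first address in a header value ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def org_domain(domain):
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if strict:
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_eval(raw, spf_domain, spf_pass, dkim_domains, strict=False):
    """spf_domain: envelope MAIL FROM domain; dkim_domains: d= of verified signatures.
    Only the From: domain is compared; Sender: is reported but never consulted."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    spf_ok = spf_pass and aligned(from_domain, spf_domain, strict)
    dkim_ok = any(aligned(from_domain, d, strict) for d in dkim_domains)
    return {"from": from_domain, "sender": domain_of(msg.get("Sender", "")),
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    # List relay: SPF and DKIM both verify, but only for the list's domain.
    print(dmarc_eval(RAW, "list.example", True, ["list.example"]))
    # Same relay, but the author's own DKIM signature survived unmodified.
    print(dmarc_eval(RAW, "list.example", True, ["author.example"]))
```

In the first call every authenticated identifier belongs to the Sender: domain, yet the result is a DMARC failure because none of them aligns with the From: domain.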
