ietf
[Top] [All Lists]

Re: Will mailing lists survive DMARC?

2014-04-29 08:29:41
On Tue, 29 Apr 2014, Dave Crocker wrote:

On 4/29/2014 6:03 AM, Mikael Abrahamsson wrote:
I quickly went through
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text=1
which I guess is the draft we're discussing? As far as I can tell, it
doesn't "inform" about the problem DMARC causes in conjunction with
quite prevalent mailing list functionality.


Well, it does, but not in the most pedagogical fashion one might wish for. "Obscure" wouldn't be an inappropriate characterization...

  Appendix C.  DMARC XML Schema
  ...
  Descriptions of the PolicyOverrideTypes:
  ...
  mailing_list:  Local heuristics determined that the message arrived
     via a mailing list, and thus authentication of the original
     message was not expected to succeed.

I also found text in the A.3:

"A.3.  Sender Header Field

   It has been suggested in several message authentication efforts that
   the Sender header field be checked for an identifier of interest, as
   the standards indicate this as the proper way to indicate a re-
   mailing of content such as through a mailing list.  Most recently, it
   was a protocol-level option for DomainKeys, but on evolution to DKIM,
   this property was removed.

   The DMARC development team considered this and decided not to include
   support for doing so, for two primary reasons:
...
2.  Although it is certainly true that this is what Sender is for,
       its use in this way is also unreliable, making it a poor
       candidate for inclusion in the DMARC evaluation algorithm."

So... just because this is a hard problem to solve doesn't mean it's a good idea to just gloss over it and say "screw it" for mailing lists.

--
Mikael Abrahamsson    email: swmike(_at_)swm(_dot_)pp(_dot_)se