Re: DMARC and ietf.org

2016-07-20 02:48:13
On 20/07/2016 03:34, Dave Crocker wrote:
> On 7/19/2016 5:00 PM, Russ Housley wrote:
>> Outgoing Mailman email still has the problem. Mailman has an option we can
>> enable to force DMARC-spoofing sender rewriting of all outgoing Mailman
>> email. If we enable that option, the From: field rewriting could be
>> disruptive in unknown ways.
>>
>> We know that outgoing alias email still has the problem. The Secretariat
>> did some experiments with some additional headers (Resent-*) to alias
>> mail. They were not able to determine whether these headers helped
>> destination servers or not.
>
> The major issue is for mail sent through a mailing list, from authors whose
> From: domain has a DMARC policy calling for dire action (reject or
> quarantine) if DMARC does not validate at the final recipient's side.
>
> To overcome this, the ad hoc convention for mailing lists is to rewrite the
> From: header field, using an address belonging to the mailing list -- ie,
> no longer using the author's address -- and modifying the Display
> (friendly) string to /add/ something like "- via <listname>". In addition,
> the Reply-To: header field is set to be the original author's address, so
> that direct replies from a recipient will go back to the proper place.

Can Mailman do that *selectively*, i.e. only for sending domains that publish
a reject or quarantine DMARC policy?

If so, I think we have little alternative than to switch this on at some
point in the next few months. (And the equivalent for the aliases.)

For me, that point would arrive on the day that gmail changes its behaviour
to obey the reject policy. At the moment, gmail treats reject as quarantine,
which means that I have to fish stuff out of spam sometimes. If that changes
to "reject means reject", I will have to rush around finding another email
address to use for IETF purposes, unless sendmail does the rewrite.

So we need a definite decision whether the IETF (and IRTF) mailman will
be changed to do the rewrite.

Could we do an experiment with the rewrite on a couple of mailing lists?
Soon?

    Brian


> When organized by author address, this means that an actual author's mail
> is listed differently depending upon whether their messages are direct to
> the recipient, versus whether they went through a mailing list. It likely
> also means differential listing when sorted on the Display string...
>
> The modified display string will now have the extra visual cruft and there
> is no empirical basis for justifying that cruft, in terms of user behavior
> or any other safety and security. That is, it's an entirely logical
> modification, but there is no basis for believing that it is useful. (This
> is an unfortunate fact of usability life.)
>
> There is an effort (ARC) to develop a capability that might let
> DMARC-related messages survive transit of a mailing list, but that effort
> is still nascent.
>
> d/
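The selective rewrite Brian asks about, as an added example that is not code from this thread, from Mailman or from the IETF Secretariat: it looks up the author's DMARC policy and rewrites From: and Reply-To: only when the From: domain publishes p=reject or p=quarantine, following the convention Dave describes (list address in From:, "via <listname>" added to the display name, original author in Reply-To:). DNS is replaced by a constructed in-memory table of _dmarc TXT records, the organizational-domain fallback walks up one label at a time instead of consulting the Public Suffix List (a simplification of RFC 7489), and the list name and address are placeholders. Mailman 2.1.18 and later implement this behaviour selectively under the dmarc_moderation_action setting.

```python
from email.message import Message
from email.utils import formataddr, getaddresses, parseaddr

# Constructed stand-in for DNS: the TXT record at _dmarc.<domain>.
# Real code would query a resolver; this table exists so the example runs offline.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; sp=none",
}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; None unless it is a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags if tags.get("v") == "dmarc1" else None


def dmarc_policy(domain, resolver=FAKE_DNS.get):
    """Effective policy for a From: domain: 'none', 'quarantine', 'reject', or None.

    Exact-domain record first; otherwise walk up to parent domains and use
    'sp=' (subdomain policy) if present there, else 'p='.  The walk is a
    simplification: RFC 7489 derives the organizational domain from the
    Public Suffix List rather than trying every parent.
    """
    labels = domain.lower().split(".")
    record = resolver("_dmarc." + ".".join(labels))
    tags = parse_dmarc(record) if record else None
    if tags:
        return tags.get("p", "none")
    for i in range(1, len(labels) - 1):  # never query a bare TLD
        parent = ".".join(labels[i:])
        record = resolver("_dmarc." + parent)
        tags = parse_dmarc(record) if record else None
        if tags:
            return tags.get("sp", tags.get("p", "none"))
    return None


def needs_munging(domain, resolver=FAKE_DNS.get):
    """True only for domains whose DMARC policy would quarantine or reject list mail."""
    return dmarc_policy(domain, resolver) in ("reject", "quarantine")


def munge_from(msg, list_name, list_addr, resolver=FAKE_DNS.get):
    """Rewrite From:/Reply-To: in place for DMARC-protected authors; return True if rewritten."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    if not domain or not needs_munging(domain, resolver):
        return False
    # Put the original author first in Reply-To:, keeping any Reply-To: they set.
    existing = getaddresses(msg.get_all("Reply-To", []))
    reply_to = [formataddr((name, addr))] + [formataddr(pair) for pair in existing]
    del msg["Reply-To"]
    msg["Reply-To"] = ", ".join(reply_to)
    # From: now belongs to the list, with the author kept visible in the display name.
    del msg["From"]
    msg["From"] = formataddr(("%s via %s" % (name or addr, list_name), list_addr))
    return True


def build_message(from_hdr, reply_to=None):
    """Constructed sample message (no real mail involved)."""
    msg = Message()
    msg["From"] = from_hdr
    if reply_to:
        msg["Reply-To"] = reply_to
    msg["To"] = "list@lists.example"  # placeholder list address
    msg["Subject"] = "test"
    msg.set_payload("body")
    return msg


if __name__ == "__main__":
    for author in ("Alice Author <alice@example.com>", "Bob <bob@example.net>"):
        m = build_message(author)
        print(munge_from(m, "ietf", "ietf@ietf.org"), m["From"], m["Reply-To"])
```

Only the From: domain is consulted, which is what a receiving DMARC check uses; the envelope sender and any DKIM signature are left alone because the rewrite exists precisely for the case where the author's signature no longer validates after list processing.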
