
Re: [dmarc-ietf] IETF Mailing Lists and DMARC

2016-11-04 07:22:08
On 11/2/2016 6:19 PM, Brian E Carpenter wrote:

I think Michael Richardson made a very valid point. If our mailing
list software detects a sender whose domain has p=reject, we *know*
that the forwarded message will fail DMARC validation. So there's a
strong case for rejecting the message immediately, so that the sender
can be told about the problem and can choose a different sending address.

I had it in my 2006 DSAP proposal for MLM guidelines:

  http://tools.ietf.org/html/draft-santos-dkim-dsap-00#section-3.3

The term DMARC can be swapped in the section since it's really about a general DKIM+POLICY and it doesn't matter if it was SSP, ADSP, DSAP or DMARC:

   3.3.  Mailing List Servers

   Mailing List Servers (MLS) applications who are compliant with DKIM
   and DMARC operations, SHOULD adhere to the following guidelines:

   Subscription Controls

      MLS subscription processes should perform a DMARC check to
      determine if a subscribing email domain DMARC policy is restrictive
      in regards to mail integrity changes or 3rd party signatures.  The
      MLS SHOULD only allow original domain policies who allow 3rd party
      signatures.

   Message Content Integrity Change

      List Servers which will alter the message content SHOULD only do
      so for original domains with optional DMARC signing practices and
      it should remove the original signature if present.  If the List
      Server is not going to alter the message, it SHOULD NOT remove the
      signature, if present.

Wow! 10 years and we are still having this issue! Incredible. :(

But I did add the subscription controls for our ML software.

Presumably, we'd only need to do this until ARC is deployable.

Can ARC resolve the downlink problem for the non-ARC compliant receivers?

I've always said that the MLM needs to "look up" the practices of the Author Domain. What is its expectation? Intentions?

If the MLM expects the receivers to do DMARC lookups, why shouldn't the MLM do the same prior to accepting a list submission or subscriber? The MLM can also check/detect DMARC-related SMTP error responses and minimize the erroneous automatic removals from the list. All this requires MLM software change.


--
HLS
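
The check discussed in this message (an MLM looking up the author domain's DMARC policy before accepting a submission or subscriber) is sketched below as an added example; it is not part of the original message and not the author's list software. The DNS records, domain names and function names are constructed, and the organizational domain is assumed to be supplied by the caller rather than derived from a public suffix list.

```python
# Constructed TXT records standing in for DNS answers (not real data).
SAMPLE_DNS = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "_dmarc.relaxed.example": "v=DMARC1; p=none",
    "_dmarc.corp.example": "v=DMARC1; p=none; sp=reject",
}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable DMARC record."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v tag must come first and be exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags[1:])
    # Simplification: a record without a valid p= is treated as absent.
    if record.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return record

def author_policy(domain, org_domain, lookup):
    """Policy that receivers will apply to mail with this From: domain."""
    record = parse_dmarc(lookup("_dmarc." + domain) or "")
    if record:
        return record["p"].lower()
    if org_domain != domain:
        # Fall back to the organizational domain; sp= overrides p= for subdomains.
        record = parse_dmarc(lookup("_dmarc." + org_domain) or "")
        if record:
            return record.get("sp", record["p"]).lower()
    return "none"  # no published policy

def list_decision(domain, org_domain, lookup, list_alters_message=True,
                  restrictive=("reject",)):
    """Decide at submission/subscription time instead of after downstream bounces."""
    policy = author_policy(domain, org_domain, lookup)
    # A list that alters the message breaks the author signature, so a
    # restrictive author policy means the forwarded copy will fail DMARC.
    if list_alters_message and policy in restrictive:
        return "refuse", policy
    return "accept", policy
```

Whether `quarantine` also counts as restrictive is a local choice made through the `restrictive` parameter; the default follows the p=reject case raised in the thread.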

