On May 26, 2013, at 10:11 PM, "John R Levine" <[email protected]> wrote:
>> Near as I can tell, the only way I can employ a DMARC p=reject for my
>> domains and still get my messages delivered to inboxes at gmail and Yahoo is
>> to: ...
>
> We've discussed about a million times why DMARC policies are not appropriate
> for domains with users who send mail through mailing lists,

Are you intending to inform all implementers and domain owners of this
limitation with admonitions to search the list archives? Stating this clearly
in Section 10 of the Draft, under Domain Owner Actions, would be good. As
well as noting it clearly in the Limitations section of the draft, which is
currently missing. The Senders section of the FAQ would be another great
place. Don't beat around that bush like Draft section 10.2. Just come right
out and say that email lists and mail forwards are unusable with DMARC.

> send mail from their gmail accounts, and do all of the other stuff that live
> users do.
>
> You're suggesting a complex, fragile kludge that by design would put a
> gigantic replay security hole in DMARC. Can you explain in detail why the
> rest of the world should do that, rather than you simply publishing an
> appropriate DMARC record?

Sorry, I missed the URL to the "Build an appropriate DMARC record" form that
has the distilled wisdom of someone that has read every post to this list.
Especially the official DMARC record creator tool with the "Do you have users
that subscribe to email lists?" radio button that disables the rest of the
form when I choose Yes.

> Also, if you believe that it is very important for people to be able to
> identify mail you send from your servers, why aren't you signing it with
> S/MIME? You can do that right now, and S/MIME survives complex forwarding
> including mailing lists pretty well.

Enough of the straw men. This thread originated because of assumptions of
knowledge made on the part of the draft authors.
When I sent emails from my DMARC enabled tnpi.net domain to this email list, I
got back reports from google and yahoo that they're blocking them.

513 google.com tnpi.net 2013-05-22 17:00:00
<snip>
 | --  30 2001:1890:123a::1:1e     reject fail fail mail.ietf.org             forwarded mailing_list
 | --   1 2607:f0d0:2101:bb::2     reject fail fail ericindustries.net        forwarded mailing_list
 | --   1 113.56.245.52            reject fail fail 113.56.arpa.hb.cnc.cn
 | --   1 209.85.217.176           reject fail fail mail-lb0-f176.google.com  forwarded mailing_list
 | --   1 208.75.177.101           none   pass pass mail.theartfarm.com
<snip>
 | --   1 2607:f8b0:4001:c03::234  reject fail fail mail-ie0-x234.google.com  forwarded mailing_list
 | -- 113 208.69.40.157            reject fail fail medusa.blackops.org       forwarded mailing_list

It seems apparent that google detected that medusa is a list server, but they
still applied my reject policy. When the receiver whitelists a list server,
the results look like this:

519 163.com tnpi.net 2013-05-23 09:00:00
 | --   1 208.69.40.157 none fail fail mailing_list( forwarded by a white-listed mailing list ) medusa.blackops.org

Had there been a warning label somewhere that DMARC + mailing list = BROKEN
EMAIL, I'd have subscribed to this list with a different address. Now I'm
exploring ways to work around the problem, so that I can still prevent phish
from being sent from my domain. Adding email lists to my SPF records may be
one workaround. Roland suggested not signing the Subject and body with DKIM,
which is potentially another.

I'm also curious if the DMARC incurred deliverability failures will cause
list users to inadvertently get unsubscribed. That would be an interesting
side effect.

Matt

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
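As an added example, not part of the thread above, here is a small Python parser for the DMARC aggregate (rua) report XML that isolates the two cases Matt's rows show: list traffic the receiver itself tagged as forwarded yet still rejected under p=reject, and list traffic where the receiver overrode the policy for a whitelisted list. The XML, IP addresses and domain are constructed placeholders, not data from the original reports.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; placeholder IPs
# and domain, rows mirroring the thread: rejected list traffic, whitelisted
# list traffic (policy overridden), and a normal direct send.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.org</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>113</count>
<policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
<reason><type>forwarded</type><comment>mailing_list</comment></reason>
</policy_evaluated></row></record>
<record><row><source_ip>192.0.2.10</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
<reason><type>mailing_list</type><comment>forwarded by a white-listed mailing list</comment></reason>
</policy_evaluated></row></record>
<record><row><source_ip>198.51.100.5</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
</policy_evaluated></row></record>
</feedback>"""

def parse_report(xml_text):
    """One dict per <record>: source IP, message count, disposition,
    DKIM/SPF alignment results and any policy-override reasons."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": pe.findtext("disposition"),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "reasons": [(r.findtext("type"), r.findtext("comment", ""))
                        for r in pe.findall("reason")],
        })
    return rows

def list_breakage(rows):
    """Rows the receiver itself tagged as forwarded / mailing-list traffic.
    Returns them plus the count of such messages still rejected (lost mail);
    rows with disposition 'none' show where the receiver overrode p=reject."""
    flagged = [r for r in rows if any(t in ("forwarded", "mailing_list")
                                       or "mailing_list" in c for t, c in r["reasons"])]
    lost = sum(r["count"] for r in flagged if r["disposition"] == "reject")
    return flagged, lost

if __name__ == "__main__":
    flagged, lost = list_breakage(parse_report(SAMPLE_REPORT))
    for r in flagged:
        print(r["count"], r["ip"], r["disposition"], r["dkim"], r["spf"], r["reasons"])
    print(lost, "messages lost to p=reject on list traffic")
```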
