> What do you think about this proposal to extend DMARC to
> account for the failure case of DMARC with mailing lists:
> http://www.ietf.org/mail-archive/web/dmarc/current/msg00167.html

I remember this thread from a year ago and that it didn't get a lot of support. I suppose an example record is the following:

_dmarc.example.com "v=DMARC1; p=reject; pct=100; rua=...; ruf=...; l=yes"

The idea is for mailing lists to avoid getting filtered by DMARC (since it does spoof the From but legitimately) but it needs to be thought out end-to-end. I have a couple of questions:

1. The tag value for l=no isn't required. This means "I don't participate in mailing lists and therefore you should enforce my p=reject action." But this is the same as l=dunno (empty) which is the same as today's behavior. So, you would only need l=yes.

2. How would a receiver know that the email comes from a mailing list? Would it just look for something like a List-Unsubscribe or List-Subscribe header? Or something similar?

3. Would the expected behavior be that if the email comes from a mailing list yet fails DMARC, do not enforce DMARC's p=reject action nor the p=quarantine action?

4. What about a large domain prone to spoofing? Yahoo publishes a p=reject, and plenty of its users use mailing lists. What is stopping a spammer from putting the same mailing list tags into the message and spoofing From: Yahoo? That seems like a very easy workaround for the spammer.

A counter argument is to not blindly trust what appears to be a mailing list but also apply some other heuristic to it (e.g., domain or IP reputation). But if you're going to apply IP or domain reputation to suppress the DMARC action, then you don't need to pay attention to the l=yes tag at all. That is, if condition X can let you know whether or not to do p=reject, then there's no reason to do condition X and condition Y, making condition Y redundant.

Right?

-- Terry

-----Original Message-----
From: J. Gomez [mailto:[email protected]]
Sent: Tuesday, May 6, 2014 2:02 PM
To: Terry Zink
Cc: [email protected]
Subject: Re: [dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail

On Saturday, May 03, 2014 12:28 AM [GMT+1=CET], Terry Zink wrote:

> > > if this maillist here would change I bet it would be more
> > > understandable on what not to do
>
> > The advice hasn't changed: don't set a DMARC policy other than
> > p=none on domains used by human users. We know that some large
> > domains have disregarded that advice, but it doesn't make it any
> > less correct.
>
> I understand this position because it's a position I take many times
> here at work. However, as has been pointed out to me, just because I
> am correct doesn't mean that I am right, nor that I don't have a
> problem to solve.
>
> Given that large email providers like Yahoo and AOL do publish
> p=reject records, how is the rest of the email community going to
> deal with mailing lists and other legitimate cases that fail DMARC? It's
> not enough to say "Yahoo and AOL shouldn't be doing it." That ship
> has sailed. The question now is what can we do to improve user
> experience? Several answers have been proposed:
>
> 1. Do nothing and let domains that publish p=reject live with the
> consequences
> 2. Don't permit domains with p=reject onto mailing lists
> 3. Mailing lists should reformat the message to prevent DMARC failures
> 4. Email receivers should be selective about how they enforce
> p=reject - send it to Junk or even skip enforcing it from known good
> emailing lists
> 5. Extend DMARC so that it supports mailing lists
> 6. Something else?
>
> These each have their pros and cons but it seems to me that working
> to support p=reject with mailing lists is a net benefit to everyone.

Hi, Terry.

What do you think about this proposal to extend DMARC to account for the failure case of DMARC with mailing lists:

http://www.ietf.org/mail-archive/web/dmarc/current/msg00167.html

The proposal was dismissed by the staunch defenders of DMARC's immutability, but I would like to know your take on it, if you would be so kind to share it.

The proposal was done long before YAHOO and AOL adopted p=reject. Then the common wisdom was that the deployment of DMARC would happen step by step from none to quarantine to reject even using percentages in the process. However, now the brisk reality of the world happens to be different from what was then theorized, so perhaps that proposal deserves a second chance to be considered/discussed.

Regards,
J. Gomez

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
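
Question 4 in the reply above and the counter-argument that follows it, worked through as an added example (not code from the thread or from any DMARC implementation): a receiver decision function for the proposed `l=yes` tag, run on two constructed messages that both fail DMARC. The meaning given to `l`, the List-* header check and the trusted-relay set standing in for IP/domain reputation are assumptions, and `pct` is ignored.

```python
# Added example. The "l" tag is the proposal under discussion, not standard DMARC.
LIST_HEADERS = {"list-id", "list-unsubscribe", "list-subscribe", "list-post"}
def parse_dmarc(txt):
    """Parse a DMARC TXT record into {tag: value}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def looks_like_list(headers):  # header-only detection, as in question 2
    return any(name.lower() in LIST_HEADERS for name in headers)

def with_l_tag(record, dmarc_pass, headers, relay_ip, trusted_relays=None):
    """Receiver honoring l=yes. trusted_relays=None: headers alone decide;
    otherwise the relay must also be a known list server (reputation stand-in)."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    if dmarc_pass or policy == "none":
        return "deliver"
    if tags.get("l") == "yes" and looks_like_list(headers):
        if trusted_relays is None or relay_ip in trusted_relays:
            return "deliver"
    return policy

def reputation_only(record, dmarc_pass, relay_ip, trusted_relays):
    """Receiver that ignores l= and overrides on reputation alone."""
    policy = parse_dmarc(record).get("p", "none")
    if dmarc_pass or policy == "none" or relay_ip in trusted_relays:
        return "deliver"
    return policy

# Constructed sample data (documentation address ranges, not real hosts).
RECORD = "v=DMARC1; p=reject; pct=100; l=yes"
TRUSTED = {"192.0.2.10"}
LIST_MAIL = ({"From": "a@example.com", "List-Id": "<d.lists.example.org>"}, "192.0.2.10")
FORGED = ({"From": "a@example.com", "List-Unsubscribe": "<mailto:u@example.net>"}, "203.0.113.66")

def compare():
    """Per message: (l=yes + headers, l=yes + reputation, reputation only)."""
    return {name: (with_l_tag(RECORD, False, h, ip),
                   with_l_tag(RECORD, False, h, ip, TRUSTED),
                   reputation_only(RECORD, False, ip, TRUSTED))
            for name, (h, ip) in (("list", LIST_MAIL), ("forged", FORGED))}
if __name__ == "__main__":
    print(compare())
```

With header-only detection the forged message is delivered despite p=reject; once the relay check is added, the dispositions match those of the receiver that never reads `l=`.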
