Folks, I've been thinking about this for a while, as I know many of you have. Obviously things have to change to some degree in order for domain owners and large operators to protect their email channels with DMARC and also allow list operators to remail their messages. There are a couple of thoughts I want to share with you and get some feedback on in terms of the minimum viable change set.
DMARC and traditional mailing lists don't play nice for two reasons: the subject is modified to add a prefix, which invalidates the DKIM signature, and the body is modified to add a footer, which again invalidates the DKIM signature. I find the former relatively critical - I get value from the modified subjects on all of my listmail. I do not personally find the latter particularly valuable; the footer is not useful to me personally. Regardless of whether a footer is desirable, it is easily configurable, and list operators that want to avoid breaking DKIM/failing DMARC could omit it - particularly if that were all they had to do.

As far as the subject, I have been wondering whether not signing the Subject: header would be an option for large ISPs and large DMARC senders. It would increase the threat space by allowing replay of legitimate messages with weaponized subjects, but a) that's what everyone was able to do in the pre-DMARC days anyway and b) I'm not certain how real the threat is of someone clicking a link in the subject, where HTML etc. are not viable to disguise a URL and the body is not modifiable to induce a click on the link in the subject header.

So two questions to the group:

1: Regardless of whether it has simply always been that way, could list operators forgo modifying message bodies by adding footers?

2: How real is the threat space of a modified subject? Would it be acceptable to allow bizarre subjects attached to otherwise intact and signed messages to pass DKIM and DMARC in the name of interoperability?

Looking forward to your thoughts,

Chris

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
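As an added illustration of the mechanics discussed above (not from the original post and not a real DKIM implementation): a simplified DKIM-style signer that mimics the h= list of signed headers and the bh= body hash, with HMAC standing in for the public-key signature. It shows that a subject prefix breaks verification only when Subject is in the signed header list, while an appended footer breaks the body hash whichever headers are signed. The message, addresses and key are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for DKIM (RFC 6376): the real scheme uses an RSA or Ed25519 key
# published in DNS under a selector; HMAC with a fixed secret keeps this example offline.
SECRET = b"constructed-example-key"

def canon_header(name, value):
    """Relaxed header canonicalization: lowercase name, whitespace runs collapsed."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def body_hash(body):
    """Simple body canonicalization: CRLF line ends, trailing empty lines removed."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return hashlib.sha256(("\r\n".join(lines) + "\r\n").encode()).hexdigest()

def sign(msg, signed_headers):
    """Signature over the headers named in signed_headers (DKIM's h= tag) and the
    body hash (bh=). Any header left out of the list, Subject included, is not covered."""
    data = "".join(canon_header(h, msg["headers"][h]) for h in signed_headers)
    data += "bh=" + body_hash(msg["body"])
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()

def verify(msg, signed_headers, sig):
    return hmac.compare_digest(sign(msg, signed_headers), sig)

def remail(msg, subject_prefix="", footer=""):
    """What a traditional list does on the way out: prefix the Subject, append a footer."""
    headers = dict(msg["headers"])
    headers["Subject"] = subject_prefix + headers["Subject"]
    return {"headers": headers, "body": msg["body"] + footer}

def demo():
    """Run the three cases discussed on the list; returns {case: signature still valid}."""
    msg = {"headers": {"From": "chris@example.org", "To": "dmarc@example.net",
                       "Subject": "Minimum viable change set"},
           "body": "Folks, I've been thinking about this for a while.\r\n"}
    with_subject = ["From", "To", "Subject"]
    without_subject = ["From", "To"]
    sig_full = sign(msg, with_subject)
    sig_nosubj = sign(msg, without_subject)
    prefixed = remail(msg, subject_prefix="[dmarc] ")
    footered = remail(msg, footer="_______________\r\nlist info: https://lists.example.net/\r\n")
    return {
        "subject prefix, Subject signed": verify(prefixed, with_subject, sig_full),
        "subject prefix, Subject unsigned": verify(prefixed, without_subject, sig_nosubj),
        "footer added, Subject unsigned": verify(footered, without_subject, sig_nosubj),
    }
```

Real DKIM additionally hashes the DKIM-Signature header itself (with b= empty) and requires From: in h=; both are omitted here for brevity.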
