On Jun 26, 2014, at 6:13 PM, Chris Meidinger <[email protected]> wrote:

> Folks,
> 
> I've been thinking about this for a while, as I know many of you have. 
> Obviously things have to change to some degree in order for domain owners and 
> large operators to protect their email channels with DMARC and also allow 
> list operators to remail their messages. There are a couple of thoughts I 
> want to share with you and get some feedback on in terms of the minimum 
> viable change set.
> 
> DMARC and traditional mailing lists don't play nice for two reasons: the 
> subject is modified to add a prefix, which invalidates the DKIM signature, 
> and the body is modified to add a footer, which again invalidates the DKIM 
> signature. I find the former relatively critical - I get value from the 
> modified subjects on all of my listmail. I do not personally find the latter 
> particularly valuable, the footer is not useful to me personally. Regardless 
> of whether a footer is desirable, it is easily configurable and list 
> operators that want to avoid breaking DKIM/failing DMARC could omit it - 
> particularly if that were all they had to do.
> 
> As far as the subject, I have been wondering whether not signing the Subject: 
> header would be an option for large ISPs and large DMARC senders. It would 
> increase the threat space by allowing replay of legitimate messages with 
> weaponized subjects, but a) that's what everyone was able to do in the 
> pre-DMARC days anyway and b) I'm not certain how real the threat is of 
> someone clicking a link in the subject, where HTML etc are not viable to 
> disguise a URL and the body is not modifiable to induce a click on the link 
> in the subject header. 
> 
> So two questions to the group:
> 
> 1: Regardless of whether it has simply always been that way, could list 
> operators forego modifying message bodies by adding footers?
> 
> 2: How real is the threat space of a modified subject? Would it be acceptable 
> to allow bizarre subjects attached to otherwise intact and signed messages to 
> pass DKIM and DMARC in the name of interoperability?
> 
> Looking forward to your thoughts,

Dear Chris,

We have been asked to focus on Charter-related issues. 

The subject can include URLs that get translated into potentially malicious 
links.
There is still the Intuit issue where a Sender signs the message.
All of these issues and more eventually relate to exceptions that a DMARC 
domain should be able to accommodate...

Regards,
Douglas Otis
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
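As an added illustration (not part of the thread or of any DKIM implementation), the Python below shows why the two list modifications Chris describes behave differently: the headers a DKIM signature covers are chosen by the signer's h= list, while the body hash (bh=) always covers the body. An HMAC with a constructed key stands in for the RSA signature, and every address and message value is constructed.

```python
import hashlib
import hmac

# Constructed demo key: stands in for the signer's private key (real DKIM uses RSA or Ed25519).
KEY = b"constructed-demo-key"

def canon_header(name: str, value: str) -> str:
    """Relaxed header canonicalization (RFC 6376 s3.4.2): lowercase name, fold whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}"

def canon_body(body: str) -> str:
    """Relaxed body canonicalization: collapse whitespace runs, drop trailing empty lines."""
    lines = [" ".join(line.split()) for line in body.splitlines()]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"

def sign(headers: dict, body: str, signed_fields: list) -> dict:
    """DKIM-style signature: body hash plus the canonicalized headers named in h=."""
    bh = hashlib.sha256(canon_body(body).encode()).hexdigest()
    head = "\r\n".join(canon_header(f, headers[f]) for f in signed_fields)
    tag = hmac.new(KEY, f"{head}\r\nbh={bh};h={':'.join(signed_fields)}".encode(), "sha256")
    return {"h": signed_fields, "bh": bh, "b": tag.hexdigest()}

def verify(headers: dict, body: str, sig: dict) -> bool:
    """Fails if the body changed, or if any header listed in h= is missing or changed."""
    if hashlib.sha256(canon_body(body).encode()).hexdigest() != sig["bh"]:
        return False
    try:
        head = "\r\n".join(canon_header(f, headers[f]) for f in sig["h"])
    except KeyError:
        return False
    expected = hmac.new(KEY, f"{head}\r\nbh={sig['bh']};h={':'.join(sig['h'])}".encode(), "sha256")
    return hmac.compare_digest(expected.hexdigest(), sig["b"])

def list_outcomes() -> dict:
    """Re-verify a constructed message after the two modifications the thread discusses.
    Each tuple is (signature covering Subject, signature omitting Subject)."""
    headers = {"From": "[email protected]", "To": "[email protected]", "Subject": "Minutes"}
    body = "See attached.\r\n"
    with_subject = sign(headers, body, ["From", "To", "Subject"])
    without_subject = sign(headers, body, ["From", "To"])
    prefixed = dict(headers, Subject="[list] " + headers["Subject"])   # list adds a subject tag
    footered = body + "--\r\nUnsubscribe: http://list.example/unsub\r\n"  # list appends a footer
    return {
        "intact": (verify(headers, body, with_subject), verify(headers, body, without_subject)),
        "subject_prefixed": (verify(prefixed, body, with_subject), verify(prefixed, body, without_subject)),
        "footer_added": (verify(headers, footered, with_subject), verify(headers, footered, without_subject)),
    }
```

Leaving Subject out of h= survives the prefix but not the footer, which breaks bh= under either signature; real DKIM additionally offers the optional l= body-length tag (RFC 6376) that tolerates appended text, at the price of letting anyone append content to a signed message.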
