:: Re: [DNG] Excessive bounces
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] Excessive bounces
Quoting Daniel Abrecht (dng@???):

> I'm sorry, I'm using DMARC, and I didn't get the DMARC report about the
> bounced mails, probably because I forgot a DMARC DNS entry for the
> report receiving mail address. I have changed my DMARC policy from
> reject to quarantine for now.


It would be excellent if you could provide any DMARC reports you get to
the Dng listadmins. Thank you.

Your point is well taken that DMARC and mailing lists can coexist (I've
always concurred with that). It's just difficult, and creates adverse
consequences. (As background for this, it's useful to know that DMARC
is a composite and extension of SPF and DKIM.)

As part of the process, the domain's outgoing mail gets certain headers
and body text cryptographically signed and attested to (the DKIM =
DomainKeys Identified Mail part of the standard). For such mail to
successfully transit a mailing list without breaking validation, the
signed text and headers must be completely unchanged. This is a very
difficult constraint for MLM software to meet, as occasionally something
gets inserted or changed in a header or elsewhere during normal MLM
processing, and in particular the To: header by design is supposed to
be set upon posting retransmission to the address of each subscriber.

To the best of my recollection (and I'm presently busy and cannot
double-check all of this), some subset of the full SMTP headers is
included in the DKIM attestation. I can't remember which, nor whether
the DKIM-issuing operator can decide which. I vaguely recall that the
extra headers MLMs intentionally add, the MLM footer, the MLM
modification to the Subject header (like adding [DNG]), and more are all
somewhat problematic for DKIM validation.

There are a maddeningly large and diverse number of ways to deal with
the problem, and one can spend a lot of time reading about it. E.g.:
https://dmarc.org/supplemental/mailman-project-mlm-dmarc-reqs.html
http://www.spamresource.com/2014/04/run-email-discussion-list-heres-how-to.html
https://dmarc.org/wiki/FAQ#I_operate_a_mailing_list_and_I_want_to_interoperate_with_DMARC.2C_what_should_I_do.3F


Just a point:

> I use DMARC and believe it to be necessary because it allows me to:
> 1) Make sure nobody can use my E-Mail address to impersonate me or send
> spam


SPF alone _can_ do exactly that without also needing DKIM/DMARC. (So,
sufficient is correct, but necessary is not quite correct.)

> 2) I will be notified if anyone attempts to do so


SPF alone can prevent it from being possible, hence you don't need to be
notified. (This of course assumes that receiving domains check SPF for
received mail. Not all do, but more do than check DMARC.)

> 3) The recipient can check if the message content was changed


gpg signing alone can do that.

If your SMTP message content is being changed, though, you actually have
a lot bigger problems.

> 1) Provide an SPF record. This mailing list doesn't seem to have one


The mailing list isn't an originator. It's the originating domains that
ought (to the extent they wish to do so) to have SPF records.


> 2) Don't change anything from the message below the DKIM headers, add
> the other headers before the DKIM signature instead.


To the best of my recollection (I could be misremembering), this is
easier said than done.

Anyway, thank you for your substantive help to the Devuan Project.
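
Added example, not part of the original message: a Python sketch of why a list's Subject tag and footer invalidate a DKIM signature, using the "relaxed" canonicalization rules from RFC 6376. It compares only the canonicalized inputs a signature covers (the body hash and the headers named in the signature's h= tag) and does no RSA verification; the sample message, addresses and h= list are constructed assumptions.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace and drop whitespace at end of each line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer would place in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 'relaxed' header canonicalization for one field."""
    value = re.sub(r"\r?\n", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def what_breaks(original: dict, relayed: dict, h_tag: list) -> list:
    """Names of signed parts whose canonical form changed in transit."""
    broken = [n for n in h_tag
              if relaxed_header(n, original["headers"][n])
              != relaxed_header(n, relayed["headers"][n])]
    if body_hash(original["body"]) != body_hash(relayed["body"]):
        broken.append("body")
    return broken

# Constructed sample data (not taken from any real message).
H_TAG = ["From", "Subject", "Date"]    # assumed h= list chosen by the signer
ORIGINAL = {"headers": {"From": "alice@example.org", "Subject": "Excessive bounces",
                        "Date": "Mon, 1 Jan 2024 10:00:00 +0000"},
            "body": b"Hello list,\r\nplease see below.\r\n"}
# Relay that only adds an unsigned header and trailing whitespace.
PASS_THROUGH = {"headers": {**ORIGINAL["headers"], "List-Id": "<dng.example.org>"},
                "body": b"Hello list, \r\nplease see below.\r\n\r\n"}
# Relay that tags the Subject and appends a footer.
VIA_LIST = {"headers": {**ORIGINAL["headers"], "Subject": "[DNG] Excessive bounces"},
            "body": ORIGINAL["body"] + b"_______\r\nDng mailing list\r\n"}

if __name__ == "__main__":
    print("pass-through:", what_breaks(ORIGINAL, PASS_THROUGH, H_TAG))
    print("via list:    ", what_breaks(ORIGINAL, VIA_LIST, H_TAG))
```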