Author: Bernard Rosset
Date:
To: dng
Subject: Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists
On 29/12/2019 06:30, Rick Moen wrote:
> Quoting Mark Rousell (mark.rousell@???):
>> That said, the mail list *does* seem to work as Steve wants.
>
> It really doesn't.


On 28/12/2019 14:16, Mark Rousell wrote:
> At least it does for my mail client (Thunderbird).


It definitely seems to be MUA-specific. The last bit from Mark is
important: the Thunderbird MUA seems to always show consistent behaviour
of its "Reply" & "Reply List" buttons.

The only thing which changes for this MUA is the set of displayed
headers above the message.
Non-DMARC-protected domains show From, Subject & To, while
DMARC-protected ones show From, Subject, Reply-To & To.

I concur with Mark on the fact this email client seems to do the job, at
least on that front.

-----

On a more generic topic, what I read about DMARC over here seems to be a
bit unfair.

DMARC is only there to *enforce* SPF and/or DKIM ("DomainKeys Identified
Mail" hence not really "former" DomainKeys, just mere relabeling).
The real protection mechanisms being considered/violated here are SPF
and/or DKIM. DMARC's policy only triggers if *both* SPF & DKIM fail.

SPF is a mechanism to ensure the envelope matches the headers & sender
machine is authorized to emit for a domain (hence protects against
impersonation).

DKIM protects against message tampering by signing body & some headers
of the emitted email.

From-munging, used to circumvent SPF, actually means
faking/modifying/impersonating the original email source.
It also happens to circumvent DKIM... and DMARC as a whole, since the
emitting domain would now be the list's one, *not* the sender's.

This From-munging is a perfect man-in-the-middle example, actually
pulling the plug on all header checks at destination.


Now, if the sender's domain supports DKIM, and provided the headers
potentially important to the mailing list's piping are not provided &
signed (Sender, List-*, Reply-To, etc.), i.e. if mere From, Subject are
signed (which I believe is a common case), it is alright.

Well. It is alright... provided mailing lists stop doing what they have
been doing for ages, i.e. *modifying* protected content, either protected
headers or body.

That means no From header modification (no From-munging).
That means no Subject header modification (no added prefix and rather
let destination users route incoming email based on headers rather than
Subject prefix).
That means no body modification (and rather leverage List-* headers &
let MUA augment received messages based on those).


As stated before, a DMARC policy fails if *both* SPF & DKIM checks fail
or if one fails and the other is non-existent.
Hence, the real problem comes from violating DKIM... or having no DKIM
set up.
DMARC + DKIM should do the trick, provided mailing list software
stops being intrusive.

In the current state of my understanding of DMARC, SPF & DKIM, I have a
hard time understanding flaming any of those protection mechanisms.
The only trouble I see here is that mailing lists have a long history of
modifying email headers and/or content, and it has been deemed "normal"
over years of doing so.
Would you mind if I arbitrarily opened/modified your (private) postal
mail or any written message from/to you?

My understanding might be incomplete. If so, please enlighten me &
anyone interested, by all means.

Cheers,
Bernard Rosset
https://rosset.net/
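An added illustration of the point made in this message (example code, not part of the thread): a simplified DKIM-like signer over From, Subject and a body hash, using an HMAC with a constructed key in place of a real DNS-published key, plus the sender's DMARC rule. It shows that adding List-* headers leaves the signature intact, while a Subject prefix or a body footer breaks it. Addresses, list name and header values are constructed.

```python
import hashlib
import hmac

# Constructed demo key; real DKIM uses an asymmetric key published in DNS.
DEMO_KEY = b"constructed-demo-key"

def canon_header(name, value):
    # Simplified "relaxed" canonicalization: lowercase name, collapse whitespace.
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def sign(headers, body, signed_names=("from", "subject")):
    """Sign only the listed headers plus a hash of the body (DKIM-like)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    data = "".join(canon_header(n, lowered.get(n, "")) for n in signed_names)
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    mac = hmac.new(DEMO_KEY, (data + body_hash).encode(), hashlib.sha256).hexdigest()
    return {"h": signed_names, "bh": body_hash, "b": mac}

def verify(sig, headers, body):
    """Recompute the signature over the headers named in the signature."""
    expected = sign(headers, body, sig["h"])
    return hmac.compare_digest(expected["b"], sig["b"])

def dmarc_pass(spf, dkim):
    # Rule as stated in the message: DMARC only fails when neither SPF nor
    # DKIM yields a pass. Each result is "pass", "fail" or "none" (not set up).
    return "pass" in (spf, dkim)

# Constructed message as sent by the original author.
ORIGINAL = {"From": "alice@example.org", "Subject": "DMARC and lists",
            "To": "dng@example.net"}
BODY = "Hello list,\r\n"

def scenarios():
    """Relay the signed message through three list behaviours."""
    sig = sign(ORIGINAL, BODY)
    # 1. List only adds List-* headers: signed headers untouched.
    relayed = dict(ORIGINAL, **{"List-Id": "<dng.example.net>",
                                "List-Post": "<mailto:dng@example.net>"})
    # 2. List prefixes the Subject header.
    prefixed = dict(relayed, Subject="[DNG] DMARC and lists")
    # 3. List appends a footer to the body.
    footer_body = BODY + "--\r\nlist footer\r\n"
    return {
        "list_headers_added": verify(sig, relayed, BODY),
        "subject_prefixed": verify(sig, prefixed, BODY),
        "footer_appended": verify(sig, relayed, footer_body),
    }

if __name__ == "__main__":
    print(scenarios())
```

With SPF broken by the relay, the list's post only survives DMARC when the DKIM signature still verifies, i.e. in the first scenario.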