Author: Rick Moen Date: To: dng Subject: Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists
Quoting Bernard Rosset via Dng (dng@???):
> On a more gneric topic, what I read about DMARC over here seems to
> be a bit unfair.
If you mean specifically my own postings on the subject, that's quite
arguably true, especially the stuff I wrote a bit over a year ago, when
I was well and truly furious about the destructive effect of strong
DMARC policies on the (many) mailing lists I administer, and trying to
help fellow listadmins understand and cope with the problem.
I'd be willing to consider offers to hire me to write utterly dispassionate
and exhaustive documentation, as well, at consulting rates, two-hour
minimum. But that would be a different need from the one I had been
(and recently, somewhat exhaustedly, continued) attempting to satisfy.
> DMARC is only there to *enforce* SPF and/or DKIM ("DomainKeys
> Identified Mail" hence not really "former" DomainKeys, just mere
> relabeling).
I'm a little unclear on what you're saying, here, and what your point
is. If you're saying DKIM is just a newer name for DomainKeys, but was
unchanged from DomainKeys, you are incorrect: Yahoo had produced a
draft called 'enhanced DomainKeys', and that was merged with a separate
Cisco effort called 'Identified Internet Mail' to produce DKIM in 2004.
Yes, DMARC is a defined superset of SPF and/or DKIM. DKIM, IIRC, had
the same destructive effects on mailing lists for the same reasons.
Saying DMARC is 'only there to enforce' it is rather missing the point,
IMO.
> The real protection mechanisms being considered/violated here are
> SPF and/or DKIM. DMARC's policy only triggers if *both* SPF & DKIM
> fail.
Your wording, here, is a bit ambiguous. If you are intending to
suggest that DMARC requires that a domain implement both SPF and DKIM,
that is not correct. OTOH, if you mean that DMARC fails only if neither
SPF or DKIM validates, then that is correct.
> Now, if the sender's domain supports DKIM, and provided the headers
> potentially important to the mailing list's piping are not provided
> & signed (Sender, List-*, Reply-To, etc.), ie if mere From, Subject
> are signed (which I believe is a common case), it is alright.
>
> Well. It is alright... provided mailing lists stop doing what they
> have been doing for ages, ie *modifying* protected content, either
> protected headers or body.
In other words, with the typical DKIM-attested set of headers and
content, mailing lists break short of major changes such as wrapping the
message, From: rewriting, or ceasing all message modifications, meaning
not just no more footers and subject prefixes, but also (IIRC) problems
with List-ID and similar headers.
More than a year ago, I could have written a comprehensive explanation
of all the gory details, but will confess I've dropped a lot of it from
memory since then.
> Hence, the real problem comes from violating DKIM... or having no
> DKIM set up.
Again, your wording is ambiguous. If you're suggesting that having no
DKIM set up at a sending domain is somehow problematic for that domain,
then that is incorrect. E.g., my linuxmafia.com domain does not have
DKIM setup (because I think that technology design was poorly written),
and I have no deliverability problems at all -- particularly because
my domain has a correct, strongly asserted SPF policy, and because I
follow reputable SMTP practices carefully and protect the reputation of
my sending IP address.
I'm not entirely sure what you mean, if you meant something else.
> DMARC + DKIM should do the trick, provided mailing lists (softwares)
> stop being intrusive.
'Stop being intrusive'? The nerve!
Also, the term 'DMARC + DKIM' doesn't actually make a lot of sense.
DMARC is a superset built atop either DKIM or SPF (or both).
> In the current state of my understanding of DMARC, SPF & DKIM, I
> have a hard time understanding flaming any of those protection
> mechanisms.
Well, I have no problem taking care of that need, in your absence.
No charge, sir.
> The only trouble I see here is that mailing lists have a long
> history of modifying email headers and/or content, and it has been
> deemed "normal" over years of doing so.
That's like saying the only trouble you see is that humans have a long
history of eating.
> Would you mind if I arbitrarily opened/modified your (private)
> postal mail or any written message from/to you?
This is an abuse of metaphor, and I'm having a difficult time believing
you aren't trolling.
Mailing lists are sophisticated remailer mechanisms. In postal mail
context, the proper metaphor would be an optional commercial service
you can send a letter to, where the letter would be photocopied and then
remailed to all of your friends. This isn't 'arbitrary'; the original
sender engages the services of the remailing mechanism. Nor is it
'private'.
When you signed up for Dng, you were aware that you were voluntarily
engaging the services of a software remailing service that would
generate slightly modified/augmented copies of your post and sending
those out to each of a list of subscribers, right? If you considered
that either 'arbitary' or 'private', then I suggest that you have badly
misunderstood the notion of a mailing list, and need to consider ceasing
to use them.
> My understanding might be incomplete. If so, please enlighten me &
> anyone interested, by all means.
Once.
If I have to do this a second time, we'll need to start talking about my
consulting rates.