:: Re: [DNG] Again, again: DMARC is a…
Top Page
Delete this message
Reply to this message
Author: Rick Moen
Date:  
To: dng
Subject: Re: [DNG] Again, again: DMARC is a no-win problem for mailing lists (was: Can we fix this DMARC thing?)
Quoting spiralofhope (spiralofhope@???):

> If an email address successfully receives a few emails but then gets
> automatically unsubscribed later, could this be why?


That would be a possible reason (but not on this mailing list since the
implementation of DMARC migitation a bit over a year ago).

GNU Mailman records the fact of it incrementing a
subscriber's 'bounce score' (and eventually disabling subscription
delivery, and then as a later stage unsubscribing, if bounce score
remains persistently[0] high) into log file /var/log/mailman/bounce,
which is world-readable for command-line users on the Mailman server.
However, that log doesn't include the reason for the 'bounce', in part
because Mailman is a bit of a dunce about such things[1], so researching
the exact reason then requires also that a site admin look through the
logs for the MTA associated with Mailman.

> (Or would problematic settings means that no emails would ever be
> received in the first place?)


Your question's a bit vague. (a) If Mailman cannot reach a would-be
subscriber by mail, then the person will be, by definition, unable to
complete the three-way handshake process required to subscribe.

(b) As a reminder, the typical scenario you are discussing (as quoted
near the top of this post) involves adverse consequences _not_ primarily
to the subscriber whose domain has an aggressive DMARC policy, but rather
some other subscribers. Illustration:

Imagine two subscribers to Dng; call them Gmail User and Yahoo User.
One day, Yahoo User posts a valid posting to a Dng thread. Mailman
receives it, and attempts to re-mail copies out through its local MTA
to each Dng subscriber of record, including Gmail User. Because GMail
enforces at the time of receipt the declared DMARC policies of what is
asserted to be the source domain of an arriving mail, and because
yahoo.com has an r=reject DMARC policy and its declared roster of
authorised origins for yahoo.com mail doesn't include Dng's MTA host,
Gmail 55x-rejects Gmail User's copy. He/she never sees Yahoo User's
posting. Worse, Mailman takes note of the 55x rejetion, and increments
GMail User's bounce score, in effect sanctioning Gmail User for
Yahoo User's domain's (IMO) problem-causing antiforgery procedures.

After a few such incidents, Gmail User gets his/her delivery disabled
and eventually unsubscribed. Back in the latter half of 2018, this
happened a few times and I observed people complaining to Golinux,
who was in fact not in a position to read the MTA logs, hence they
were complaining to the wrong party and basically shouting at the
clouds.

(IMO, it really didn't help that a whole lot of folks here are desktop
computer users afflicted with what I call helpdesk mentality, where one
imagines problems get solved by people complaining rather than doing
relevant analysis.)


[0] There's some logic to expire out a user's bounce score after
something like a month.

[1] E.g. Mailman doesn't even try to parse 45x and 55x DSNs the outbound
MTA receives when the MTA attempts to deliver a particular subscriber's copy
of a mailing list posting. Mailman just notes in its log that a
'bounce' event occurred and increments the user's bounce score,
irrespective of what caused the non-acceptance.