Re: (DMARC) Why mailing lists are only sort of special

Dave Cridland <> Wed, 16 April 2014 20:38 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BEE041A02CF for <>; Wed, 16 Apr 2014 13:38:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.178
X-Spam-Status: No, score=-0.178 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_14=0.6, J_CHICKENPOX_16=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zYaviA2z6GLg for <>; Wed, 16 Apr 2014 13:38:30 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c01::235]) by (Postfix) with ESMTP id DDA3B1A0286 for <>; Wed, 16 Apr 2014 13:38:29 -0700 (PDT)
Received: by with SMTP id gq1so3106150obb.40 for <>; Wed, 16 Apr 2014 13:38:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=uN8scRpVelamP1G8MGECs85u6bzB+Hg/07AkZp5mCZY=; b=Hkn4NFH6PxAWiFZRSd+A8Cm9huvznG5+cCvUfHxhf9aKd7+oBGJpdXvEwMxPHW7xqg N94meYJ5gTF/oV+i1Y75gRyGqouwSBv7JwyFXxWCjRhvjvUmSacgNgup7VK/7J4zfp8i UHdLiNvF9XeAlw7C6kF/oOYBw9gPWsab4Ot6c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=uN8scRpVelamP1G8MGECs85u6bzB+Hg/07AkZp5mCZY=; b=Yh/RnyxAYPHN5nkqk1iFOioH3tI0D6sqeXdjrsRU6PTqdla7IQQrd2Y8W23NOwyJbS A4xG8jjurCmt+6v8gzZ5t9ULA3Wc6NMuqZdtTE1CV8uQ9zmroyVAgl3E49KAEYjiyore Qsk4tmzuu1MB+9jfXenoybMt+Ir1ApnL7o0JcNsXKsiyaBtu4Bi5zgFetaML6Q1XbB1f d2Q+a29fOgJ4Bo3E4c7siQirgnTEanVrgw6H2i9Rki1Qi7c2tzRzlFQXIUtdxWbQcjBU le607/20FbENTybjNK9ELFu1sH0qxf1VnMUHjzbzMMSSbMancA6o5H9xFHu3/dsblr/s sQNA==
X-Gm-Message-State: ALoCoQlup3cH+xhzQxsDZ81KlRtIGq/cWi1IeUaQcGsMOYZyRTWg1M9OR/QN4PxujCsNIs8KoHXT
MIME-Version: 1.0
X-Received: by with SMTP id wo10mr8399902oeb.9.1397680706373; Wed, 16 Apr 2014 13:38:26 -0700 (PDT)
Received: by with HTTP; Wed, 16 Apr 2014 13:38:26 -0700 (PDT)
In-Reply-To: <>
References: <> <20140414214949.32126.qmail@joyce.lan> <> <alpine.BSF.2.00.1404142150430.32657@joyce.lan> <> <alpine.BSF.2.00.1404151832460.38826@joyce.lan> <> <>
Date: Wed, 16 Apr 2014 21:38:26 +0100
Message-ID: <>
Subject: Re: (DMARC) Why mailing lists are only sort of special
From: Dave Cridland <>
To: "Murray S. Kucherawy" <>
Content-Type: multipart/alternative; boundary=047d7bd6c5e803980604f72ee6ce
Cc: John R Levine <>, "" <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Apr 2014 20:38:33 -0000

On 16 April 2014 21:01, Dave Cridland <> wrote:

> Unfortunately, the only option I thought was possibly available isn't
> permissible by the specification - therefore, the only solution involves
> alterations to the deployed base, which has been ruled impossible for over
> a year now.
Oh, I tell a lie, it's just not where I expected, and not quite as nice as
I'd hoped.

So I think what needs to happen is that a new policy of "sender-reject" or
something is allowed, which is essentially deferring to the sender, so
receivers would check:

1) The sender exists and is valid.

2) The mail has a valid DKIM signature from the sender and otherwise
complies with the published DMARC policy.

3) Any such policy is treated as p=reject

That is, if I have a mailing list at "".org", and a
p=forward-or-reject then my recipients would check for a as
well, but ignore any p=, and treat as p=reject.

This means that mailing lists (and other forwarding cases) are enforced
into having DMARC records in order to forward DMARC originating messages,
which seems reasonable, and the Sender addresses must also be relatively
sensible, which they normally are already.

In fact, this case handles even people using with their Yahoo
address sending messages to mailing lists, I think.

Note that the problem is that existing DMARC deployments which don't know
about sender-reject will either treat is as p=none - if there's a rua
listed - or "take no action", and I've not looked into this enough to
decide what that means.

So for Yahoo, should they implement this change, would effectively take a
backwards step to p=none until the DMARC deployments caught up, which would
be a little confusing to mailing list operators, but at least safe.

The alternative would be to add a new tag indicating this kind of deferral
to the sender; unknown tags are ignored, so this would behave like a reject
until software was updated. The problem with that is that it'd be very
unpredictable whether messages would pass or not; for mailing lists, which
typically drop subscribers after a certain number of failed deliveries, I
think it'd remain a huge problem.

In either case, there would be a knock-on to UAs, which would need to show
in the UI that the message had been forwarded - gmail does this with it's
"via", for example, so I don't think this is onerous.

I may be missing something.