Re: DMARC methods in mailman --- [LEDE-DEV] DMARC related mass bounces / disabled subscriptions (fwd) Jo-Philipp Wich: [LEDE-DEV] DMARC related mass bounces / disabled subscriptions

Theodore Ts'o <> Sat, 17 December 2016 15:15 UTC

On Sat, Dec 17, 2016 at 03:20:17PM +0200, Yoav Nir wrote:
> It’s hard to move the pain in a predictable way. If I send you an
> email message and it’s not delivered or gets mangled or goes in your
> spam folder, who feels the pain? That depends on which of us needs
> the email more.

The primary problem is that DMARC is fundamentally flawed, and was not
enacted using a standards process that respected all of the
stakeholders.  As a result, it fundamentally becomes a matter of power.

If there are a bunch of people who need to participate in a particular
mailing list --- say, IETF mailing list or the Linux Kernel
development lists --- more than they need to stick with a particular
mail provider, it becomes possible to say to them, "you want to
participate in our community?  Change mail providers."

In the cases where a mailing list community badly needs the Yahoo
users, Yahoo can dictate to the mailing list --- change your mailing
list software and inflict pain on all of your mailing list users, or you
don't get access to our e-mail user community.

> The group you want to feel the pain are the administrators who add
> DMARC records, but other than spamming them with error reports,
> there’s not much we can do. I don’t think the administrators at
> Yahoo care too much whether their users are able to use IETF mailing
> lists or not.
> As a proxy we can “punish” those senders who have a DMARC record for their domain.
> If we do nothing, their messages sometimes get lost. They have real
> problems participating effectively in the IETF unless they switch to
> using gmail or hotmail accounts like many of us have already
> done. But that gives us pain as well because we’re missing messages
> as long as they keep using their own accounts.

Yeah, it's the "sometimes mail gets lost" problem which is the main
issue.  So it might actually be better to have the mailing list
software refuse to accept a mailing list posting from a domain with a
DMARC record, and it can be bounced back to the sender immediately
with a "sorry, try again using some e-mail address that does not have
DMARC support".

But again, doing this fundamentally is a game of power politics ---
just as DMARC being inflicted on the entire e-mail ecosystem was a
matter of power politics.


					- Ted

> If we apply the mitigations only to such accounts, we solve the
> bounce issue, but then depending on the solutions we poison some of
> the other participants’ email addresses, or we make the UI show
> weird unhelpful things. Seems like everybody else gets the pain.
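
The posting gate suggested in the reply above (refuse a post whose From domain publishes a DMARC record and bounce it to the sender at once), written out as an added example; it is not Mailman code and not from anyone in the thread. The DNS data is constructed, `parse_dmarc` and `gate_posting` are hypothetical names, and the organizational-domain fallback of RFC 7489 is left out.

```python
from email.utils import parseaddr

# Constructed TXT answers for _dmarc.<domain>; a real gate would query DNS.
SAMPLE_TXT = {
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:agg@strict.example"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
    "_dmarc.junk.example": ["some unrelated text record"],
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    # RFC 7489: a DMARC record must start with the tag v=DMARC1.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def gate_posting(from_header, resolver=SAMPLE_TXT.get, only_enforcing=False):
    """Decide whether the list accepts a post; returns (accepted, reason).

    Default mode refuses any domain with a DMARC record, as proposed in
    the message. only_enforcing=True (an added variation) lets p=none
    through, since that policy does not ask receivers to drop mail.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False, "no usable From address"
    domain = addr.rpartition("@")[2].lower()
    for txt in resolver("_dmarc." + domain) or []:
        tags = parse_dmarc(txt)
        if tags is None:
            continue  # unrelated TXT record at the same name
        policy = tags.get("p", "none").lower()
        if only_enforcing and policy == "none":
            return True, "DMARC p=none: accepted"
        return False, (f"{domain} publishes DMARC (p={policy}); "
                       "repost from an address without DMARC")
    return True, "no DMARC record"

if __name__ == "__main__":
    for sender in ("Alice <alice@strict.example>", "bob@monitor.example",
                   "carol@junk.example", "dave@plain.example"):
        print(sender, "->", gate_posting(sender))
```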