RE: DMARC and yahoo

Christian Huitema <> Mon, 21 April 2014 01:00 UTC

From: Christian Huitema <>
To: Doug Barton <>, "" <>
Subject: RE: DMARC and yahoo
Date: Mon, 21 Apr 2014 01:00:17 +0000

> The issue with and DMARC is not the users' ability 
> to receive mail, it's their ability to send mail to the list with From: 
> * and have it be received by list subscribers who implement 
> strict DMARC policies which honor Yahoo!'s p=reject.
> It's not clear how setting the users to digest mode helps 
> this situation at all.

It probably does not. Trying to analyze the various positions with a cool head, the obvious conclusion is that hard problems don't have easy answers.

The current mailing list practice has the mailing list as sender, and the original message composer described in the From field. The receiver sees something like:

   Sender: ietf <> 
   From: Christian Huitema <> 

Of course, that particular construct could easily be abused. A phishing message does not differ much from a mailing list message:

   Sender: postmaster <> 
   From: Christian Huitema <> 

I understand that the DMARC "alignment" policy is meant to protect against that by requesting that sender domain and from field match. The problem is that a mailing list would then have to invent a new from field, letting the recipient see something like:

   From: Christian Huitema <>
   Reply-To: Christian Huitema <>

The obvious issue is that this particular construct is also quite friendly to phishing. The phishing message would look like:

   From: Christian Huitema <>
   Reply-To: Christian Huitema <>

If we teach users to ignore the bizarre email address for the mail list messages, we are also teaching them to ignore the bizarre email address in the phishing messages. I doubt that this was the intent of the DMARC authors. 

-- Christian Huitema

(I wrote a longer version of this email at
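
An added illustration, not part of the original message: a simplified relaxed-mode DMARC alignment check (RFC 7489 compares the From: domain with the SPF-authenticated MAIL FROM domain and the DKIM d= domain), run over the four header constructs discussed above. All domains, policies and authentication results are constructed, and the two-label organizational-domain rule is an assumption standing in for a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policies, standing in for the _dmarc.<domain> DNS lookups.
POLICY = {"author.example": "reject", "list.example": "none",
          "unrelated.example": "none"}

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain;
    # real evaluators consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def from_domain(raw):
    # Domain part of the address in the From: header.
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rpartition("@")[2]

def evaluate(raw, spf_domain, dkim_domains):
    """Return 'pass' if any authenticated domain aligns with From:,
    otherwise the disposition requested by the From: domain's policy."""
    author = org_domain(from_domain(raw))
    authenticated = list(dkim_domains) + ([spf_domain] if spf_domain else [])
    if any(org_domain(d) == author for d in authenticated):
        return "pass"
    return POLICY.get(author, "none")

def message(*headers):
    return "\n".join(headers) + "\n\nbody\n"

DIRECT = message("From: Alice <alice@author.example>")
VIA_LIST = message("Sender: list <list-bounces@list.example>",
                   "From: Alice <alice@author.example>")
REWRITTEN = message("From: Alice via list <list@list.example>",
                    "Reply-To: Alice <alice@author.example>")
UNRELATED = message("From: Alice <alice@unrelated.example>",
                    "Reply-To: Alice <alice@author.example>")

def run_cases():
    return {
        "direct": evaluate(DIRECT, "mail.author.example", ["author.example"]),
        # The list re-sends under its own envelope and signature; the
        # author's DKIM signature is assumed broken by the list footer.
        "via_list": evaluate(VIA_LIST, "list.example", ["list.example"]),
        "rewritten": evaluate(REWRITTEN, "list.example", ["list.example"]),
        "unrelated": evaluate(UNRELATED, "unrelated.example", []),
    }

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name:10} {result}")
```

The last two cases both pass: alignment only ties the From: domain to an authenticated domain and says nothing about the display name or the Reply-To address.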