Re: DMARC: perspectives from a listadmin of large open-source lists

"John R Levine" <johnl@taugh.com> Tue, 08 April 2014 04:21 UTC

Date: 8 Apr 2014 00:21:46 -0400
Message-ID: <alpine.BSF.2.00.1404072357400.73388@joyce.lan>
From: "John R Levine" <johnl@taugh.com>
To: "Robin H. Johnson" <robbat2@gentoo.org>
Subject: Re: DMARC: perspectives from a listadmin of large open-source lists
In-Reply-To: <robbat2-20140408T031810-279861577Z@orbis-terrarum.net>
References: <robbat2-20140408T031810-279861577Z@orbis-terrarum.net>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: MULTIPART/signed; protocol="application/pkcs7-signature"; micalg=sha1; BOUNDARY="3825401791-2096504466-1396930907=:73388"
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/3UwUJEPPt3_ISgz5YtnX-NuSp1E
Cc: IETF general list <ietf@ietf.org>, zwicky@yahoo-inc.com

> differ from the envelope sender. That's why the extra DMARC header
> X-Original-Authentication-Results [1] is needed sadly :-(.

Several people have proposed that, but a few minutes' thought reveals that 
it wouldn't actually help, because bad guys can add fake X-O-A-R headers 
just as easily as good guys can add real ones.  You would have to track 
which forwarders are well behaved and add valid X-O-A-R headers, but if 
you can do that, you can skip the header analysis and just whitelist the 
mail from the well behaved forwarders.

Note that there are also well behaved things that don't pass DMARC and 
don't have any original authentication results to report, with the usual 
examples being mail-an-article at the NY Times and Wall Street Journal.

Tracking who is well behaved is quite hard.  You can't ask people to 
self-identify, since again, bad guys will lie.  I was under the impression 
that gmail tried to do it, but given the blizzard of bounces I've seen, 
apparently not.

> The problem described WILL vanish when all mailing list apps implement
> DMARC, but until then, it's really broken.

Mailing list apps can't "implement DMARC" other than by getting rid of 
every feature that makes lists more functional than simple forwarders. 
Given that we haven't done so for any of the previous FUSSPs that didn't 
contemplate mailing lists, because those features are useful to our users, 
it seems unlikely we'll do so now.

If receivers want to implement DMARC policy, they need to make their false 
alarm whitelist first.  This appears to be a substantial, perhaps 
insurmountable, hurdle.

> At the same time, delaying mass usage of the reject policy would limit
> damage.

Reject policy is fine for domains that don't have individual human users, 
or for companies with firm staff policies that all mail goes through the 
company mail server, and employees don't join mailing lists and the like 
using company addresses, or the company provides a separate less strictly 
managed domain for its staff mail. Strict policies will never be 
appropriate for public webmail systems where the users will use their mail 
addresses any way one can use a mail address.  Yahoo appears to understand 
most of this, viz. the different domain for Elizabeth's company mail.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
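
An added example, not part of the message above or of any mail software: a receiver-side sketch comparing three ways to handle mail that fails DMARC after forwarding, to show why an X-Original-Authentication-Results header contributes nothing beyond a forwarder allowlist. All domains, the allowlist and the sample messages are constructed, and the Authentication-Results header is assumed to be the one the receiver's own MTA added.

```python
from email import message_from_string

# Assumption: forwarders this receiver has itself observed to behave well.
TRUSTED_FORWARDERS = {"lists.example.org", "news.example.com"}

def parse_authres(value):
    """Parse 'authserv-id; method=result prop=val ...' into {method: (result, props)}."""
    parsed = {}
    for clause in (value or "").split(";")[1:]:      # first field is the authserv-id
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            parsed[method] = (result, dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return parsed

def local_view(msg):
    """(DMARC failed?, DKIM-verified forwarder domain), from the receiver's own header."""
    ar = parse_authres(msg["Authentication-Results"])
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))
    forwarder = dkim_props.get("header.d") if dkim_result == "pass" else None
    return ar.get("dmarc", ("none", {}))[0] == "fail", forwarder

def xoar_claims_pass(msg):
    """What the header says; anyone relaying the message could have written it."""
    xoar = parse_authres(msg["X-Original-Authentication-Results"])
    return xoar.get("dmarc", ("none", {}))[0] == "pass"

def accept_trusting_header(msg):          # believe any X-O-A-R header
    return not local_view(msg)[0] or xoar_claims_pass(msg)
def accept_header_from_trusted(msg):      # believe it only from allowlisted forwarders
    failed, fwd = local_view(msg)
    return not failed or (fwd in TRUSTED_FORWARDERS and xoar_claims_pass(msg))
def accept_allowlist_only(msg):           # ignore the header, use the allowlist alone
    failed, fwd = local_view(msg)
    return not failed or fwd in TRUSTED_FORWARDERS

def build(forwarder, xoar):
    """Constructed sample: From: a p=reject domain, relayed and DKIM-signed by `forwarder`."""
    text = ("Authentication-Results: mx.receiver.example; dkim=pass header.d=%s; "
            "dmarc=fail header.from=webmail.example\n" % forwarder)
    if xoar:
        text += ("X-Original-Authentication-Results: %s; dmarc=pass "
                 "header.from=webmail.example\n" % forwarder)
    return message_from_string(text + "From: user@webmail.example\n\nbody\n")

SAMPLES = {"honest list": build("lists.example.org", True),
           "forged header": build("bulk.example.net", True),
           "mail-an-article": build("news.example.com", False)}

def verdicts(policy):
    return {name: policy(msg) for name, msg in SAMPLES.items()}
```

Trusting the header lets the forged message through, restricting it to allowlisted forwarders drops the mail-an-article case that has no original results to report, and the allowlist alone gets all three right, so the hard part remains building the allowlist.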