RE: What I've been wondering about the DMARC problem

"MH Michael Hammer (5304)" <MHammer@ag.com> Tue, 15 April 2014 20:10 UTC

From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: Hector Santos <hsantos@isdg.net>, IETF Discussion <ietf@ietf.org>
Subject: RE: What I've been wondering about the DMARC problem
Thread-Topic: What I've been wondering about the DMARC problem
Date: Tue, 15 Apr 2014 20:10:17 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B0507D4742B@USCLES544.agna.amgreetings.com>
In-Reply-To: <534D8D05.3090601@isdg.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/G4D8RJDvTc4aRbjAAZx-RUdeHMY


> -----Original Message-----
> From: Hector Santos [mailto:hsantos@isdg.net]
> Sent: Tuesday, April 15, 2014 3:48 PM
> To: MH Michael Hammer (5304); IETF Discussion
> Subject: Re: What I've been wondering about the DMARC problem
> 
> On 4/15/2014 2:16 PM, MH Michael Hammer (5304) wrote:
> >
> > Just curious, what sort of statement would you like to see? How would it
> help with vendor planning decisions?
> 
> I think the one provided here, although a link via tumblr, appears to be the
> official Yahoo position and sufficient:
> 
> http://yahoomail.tumblr.com/post/82426900353/yahoo-dmarc-policy-change-what-should-senders-do
> 

It sounded like you were looking for something more.

> 
> > I'm looking forward to hearing your thoughts and questions and I'm sure
> others do as well. Is this list the best place for this or is there somewhere else
> more appropriate?
> >
> 
> I don't think the IETF-LIST would be the appropriate place. I would think Dave
> and Murray would take lead here, as the current IETF "reps"
> on DMARC.
> 

If it is DMARC related then IETF-DMARC or DMARC-DISCUSS would probably be the appropriate places. If it is specific to MLM related issues and how they might be addressed, I'm not sure and would defer to others as to the best place for discussions.

> > Hector, Yahoo implemented the change a week ago Friday, not 4 months
> > ago. I'm sure they have received complaints.
> 
> This is a January 10, 2014 transaction for one of the yahoo.com subscribers to
> our support list getting a copy of a yahoo.com user mail submission:
> 

Ah, you are talking about validating inbound email, not the outbound p=reject policy. Yahoo started validating over 2 years ago as did the other DMARC participating mailbox providers. I'm aware of other mailbox providers that are validating against DMARC but I'm not aware of a list of them that is available.

> **********************************************************************
> Wildcat! ESMTP Server v7.0.454.4
> SMTP log started at Fri, 10 Jan 2014  22:06:21 Connection Time: 20140110
> 22:06:21  cid: 00000000 tid: 144C SSL Enabled: YES Message Queue:
> d:\spool\santronics\smtp\47446W
> Destination: ##############@yahoo.com
> Mail Host IP: 98.136.216.26:25 (mta6.am0.yahoodns.net) Attempt #1
> LastAttempt: n/a
> 22:06:21.471 ** Opening Connection to host: mta6.am0.yahoodns.net ip:
> 98.136.216.26:25
> 22:06:21.668 S: 220 mta1089.mail.gq1.yahoo.com ESMTP ready
> 22:06:21.669 C: EHLO secure.winserver.com
> 22:06:21.770 S: 250-mta1089.mail.gq1.yahoo.com
> 22:06:21.770 S: 250-PIPELINING
> 22:06:21.770 S: 250-SIZE 41943040
> 22:06:21.770 S: 250-8BITMIME
> 22:06:21.770 S: 250 STARTTLS
> 22:06:21.770 C: MAIL FROM:<listadmin-winserver@winserver.com>
> 22:06:21.884 S: 250 sender <listadmin-winserver@winserver.com> ok
> 22:06:21.884 C: RCPT TO:<lonehorseman82@yahoo.com>
> 22:06:21.987 S: 250 recipient <lonehorseman82@yahoo.com> ok
> 22:06:21.987 C: DATA
> 22:06:22.087 S: 354 go ahead
> 22:06:23.179 S: 554 5.7.9 Message not accepted for policy reasons.
> See http://postmaster.yahoo.com/errors/postmaster-28.html
> 22:06:23.180 C: QUIT
> 22:06:23.180 ** Completed. Elapsed Time: 1700 msecs
> 
> It's repeated for the other three yahoo.com users during a submission and it's
> recorded in the last four months of logs.  Only yesterday did a customer post
> a support message that he was now seeing it in his Wildcat!
> List Server setup and logs.  There might have been earlier reports but I didn't
> see them.
> 
> >> I can see additional DMARC extensions for other advancements, but the
> >> main one is about managing 3rd party authorized domain to satisfy the
> >> "signing/sent on behalf of" design need that yahoo says is required:
> 
> > On one level there already are ways for satisfying the 3rd party authorized
> domain issue. A domain could use SPF (either by specifying hosts/IPs or using
> an include in the SPF record) for a 3rd party domain. Another method would
> be to provide DKIM signing keys to the 3rd party. Yet a 3rd way is to delegate
> a subdomain so that the 3rd party can manage these things on their own.
> There are some best practice documents published at maawg.org that might
> be useful. If what you mean is a mechanism to specify random 3rd parties
> that an end user wishes to use, then no there is not a mechanism and I don't
> know of anyone who has put forth what I would consider a workable model.
> >
> 
> I have to begin reading the DMARC spec to see what all the boundary
> conditions are, but it means basically being able to answer mail operation policy
> questions such as:
> 
>    o  Does the domain ever distribute mail?
>    o  Do you expect the mail to be unsigned?
>    o  Do you expect to sign all mail?
>    o  Is your domain the exclusive signer?
>    o  Are 3rd party signers allowed?
>    o  Are 3rd party signers allowed to strip your original signatures?
> 
> This is an illustration of the logical flow when SSP defined policies were used
> to answer the above questions.
> 
>    http://www.winserver.com/public/ssp/ssp.htm
> 

Don't think SSP when you look at DMARC. There are only 3 basic settings for a sender publishing a DMARC record. I don't want to be accused of shilling for DMARC here so if you have questions it is probably better for you to go to one of the DMARC related lists or contact me offline.

> >>      "Yahoo requires external email service providers, such as
> >>       those who manage distribution lists, to cease using unsigned
> >>       “sent from” mail, and switch to a more accurate “sent on
> >>       behalf of” policy."
> >>
> >> What is this so called "more accurate" method?
> >>
> >
> > Not sure exactly what he means.
> 
> The 5322.From rewrite suggestion?
> 

Possibly; I hate guessing on something like that.

Mike
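The 554 5.7.9 rejection in the quoted SMTP log is what a DMARC p=reject policy produces when a mailing list relays a message and neither SPF nor DKIM aligns with the author's From domain. The following worked example is added here and is not code from the thread or from any party to it: it parses a constructed DMARC record (not Yahoo's actual record) and evaluates identifier alignment for that relay scenario, with the domains taken from the log and the broken DKIM result assumed.

```python
# Added example (not from the thread): evaluate DMARC alignment for a
# list-relayed message, showing why the relay in the quoted log is rejected.
# The DMARC record and message facts below are constructed, not Yahoo's.
import re

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...' into tag/value pairs; relaxed alignment by default."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organizational domain
    # (a real implementation consults the public suffix list).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') requires an exact match; relaxed ('r') matches the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_domain, spf_pass, dkim_results):
    """dkim_results: list of (d= domain, passed). Returns (action, reason).

    DMARC passes if either SPF or DKIM both authenticates AND aligns with the
    RFC5322.From domain; otherwise the record's p= policy applies."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(ok and aligned(from_domain, d, tags["adkim"])
                  for d, ok in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM")
    return tags["p"], "no aligned authenticated identifier"

# Constructed scenario matching the quoted log: the list relays a yahoo.com
# author's post with MAIL FROM in the list's own domain (SPF passes for
# winserver.com, but that is not the From domain), and the list's changes
# to the message broke the author's yahoo.com DKIM signature.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
RELAYED = dict(from_domain="yahoo.com", spf_domain="winserver.com",
               spf_pass=True, dkim_results=[("yahoo.com", False)])

if __name__ == "__main__":
    print(dmarc_disposition(RECORD, **RELAYED))  # ('reject', ...)
```

Changing the From header to the list's domain (the "5322.From rewrite" mentioned above) or having the list sign with a key published under a subdomain the author's domain delegates would make one identifier align and turn the result into a pass.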