Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Hector Santos <> Sun, 13 April 2014 04:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 72DE31A0261 for <>; Sat, 12 Apr 2014 21:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -98.702
X-Spam-Status: No, score=-98.702 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_16=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id xA4-unExsTsA for <>; Sat, 12 Apr 2014 21:37:16 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 41F2D1A025B for <>; Sat, 12 Apr 2014 21:37:15 -0700 (PDT)
DKIM-Signature: v=1;; s=tms1; a=rsa-sha1; c=simple/relaxed; l=1920; t=1397363825; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=RFtch09TUr0bzvdnzBjm+skNMSE=; b=LPtC+iEhuT7JPZb/lQjt bpWQEkJyfec6BKUU7bdLJ+jXeh2frovst+5bjM/9Q5qPGF+46ZfxbwbCiFgu+eSH X47n4UPPxTNGqZRKZZbFo1EGyDVGBzCuLuqqU52d3FoOVrHSpigsvBRNPeKhPHa5 xTt3BsfcVNb79tAwxgcjHQA=
Received: by (Wildcat! SMTP Router v7.0.454.4) for; Sun, 13 Apr 2014 00:37:05 -0400
Authentication-Results:; dkim=pass header.s=tms1; adsp=pass policy=all;
Received: from ( []) by (Wildcat! SMTP v7.0.454.4) with ESMTP id 472404240.9010.3640; Sun, 13 Apr 2014 00:37:04 -0400
DKIM-Signature: v=1;; s=tms1; a=rsa-sha256; c=simple/relaxed; l=1920; t=1397363761; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=vLGBLb3 kBulm1JTkU4I8v+3yhy+eh8Qj6Epn05rzWq8=; b=kS/gO5Hr8e3lOEzFYn1fivs DBJemYMXmINCkJop5bzKfFrTaYiArxy6gdmnEUza1uNWn/9rL9X4sB9abd0YISu+ IVWFufRZSSBLXeXnX5Esl5eMc9L5BNqGKnd4SVx/+0Alyvif0lLB4cV5k/UWUIiI J9IaT+bxnxxjc9E+DS4Y=
Received: by (Wildcat! SMTP Router v7.0.454.4) for; Sun, 13 Apr 2014 00:36:01 -0400
Received: from [] ([]) by (Wildcat! SMTP v7.0.454.4) with ESMTP id 491937328.9.8064; Sun, 13 Apr 2014 00:36:00 -0400
Message-ID: <>
Date: Sun, 13 Apr 2014 00:37:07 -0400
From: Hector Santos <>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Brian E Carpenter <>, Miles Fidelman <>
Subject: Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 13 Apr 2014 04:37:18 -0000

On 4/12/2014 6:23 PM, Brian E Carpenter wrote:
> Hi,
> In the DMARC draft, I noticed this:
>>   Descriptions of the PolicyOverrideTypes:
> ...
>>     mailing_list:  Local heuristics determined that the message arrived
>>        via a mailing list, and thus authentication of the original
>>        message was not expected to succeed.
> Could somebody explain what that means and whether it can be used to
> mitigate the current issue? Or are substantial changes needed
> in the fundamentals of DMARC?
> I assume the authors will be adding a discussion of this issue
> to the draft.
> Regards
>     Brian


The overall problem is that the middle ware, mailing list servers 
(MLS) need to change in order to support any DKIM optional add-on 
security policy layer.

If the MLS is going to break the integrity and resign the mail, it 
could not do this blindly without considering the submitting author 
domain security policy.

First it was SSP, then ADSP, now DMARC.  Same problem. Unless the 
middle ware supports this policy layer, they risk causing distribution 
problems at the ADSP and/or DMARC, policy-compliant downlinks.   This 
was one of the cited interop problem reasons why ADSP was made historic.

So its really a matter of getting wider support at the Mailing List 
Software or once again, like it was done for ADSP, promoting the idea 
of not supporting the p=reject feature of DMARC.

Keep in mind, this is really only a problem because a "public" domain, for some odd reason, use a DMARC p=reject and there 
is apparently mail distribution down links that support it.  The list 
servers blindly resigned the mail and there is no 3rd party support 
concept in place to handle it.

But it would be precisely what another domain like would 
want with its restrictive ADSP discardable and DMARC p=reject policies 
being used in a public mailing list.