Re: (DMARC) Why mailing lists are only sort of special

Dave Cridland <> Thu, 17 April 2014 06:35 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D813D1A0492 for <>; Wed, 16 Apr 2014 23:35:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Wmx893FaIXTR for <>; Wed, 16 Apr 2014 23:35:33 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c01::232]) by (Postfix) with ESMTP id 9F5B01A006D for <>; Wed, 16 Apr 2014 23:35:33 -0700 (PDT)
Received: by with SMTP id wn1so21571obc.37 for <>; Wed, 16 Apr 2014 23:35:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=i0+/2gn+06ogmXcGQLaHixSOo5YsLewtQgxNIgRSv8U=; b=WzYDPUwo5dXG/BKZka7IHbt6VhdMH3JeJ6ikvN6yoPAqFiTd5KXoAoXRTAQ44XmVpF W9NDPq+d2SOWuep5CIIMN0IXbjxEll8poUZlomCY8+q8csBYm/xqGlx14e1sAAwNhTZF 7ONJCxOaFOs/WwTskTWTVReobKiiPxRhyHl3M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=i0+/2gn+06ogmXcGQLaHixSOo5YsLewtQgxNIgRSv8U=; b=ZCYX2JMyCaSAOpeRIMJMnXiooENwQi7HGE91K1jlWmLFDaatcouBJEyKhIRZsNz6lY A2hk34+TDIBn3XwC1vMfYVx2ddE75aN9gg3cv5SDfS4lnAQ2Lt5kcNgyWaG+TlWhRcEQ LFdu5tqLxLwKKnLt1Rs7DYckFhfQqmjypQ7ItNmWGAf9mlN5mLH0s/gU+Cqx2+EzFZfl 8e+miuoWB4UagHi8+dWdNANVkzJyMNaQBlI7UEN0/6G2wSfg5zZqWh037G6B9KEmId6F ZYgrMHfQgdyzXztpILhvnrikwXPwCCj+lGRioSW2rrTfcHZbT4CeemAYsDEvDwNLHyah rnHw==
X-Gm-Message-State: ALoCoQlmUFa23sd2QJXLblZqVgMEjM3D0U4SpdZW/bljGSCIcqsXKio0qq452y2qnb8A8a7EqXcV
MIME-Version: 1.0
X-Received: by with SMTP id z6mr10422943oej.22.1397716530190; Wed, 16 Apr 2014 23:35:30 -0700 (PDT)
Received: by with HTTP; Wed, 16 Apr 2014 23:35:30 -0700 (PDT)
In-Reply-To: <alpine.BSF.2.00.1404161654430.2065@joyce.lan>
References: <> <20140414214949.32126.qmail@joyce.lan> <> <alpine.BSF.2.00.1404142150430.32657@joyce.lan> <> <alpine.BSF.2.00.1404151832460.38826@joyce.lan> <> <> <> <alpine.BSF.2.00.1404161654430.2065@joyce.lan>
Date: Thu, 17 Apr 2014 07:35:30 +0100
Message-ID: <>
Subject: Re: (DMARC) Why mailing lists are only sort of special
From: Dave Cridland <>
To: John R Levine <>
Content-Type: multipart/alternative; boundary=089e013c6856477fb004f7373de5
Cc: "" <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 17 Apr 2014 06:35:38 -0000

On 16 April 2014 21:57, John R Levine <> wrote:

> This means that mailing lists (and other forwarding cases) are enforced
>> into having DMARC records in order to forward DMARC originating messages,
>> which seems reasonable, and the Sender addresses must also be relatively
>> sensible, which they normally are already.
>  I may be missing something.
> How do I distinguish the nice mailing lists at from random evil
> spammer domains sending spam with List-ID headers?
> Every proposal I've seen like this ends up tripping over the fact that
> there is no technical way to distinguish between mail from real mailing
> lists and spam that looks like it's from mailing lists.  Hence you need a
> whitelist for the real mail, at which point all of the mechanism beyond the
> key for the whitelist (probably a DKIM signature) is superfluous.
There's no more need for whitelist here than on DMARC mail as things stand,
of course, but it does mean that senders need tracking as well as authors,
and senders need to be explicit and reliable. I'd assume reputation
services (of which whitelists are just an extreme case) would be in play

Let's consider the message to which I am replying.

Right now, my MUA treats this as a message "From John R Levine <>"t;". This means that any policy on the message origination
comes from looking solely at the domain. We'll pretend it has a
DMARC policy. Herein lies the Yahoo/DMARC issue, because unless your policy
essentially stipulates that the IETF is allowed to spoof you, we're stuck.

What I'm suggesting is not that, but that my MUA notes that the poloicy of allows different senders, and switches to considering the sender
domain - in this case, Any p or sp tag in the policy is
ignored, however, and treated as p=reject/sp=reject; in addition since has a DMARC policy, it must also have one to forward taugh.comemail.

My spam filtering now has two cases to consider: Firstly, it needs to
decide whether is behaving legitimately, and secondly whether I
want to read mail from you.

You can put it another way, too - my proposal is essentially saying that
the From dictates failure policy, reporting, and handling, but the Sender
is used for enforcement.

One additional thing is required from MUAs, though, which is to ensure the
UI clearly shows that the message is not sent by you (directly, at least);
this allows a human reader to easily see it's a mailing list message - or
for that matter easily see it's from an unexpected sender.