Re: What I've been wondering about the DMARC problem

Sabahattin Gucukoglu <> Fri, 18 April 2014 18:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CF42E1A03C9 for <>; Fri, 18 Apr 2014 11:33:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.601
X-Spam-Status: No, score=-3.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RsGn3-veD5qO for <>; Fri, 18 Apr 2014 11:33:48 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id F38A91A0220 for <>; Fri, 18 Apr 2014 11:33:47 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; CHARSET=US-ASCII
Received: from [] ( []) by (Oracle Communications Messaging Server 7u4-27.08( 64bit (built Aug 22 2013)) with ESMTPSA id <> for; Fri, 18 Apr 2014 18:33:43 +0000 (GMT)
Subject: Re: What I've been wondering about the DMARC problem
From: Sabahattin Gucukoglu <>
In-reply-to: <>
Date: Fri, 18 Apr 2014 19:33:39 +0100
Message-id: <>
References: <> <> <> <> <> <> <> <> <> <> <>
To: Theodore Ts'o <>
X-Mailer: Apple Mail (2.1510)
X-CLX-Spam: false
X-CLX-Score: 1011
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.96, 1.0.14, 0.0.0000 definitions=2014-04-18_01:2014-04-18, 2014-04-18, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1404180313
Cc: Jim Fenton <>, IETF discussion list <>
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Apr 2014 18:33:50 -0000

On 17 Apr 2014, at 21:53, Theodore Ts'o <> wrote:
> Suppose we made the mailing list software take the contents of the
> From field, and moved it to something like "X-Originally-From: ", and
> changed the From field to be "".org".  That would be what the
> DMARC people would want, right?

Probably.  I mean, the alternative is to upgrade DMARC so it recognises the Originally-From field as From when it is present, but that would actually require maintaining compatibility with decades-old software which didn't know that From was the arbiter of all truth. :)

> Except then, a couple of years later, because users might actually
> want to find the message that was written by "Brian Carpenter", or
> "Sabahattin Gucukoglu", and not from "".org", MUA's might
> start using the Originally-From field in the summary field, and start
> emphasizing the "Originally-From" from field in the UI.  At which
> point, the spammer/scammer/whatever could start forging the the
> "Originally-From" field, and then Lo!  There will be a DMARC II,
> demanding that "Originally-From" field be aligned with the From field,
> and we're right back to where we started.
> It was the same argument about why a DKIM or DMARC couldn't just
> verify the Sender field, and call it a day.  The problem is that the
> From field is what people pay attention to.


Of course, if we're starting just now, there's something we could try differently: write it into Internet law that "NO MUA SHALL PROMOTE FOO TO THE DEFAULT HEADER DISPLAY", where "foo" is whatever we come up with.  Then MUA software, when presented with a known-good and known-aligned authentication results for From: could start displaying the green bar or whatever nonsense they come up with to signal that all is good, just so long as the part to the right of the @ is the domain the user thought the mail was really from.  However the MUA could continue to provide conveniences such as address autocomplete, address book memorisation, search or reply that were all using our new foo.

> And this is true of whatever solution we want to better support
> mailing lists.  Suppose the answer is to rewrite the from field to
> something like this:
> From:
> Or this:
> From: (Originally from Brian E Carpenter:
> It doesn't matter.  Eventually, the UA's will start emphasizing and
> parsing out the original From field information, because that's what
> people will want to be automatically added to their address book, and
> not, and that's what they will want to see in their
> e-mail summary.  And then the DMARC folk will say, "Oh, Noes!
> Spammers and scammers and bears, oh my!  They are using this loophole
> to fool the naive user."  We must have DMARC II... and DMARC
> III.... and DMARC IV.... and it will never end.

Indeed.  Of course, none of that helps the mailing lists of yesteryear, I mean today.  Right now, we're all screwed without one of these hacks. :(