Re: DMARC: perspectives from a listadmin of large open-source lists

S Moonesamy <> Tue, 08 April 2014 19:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 49FEC1A04B8 for <>; Tue, 8 Apr 2014 12:29:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.272
X-Spam-Status: No, score=-2.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id boL4D5yLRXp0 for <>; Tue, 8 Apr 2014 12:29:06 -0700 (PDT)
Received: from ( [IPv6:2001:470:f329:1::1]) by (Postfix) with ESMTP id C908D1A023B for <>; Tue, 8 Apr 2014 12:29:06 -0700 (PDT)
Received: from ([]) (authenticated bits=0) by (8.14.5/8.14.5) with ESMTP id s38JSsAr026935 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 8 Apr 2014 12:29:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1396985345; bh=LaiKApddjJQ82dfwyU36hlvf9gGbGjFDrMaNSGJiRZY=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=l5X4/uAjGFsSaEJ2ds6G70AXbM4nvnuUx4sjk6ab70/eWVCCxhvK5IpqAwbY8MH9D dfotVnEvrvrM5HrX4w+4maRQJm4GTkbT7gQVuqLgNFJ97kJQs5IEFU6UNnVSHanhFe lNV2cIgofGH0JvNgCrWzlu2GeA88JRFMf55yh+Os=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1396985345;; bh=LaiKApddjJQ82dfwyU36hlvf9gGbGjFDrMaNSGJiRZY=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=C6g2SkSyQF70MZsG/qAQCYhr1LZolgAVe06G6NoehwM8Ndx+Jsj9TxstShrSAorMi 0ST2vmf+Z7yvu3GOYCFqSPyuWIkeDEz+yIdAKXsoX66D7RF4ToN2g9N0P+KZfO9U6Q 2ctvRy1aniU0zuGQTtUxuwCZC0YGHgwrQM3K0cMc=
Message-Id: <>
X-Mailer: QUALCOMM Windows Eudora Version
Date: Tue, 08 Apr 2014 11:55:58 -0700
To: "John R Levine" <>
From: S Moonesamy <>
Subject: Re: DMARC: perspectives from a listadmin of large open-source lists
In-Reply-To: <alpine.BSF.2.00.1404081325130.76892@joyce.lan>
References: <> <alpine.BSF.2.00.1404072357400.73388@joyce.lan> <> <> <alpine.BSF.2.00.1404081325130.76892@joyce.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Apr 2014 19:29:11 -0000

Hi John,
At 10:34 08-04-2014, John R Levine wrote:
>I've never been a big fan of RFC 6377, but this bit seems relevant 
>since strict ADSP policies had pretty much the same problems as 
>strict DMARC policies.

Strict ADSP policies do cause problems.

>    For domains that do publish strict ADSP policies, the originating
>    site SHOULD use a separate message stream (see Section 2.5), such as
>    a signing and Author subdomain, for the "personal" mail -- a
>    subdomain that is different from domain(s) used for other mail
>    streams.  This allows each to develop an independent reputation, and
>    more stringent policies (including ADSP) can be applied to the mail
>    stream(s) that do not go through mailing lists or perhaps do not get
>    signed at all.
>As far as I know, the "participating MLM" thing has never been 
>implemented, which makes the C in BCP rather suspect.  My own MLM 
>signs the outgoing mail and adds an Authentication-Results: header, 
>but largely by default because it's embedded in a mail system that 
>does those things.

There was a message stating that the IETF implemented support for 
).  Given that there is an existing BCP about DKIM and mailing lists 
it might be assumed that the IETF is following it.  There is a 
recommendation in the BCP to reject some types of messages.

My mailing list implementation does not break DKIM signatures.  I 
would not describe it as a "participating MLM" as the postmaster does 
not follow some of the recommendations in that BCP. :-)

>Just today I did modify it so that any list mail with a From: 
>address is rewritten to  That's the 
>least intrusive way I've been able to come up with to mitigate the 
>damage. It's also similar to what RFC 6858 suggests for delivering 
>EAI mail to systems that can't handle EAI, which is a vaguely similar problem.

I found some other domains which implemented DMARC as described at  I 
suggest taking that into account if you haven't already done it.

S. Moonesamy
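Added example, not code from any participant in this thread: it works through the two mechanics the exchange above turns on, whether a mailing list's change to a message invalidates the author's DKIM body hash (bh=, RFC 6376 "simple" body canonicalization), and the From: rewrite for authors whose domain publishes a strict DMARC policy, modelled on the mitigation John Levine describes. The DMARC policy table stands in for a live `_dmarc.<domain>` TXT lookup, the sample message and list footer are constructed, and the signature header built over the sample body carries a placeholder `b=` because only the body hash is checked, not the RSA signature. The `DKIM-Signature` parsed at the top is this message's own header as the archive shows it (its `d=` value was elided there).

```python
"""Added example for the DKIM/DMARC list-admin discussion above. Not code
from the thread's participants; the DMARC policy table, sample message and
footer are constructed. It shows (1) recomputing a DKIM bh= under 'simple'
body canonicalization to see whether a list's body change breaks the
author's signature, and (2) a From: rewrite for authors under a strict
DMARC policy, modelled on the mitigation described in the thread."""
import base64
import hashlib
from email import message_from_bytes
from email.utils import formataddr, parseaddr

# DKIM-Signature from this very message as archived (d= was elided there).
PAGE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple;; s=mail2010; t=1396985345; "
    "bh=LaiKApddjJQ82dfwyU36hlvf9gGbGjFDrMaNSGJiRZY=; "
    "h=Date:To:From:Subject:Cc:In-Reply-To:References; "
    "b=l5X4/uAjGFsSaEJ2ds6G70AXbM4nvnuUx4sjk6ab70/eWVCCxhvK5IpqAwbY8MH9D "
    "dfotVnEvrvrM5HrX4w+4maRQJm4GTkbT7gQVuqLgNFJ97kJQs5IEFU6UNnVSHanhFe "
    "lNV2cIgofGH0JvNgCrWzlu2GeA88JRFMf55yh+Os="
)


def parse_dkim_signature(value: str) -> dict:
    """Split a DKIM-Signature tag-list (RFC 6376 3.2) into a dict. Folding
    whitespace inside b= and bh= carries no meaning, so it is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:          # empty segment such as the ';;' above
            continue
        name, val = part.split("=", 1)
        name, val = name.strip(), val.strip()
        if name in ("b", "bh"):
            val = "".join(val.split())
        tags[name] = val
    return tags


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: drop empty lines at the
    end of the body and end it with exactly one CRLF (empty body -> CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, algorithm: str = "rsa-sha256") -> str:
    """base64(hash(canonicalized body)), the value a signer writes into bh=."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(simple_body_canon(body)).digest()).decode()


def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    """True when the body as received still hashes to the signer's bh=."""
    tags = parse_dkim_signature(dkim_header)
    canon = tags.get("c", "simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple" or "l" in tags:
        raise NotImplementedError("only c=*/simple without l= is handled here")
    return body_hash(body, tags.get("a", "rsa-sha256")) == tags["bh"]


def author_signature_survives_from_rewrite(dkim_header: str) -> bool:
    """False when From: is among the signed headers (h=): rewriting it voids
    the author's signature, so the list has to re-sign under its own domain."""
    signed = {h.strip().lower() for h in parse_dkim_signature(dkim_header)["h"].split(":")}
    return "from" not in signed


# Constructed stand-in for a DNS TXT lookup of _dmarc.<domain>.
DMARC_POLICIES = {"example.com": "reject", "example.org": "quarantine"}


def dmarc_policy(domain: str) -> str:
    return DMARC_POLICIES.get(domain.lower(), "none")


def rewrite_from_for_list(raw: bytes, list_address: str):
    """Hypothetical MLM step: when the author's domain publishes p=reject or
    p=quarantine, keep the author in Reply-To: and put the list address in
    From: so the re-signed mail aligns with the list's own domain."""
    msg = message_from_bytes(raw)
    name, addr = parseaddr(msg["From"])
    if dmarc_policy(addr.rpartition("@")[2]) in ("reject", "quarantine"):
        if msg["Reply-To"] is None:
            msg["Reply-To"] = msg["From"]
        msg.replace_header("From", formataddr((f"{name or addr} via list", list_address)))
    return msg


# Constructed sample message and list footer.
SAMPLE_BODY = b"Hello list,\r\nthis is the text the author signed.\r\n"
SAMPLE_MESSAGE = (
    b"From: Alice Author <alice@example.com>\r\n"
    b"To: list@lists.example.net\r\n"
    b"Subject: DMARC and mailing lists\r\n\r\n" + SAMPLE_BODY
)
LIST_FOOTER = b"-- \r\nlist footer added by the MLM\r\n"


def sample_dkim_header() -> str:
    """Constructed signature over SAMPLE_BODY; b= is a placeholder because
    only the body hash is checked here, not the RSA signature."""
    return ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; "
            f"bh={body_hash(SAMPLE_BODY)}; h=From:To:Subject; b=PLACEHOLDER")


if __name__ == "__main__":
    hdr = sample_dkim_header()
    print("unchanged body keeps bh:   ", body_hash_matches(hdr, SAMPLE_BODY))
    print("footer appended keeps bh:  ", body_hash_matches(hdr, SAMPLE_BODY + LIST_FOOTER))
    print("From rewrite keeps author sig:", author_signature_survives_from_rewrite(hdr))
    print(rewrite_from_for_list(SAMPLE_MESSAGE, "list@lists.example.net")["From"])
```

Two points the run makes that the discussion leaves implicit: trailing blank lines a list adds do not disturb bh= under simple canonicalization, but a footer does; and because From: is in this message's own h= list, the From: rewrite is only sound when the list re-signs the result under its own domain, which is what makes the rewritten mail DMARC-aligned.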