Re: DMARC: perspectives from a listadmin of large open-source lists

Miles Fidelman, Mon, 14 April 2014 02:57 UTC

John Levine wrote:
>> Meanwhile, I'm still not proposing that we train users, or even
>> anti-spam software to "recognize" or "validate" mailing list addresses.
>> What I'm proposing is a way to send mail from a list with From:
>> @domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the
>> left side of the @ sign to identify the actual sender of the message.
> Yes, that's the 1980s percent hack.  Do you really think it's a good
> idea to reinvent it to get around the defects of the FUSSP du jour?
> I agree that it's not plausible to train people to recognize mailing
> list addresses.  But what you're proposing is to train people to be
> phished, by telling them that a rewritten address from something that
> looks sort of like a mailing list is equivalent to whatever the
> original address was.  Given that DMARC is supposed to be an
> anti-phishing tool, this completely defeats the point.
> R's,
> John

It strikes me that the real way to address some of these issues is to 
add a few new headers to SMTP - to get rid of the overloading of the 
From: and Reply-to: headers associated with mailing lists.  An SMTP 
extension that would absorb some of the well-known and well-understood 
functions of list software.

I have to think a bit about what the full list of headers might be, but 
I'd start with:
From: <original author>
List-From: <mailing list>
Reply-To-List: <set by list manager>
DKIM signature stuff applied to original message
DKIM signature applied by list server

That might be a start toward a real solution that solves both sets of 

Then again - it's late, I'm in the middle of doing my taxes - this might 
not make any sense at all.

Miles Fidelman

In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
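
Added example, not part of the original message: a simplified DMARC relaxed-alignment check in Python, run over constructed messages for the cases this thread discusses (direct mail, list mail with From: kept, From: rewritten to the list domain, and the two-header layout with the author's signature still verifying). The function names, the placeholder domains and the two-label shortcut for the organizational domain are assumptions; SPF and DKIM results are passed in rather than verified.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(raw, spf_pass_domain, dkim_pass_domains):
    """Relaxed alignment: does any authenticated domain match the From: domain?

    spf_pass_domain   -- MAIL FROM domain that passed SPF, or None
    dkim_pass_domains -- d= domains of the DKIM signatures that verified
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    authenticated = list(dkim_pass_domains)
    if spf_pass_domain:
        authenticated.append(spf_pass_domain)
    return any(org_domain(d) == org_domain(from_domain) for d in authenticated)

# Constructed messages; every domain and address is a placeholder.
DIRECT = "From: Alice <alice@author.example>\nSubject: hi\n\nbody\n"
VIA_LIST = ("From: Alice <alice@author.example>\n"
            "Subject: [list] hi\n\nbody\n-- \nlist footer\n")
REWRITTEN = ("From: alice%author.example@lists.example\n"
             "Subject: [list] hi\n\nbody\n")
TWO_HEADERS = ("From: Alice <alice@author.example>\n"
               "List-From: list@lists.example\n"  # header proposed in the message
               "Subject: hi\n\nbody\n")

def scenarios():
    return {
        "direct": dmarc_aligned(DIRECT, "author.example", ["author.example"]),
        # List edited subject and body, so only the list's own signature verifies.
        "list_from_kept": dmarc_aligned(VIA_LIST, "lists.example", ["lists.example"]),
        "list_from_rewritten": dmarc_aligned(REWRITTEN, "lists.example", ["lists.example"]),
        # List left the signed content intact, so both signatures verify.
        # DMARC reads only From:, so List-From is carried but not consulted.
        "two_headers_sig_intact": dmarc_aligned(
            TWO_HEADERS, "lists.example", ["author.example", "lists.example"]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} aligned={ok}")
```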