Re: What I've been wondering about the DMARC problem

Hector Santos <> Tue, 15 April 2014 19:48 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 237301A06C4 for <>; Tue, 15 Apr 2014 12:48:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -100.103
X-Spam-Status: No, score=-100.103 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iX2J7OGzwepB for <>; Tue, 15 Apr 2014 12:48:33 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CD75D1A0186 for <>; Tue, 15 Apr 2014 12:48:32 -0700 (PDT)
DKIM-Signature: v=1;; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4449; t=1397591306; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=NUlSgojd0W1bmDjVcNlunH3lZNA=; b=VBoX9NOwhE06y0q9L3Tt 4gXqDnJ4rOVWepwwlqk2LoTxsMSAHS/kD/kjgjKYEUgEKdGTwz5YvQ0qIoZrENzg W0utgC3hXQvjzbL2eRcA0lqMQ0Nio0epLyV+UHn65E+HxtcEONP0KTd2hCNPZrFZ kM3Ibjiv85zrHLnO6rnxWTA=
Received: by (Wildcat! SMTP Router v7.0.454.4) for; Tue, 15 Apr 2014 15:48:26 -0400
Authentication-Results:; dkim=pass header.s=tms1; adsp=pass policy=all;
Received: from ( []) by (Wildcat! SMTP v7.0.454.4) with ESMTP id 699882339.3.2304; Tue, 15 Apr 2014 15:48:25 -0400
DKIM-Signature: v=1;; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4449; t=1397591236; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=/ZySL0k 1Lt5s3aYXLdyIdXoVrUeC7vxUOR+mFJU4AKE=; b=1gILSAd9m75TwKTWQ+ic7KT sR8E2PyV7S3jz1AvdJWUUsXCtzmIjli2q+vTcuvb3oZoLVa7DDE/g6BHFMqMM5Ia /s24GJXJrSE2ql3A9jw3juvY5SxRS9t2lRLgn6M/FaIB/SYAD9PKTx1sihKtoBRI jsF4u7SzrTN+NZPa0WcY=
Received: by (Wildcat! SMTP Router v7.0.454.4) for; Tue, 15 Apr 2014 15:47:16 -0400
Received: from [] ([]) by (Wildcat! SMTP v7.0.454.4) with ESMTP id 719412109.9.9460; Tue, 15 Apr 2014 15:47:15 -0400
Message-ID: <>
Date: Tue, 15 Apr 2014 15:48:21 -0400
From: Hector Santos <>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: "MH Michael Hammer (5304)" <>, IETF Discussion <>
Subject: Re: What I've been wondering about the DMARC problem
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Apr 2014 19:48:39 -0000

On 4/15/2014 2:16 PM, MH Michael Hammer (5304) wrote:
> Just curious, what sort of statement would you like to see? How would it help with vendor planning decisions?

I think the one provided here, although a link via tumblr, appears to 
be the official Yahoo position and sufficient:

> I'm looking forward to hearing your thoughts and questions and I'm sure others do as well. Is this list the best place for this or is there somewhere else more appropriate?

I don't think the IETF-LIST would be the appropriate place. I would 
think Dave and Murray would take the lead here, as the current IETF "reps".

> Hector, Yahoo implemented the change a week ago Friday,
> not 4 months ago. I'm sure they have received complaints.

This is a January 10, 2014 transaction for one of the 
subscribers to our support list getting a copy of a user 
mail submission:

Wildcat! ESMTP Server v7.0.454.4
SMTP log started at Fri, 10 Jan 2014  22:06:21
Connection Time: 20140110 22:06:21  cid: 00000000 tid: 144C
SSL Enabled: YES
Message Queue: d:\spool\santronics\smtp\47446W
Mail Host IP: (
Attempt #1 LastAttempt: n/a
22:06:21.471 ** Opening Connection to host: ip:
22:06:21.668 S: 220 ESMTP ready
22:06:21.669 C: EHLO
22:06:21.770 S:
22:06:21.770 S: 250-PIPELINING
22:06:21.770 S: 250-SIZE 41943040
22:06:21.770 S: 250-8BITMIME
22:06:21.770 S: 250 STARTTLS
22:06:21.770 C: MAIL FROM:<>
22:06:21.884 S: 250 sender <> ok
22:06:21.884 C: RCPT TO:<>
22:06:21.987 S: 250 recipient <> ok
22:06:21.987 C: DATA
22:06:22.087 S: 354 go ahead
22:06:23.179 S: 554 5.7.9 Message not accepted for policy reasons. 
22:06:23.180 C: QUIT
22:06:23.180 ** Completed. Elapsed Time: 1700 msecs

It's repeated for the other three users during a submission 
and it's recorded in the last four months of logs.  Only yesterday did 
a customer post a support message that he was now seeing it in his Wildcat! 
List Server setup and logs.  There might have been earlier reports but 
I didn't see them.

>> I can see additional DMARC extensions for other advancements, but the
>> main one is about managing 3rd party authorized domain to satisfy the
>> "signing/sent on behalf of" design need that yahoo says is required:

> On one level there already are ways for satisfying the 3rd party authorized domain issue. A domain could use SPF (either by specifying hosts/IPs or using an include in the SPF record) for a 3rd party domain. Another method would be to provide DKIM signing keys to the 3rd party. Yet a 3rd way is to delegate a subdomain so that the 3rd party can manage these things on their own. There are some best practice documents published at that might be useful. If what you mean is a mechanism to specify random 3rd parties that an end user wishes to use, then no there is not a mechanism and I don't know of anyone who has put forth what I would consider a workable model.

I have to begin reading the DMARC spec to see what all the 
boundary conditions are, but it basically means being able to answer mail 
operation policy questions such as:

   o  Does the domain ever distribute mail?
   o  Do you expect the mail to be unsigned?
   o  Do you expect to sign all mail?
   o  Is your domain the exclusive signer?
   o  Are 3rd party signers allowed?
   o  Are 3rd party signers allowed to strip your original signatures?

This is an illustration of the logical flow when SSP defined policies 
were used to answer the above questions.

>>      "Yahoo requires external email service providers, such as
>>       those who manage distribution lists, to cease using unsigned
>>       “sent from” mail, and switch to a more accurate “sent on
>>       behalf of” policy."
>> What is this so called "more accurate" method?
> Not sure exactly what he means.

The 5322.From rewrite suggestion?
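Added illustration (not part of Hector's message or the Wildcat! product): a small DMARC identifier-alignment evaluator that walks through the mailing-list case behind the 554 5.7.9 rejection in the log above, the "strip the original signature" question in the policy list, and the 5322.From rewrite mentioned at the end. The DMARC record, the domains `subscriber.example.com` and `lists.example.org`, and the function names are constructed for the example; the alignment rules follow RFC 7489, with the organizational-domain lookup simplified to the last two labels instead of the Public Suffix List.

```python
"""
Added example: DMARC identifier alignment for a message relayed by a
mailing list. Domains, record and scenarios are constructed; a real
receiver would obtain SPF/DKIM results and the TXT record from DNS.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def parse_dmarc_record(txt: str) -> dict:
    """Parse a TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment is the default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment is the default
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts
    the same organizational domain."""
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    """Outcomes the receiver already computed before the DMARC step."""
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of each valid signature
    spf_pass_domain: Optional[str] = None                       # MAIL FROM domain if SPF passed


def evaluate_dmarc(from_domain: str, record: dict, auth: AuthResults) -> Tuple[str, str]:
    """Return (result, disposition). DMARC passes when at least one
    authenticated identifier aligns with the 5322.From domain."""
    dkim_ok = any(aligned(d, from_domain, record["adkim"]) for d in auth.dkim_pass_domains)
    spf_ok = auth.spf_pass_domain is not None and aligned(
        auth.spf_pass_domain, from_domain, record["aspf"])
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", record["p"]


# Constructed record standing in for a p=reject sender domain.
REJECT_RECORD = parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r")
AUTHOR = "subscriber.example.com"   # constructed 5322.From domain of the poster
LIST = "lists.example.org"          # constructed mailing-list domain


def relayed_unchanged() -> Tuple[str, str]:
    """List keeps the author's 5322.From, re-signs with its own key, and
    uses its own bounce address; the author's signature was broken by
    footer/subject changes. Nothing aligns, so p=reject applies."""
    auth = AuthResults(dkim_pass_domains=[LIST], spf_pass_domain=LIST)
    return evaluate_dmarc(AUTHOR, REJECT_RECORD, auth)


def relayed_signature_preserved() -> Tuple[str, str]:
    """List leaves body and signed headers untouched, so the author's
    signature still verifies alongside the list's own: aligned DKIM passes."""
    auth = AuthResults(dkim_pass_domains=[AUTHOR, LIST], spf_pass_domain=LIST)
    return evaluate_dmarc(AUTHOR, REJECT_RECORD, auth)


def relayed_with_from_rewrite() -> Tuple[str, str]:
    """List rewrites 5322.From into its own domain ('sent on behalf of'),
    so the list's DKIM signature is the aligned identifier."""
    auth = AuthResults(dkim_pass_domains=[LIST], spf_pass_domain=LIST)
    return evaluate_dmarc(LIST, REJECT_RECORD, auth)


def direct_from_author() -> Tuple[str, str]:
    """Control case: the author's own server signed and sent the message."""
    auth = AuthResults(dkim_pass_domains=[AUTHOR], spf_pass_domain=AUTHOR)
    return evaluate_dmarc(AUTHOR, REJECT_RECORD, auth)


if __name__ == "__main__":
    for name, fn in [("unchanged relay", relayed_unchanged),
                     ("signature kept", relayed_signature_preserved),
                     ("From rewrite", relayed_with_from_rewrite),
                     ("direct", direct_from_author)]:
        print(f"{name:16s} -> {fn()}")
```

The first scenario is the one the Wildcat! log records: the receiver answers the DATA phase with a 5.7.9 policy rejection because the list's signature and SPF identify `lists.example.org` while 5322.From still names the author's p=reject domain. The second case shows that a list which neither strips nor breaks the original signature keeps the author's alignment intact, and the third is the outcome of the From rewrite.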