Re: DMARC and yahoo

Theodore Ts'o <> Wed, 16 April 2014 02:38 UTC

On Tue, Apr 15, 2014 at 10:23:22PM -0400, Michael Richardson wrote:
> So, as a WG chair, a person known to me just tried to post to the list
> from a brand new mail account.  They aren't subscribed with that
> address.  I would normally just approve, and add them...
> It seems to me that I must now actually reject, because it would affect other
> subscribers.
> I'm now thinking that we need to remove all the addresses from
> posting to ietf mailing lists.

So on my mailman configuration (which I believe is the default), if receives 5 hard fail bounces she will get
automatically suspended from the mailing list.  So a single e-mail
from a address won't cause damage, and if seven days go by
without any further bounce messages, the "bounce counter" gets reset
to zero.  The problem comes if you have many e-mail messages from users (which according to yahoo and the DMARC cheerleaders,
shouldn't happen, because mailing list traffic is
"insignificant" :-).

So this is what I've done on my church mailman setup.  First of all,
I've disabled bounce processing, so even if a posting slips
by, it won't do any damage.  (It does mean more bounce mail will end
up going to the list-owner address, which I'll then have to manually
deal with, but as a short-term hack, I'm willing to live with it).
Secondly, I've taken all of the users, and set the
moderation bit, so if they do send e-mail, it will be held for

I can then manually cut and paste their e-mail and send it to them on
their behalf.  Unfortunately, about 25% of my church's governing board
is using Yahoo, and so this is something I was willing to do as a
short-term remediation, since I didn't want to just bounce their
e-mail or let their e-mail cause other Vestry members to be removed
from the mailing list.

In the long-term, I'm going to try to convince some of them to move to
another mail provider, or at least use another mail provider for
church business.  I'll also try to see if I can get a patch to mailman
so it will do the "" -> ""
from header rewrite.  But that's not something I can do on short
notice, since this is a rather busy week for me.

I don't know what the secretariat should do.  My short-term
remediations aren't very scalable, so what works for a small church
probably wouldn't work for the entire IETF.

What a mess.

							- Ted
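
As an added illustration, not part of the message above and not Mailman's own code: a simplified Python model of the bounce counter as the message describes it (suspension at 5 hard bounces, reset after seven bounce-free days), showing how posts from a domain with a DMARC reject policy get other subscribers suspended and how holding those posts for moderation avoids it. The addresses, the `.example` domains and the names `Member`, `run_list` and `daily_posts` are constructed for the example.

```python
from datetime import date, timedelta

THRESHOLD = 5                      # hard bounces before suspension (from the message)
STALE_AFTER = timedelta(days=7)    # bounce-free period that resets the counter

class Member:
    def __init__(self, addr, enforces_dmarc):
        self.addr = addr
        self.enforces_dmarc = enforces_dmarc   # provider rejects DMARC failures?
        self.score, self.last_bounce, self.suspended = 0, None, False

    def hard_bounce(self, day):
        if self.last_bounce and day - self.last_bounce >= STALE_AFTER:
            self.score = 0                     # counter went stale, start over
        self.score += 1
        self.last_bounce = day
        self.suspended = self.score >= THRESHOLD

def sample_members():
    # Constructed subscribers; domains are placeholders.
    return [Member("alice@strict.example", True),
            Member("bob@enforcing.example", True),
            Member("carol@lenient.example", False)]

def run_list(members, posts, reject_domains, hold_for_moderation=False):
    """Relay posts unchanged; return (suspended addresses, held posts)."""
    held = []
    for day, sender in posts:
        if sender.rsplit("@", 1)[1] not in reject_domains:
            continue                            # no reject policy, nothing bounces
        if hold_for_moderation:
            held.append((day, sender))          # moderation bit set: never relayed
            continue
        for m in members:
            # The relayed copy fails DMARC, so enforcing receivers hard-bounce it
            # and the bounce is charged to the recipient, not the poster.
            if m.enforces_dmarc and not m.suspended and m.addr != sender:
                m.hard_bounce(day)
    return sorted(m.addr for m in members if m.suspended), held

def daily_posts(start, count, sender="alice@strict.example"):
    # Constructed traffic: one post per day from a reject-policy domain.
    return [(start + timedelta(days=i), sender) for i in range(count)]

if __name__ == "__main__":
    burst = daily_posts(date(2014, 4, 1), 5)
    print(run_list(sample_members(), burst, {"strict.example"}))
    print(run_list(sample_members(), burst, {"strict.example"}, hold_for_moderation=True))
```

The subscriber who gets suspended is the one whose provider enforces DMARC, not the one who posted.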