Re: DMARC: perspectives from a listadmin of large open-source lists

"John R Levine" <johnl@taugh.com> Tue, 08 April 2014 17:34 UTC

Date: 8 Apr 2014 13:34:35 -0400
Message-ID: <alpine.BSF.2.00.1404081325130.76892@joyce.lan>
From: "John R Levine" <johnl@taugh.com>
To: "S Moonesamy" <sm+ietf@elandsys.com>
Subject: Re: DMARC: perspectives from a listadmin of large open-source lists
In-Reply-To: <6.2.5.6.2.20140408101346.0ccb5e88@resistor.net>
References: <robbat2-20140408T031810-279861577Z@orbis-terrarum.net> <alpine.BSF.2.00.1404072357400.73388@joyce.lan> <01P6EEIPML6600004W@mauve.mrochek.com> <6.2.5.6.2.20140408101346.0ccb5e88@resistor.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/opx9xiTACtQr3rXBGSKmJ4SXv3k
Cc: IETF general list <ietf@ietf.org>

> I did a search before asking this question; I did not find any answer.  Does 
> anyone know whether the IETF adheres to BCP 167?

I've never been a big fan of RFC 6377, but this bit seems relevant since 
strict ADSP policies had pretty much the same problems as strict DMARC 
policies.

    For domains that do publish strict ADSP policies, the originating
    site SHOULD use a separate message stream (see Section 2.5), such as
    a signing and Author subdomain, for the "personal" mail -- a
    subdomain that is different from domain(s) used for other mail
    streams.  This allows each to develop an independent reputation, and
    more stringent policies (including ADSP) can be applied to the mail
    stream(s) that do not go through mailing lists or perhaps do not get
    signed at all.

As far as I know, the "participating MLM" thing has never been 
implemented, which makes the C in BCP rather suspect.  My own MLM signs 
the outgoing mail and adds an Authentication-Results: header, but largely 
by default because it's embedded in a mail system that does those things.

Just today I did modify it so that any list mail with a From: address 
@yahoo.com is rewritten to @yahoo.com.INVALID.  That's the least 
intrusive way I've been able to come up with to mitigate the damage. 
It's also similar to what RFC 6858 suggests for delivering EAI mail to 
systems that can't handle EAI, which is a vaguely similar problem.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
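The From: rewrite described in the message above, as an added Python example that is not John Levine's MLM code: the set of strict-policy domains is an assumption (the post names only yahoo.com, and no DNS lookup of the _dmarc record is done here), and preserving the original author address in Reply-To is an addition the post does not mention.

```python
import email
from email.utils import parseaddr, formataddr

# Domains whose strict DMARC policy (p=reject) gets list traffic bounced.
# The post names only yahoo.com; a real deployment would fill this from the
# domain's _dmarc TXT record or operator configuration (assumption).
STRICT_DOMAINS = {"yahoo.com"}

def rewrite_from(msg, strict_domains=STRICT_DOMAINS):
    """Rewrite From: user@domain to user@domain.INVALID when the domain
    publishes a strict policy. Returns True when a rewrite happened.
    Keeping the original author in Reply-To is an addition not in the
    post, so replies still reach the author after the rewrite."""
    name, addr = parseaddr(msg.get("From", ""))
    local, sep, domain = addr.rpartition("@")
    if not sep or domain.lower() not in strict_domains:
        return False
    msg.replace_header("From", formataddr((name, f"{local}@{domain}.INVALID")))
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    return True

# Constructed sample message (not from the original thread).
SAMPLE = """From: Alice Example <alice@yahoo.com>
To: ietf@ietf.org
Subject: test message

hello
"""

def rewrite_raw(raw, strict_domains=STRICT_DOMAINS):
    """Parse a raw RFC 5322 message, apply the rewrite, return the message."""
    msg = email.message_from_string(raw)
    rewrite_from(msg, strict_domains)
    return msg

if __name__ == "__main__":
    print(rewrite_raw(SAMPLE).as_string())
```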