DMARC-4-ML: Can the IETF call a demonstration?

Alessandro Vesely <> Wed, 14 May 2014 11:52 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 541401A0054 for <>; Wed, 14 May 2014 04:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.155
X-Spam-Status: No, score=0.155 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_GIF_UNO_LARGO=2.176, DC_IMAGE_SPAM_HTML=0.81, DC_IMAGE_SPAM_TEXT=0.242, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IA5Us1hb5kXK for <>; Wed, 14 May 2014 04:52:13 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 551AE1A0012 for <>; Wed, 14 May 2014 04:52:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=beta; t=1400068321; bh=gYXvBuP0KBU24zR7/LHZA/hZcF8yLAXZJ/dH4edrDjY=; l=27783; h=Date:From:To; b=cNfvw4Cs2HV4NCdk+pOChh8u7tXEaN41+HXWptBiRHAARGhX1dPSLeqHgifzmkMHE JYz+klgmLRqqGsRRaHMsTveQxpX8ofU/eR8MKE+yDddoqQWUsG/QNOuPKNqRc8NbAu YaqDGXxbG3v9b01cZiPwnbgKw5AODMo9FQ+JMmRQ=
Authentication-Results:; auth=pass (details omitted)
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by with ESMTPA; Wed, 14 May 2014 13:52:01 +0200 id 00000000005DC035.00000000537358E1.00002233
Message-ID: <>
Date: Wed, 14 May 2014 13:52:01 +0200
From: Alessandro Vesely <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.4.0
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=_north-8755-1400068321-0001-2"
Subject: DMARC-4-ML: Can the IETF call a demonstration?
X-Enigmail-Version: 1.6
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 May 2014 11:52:14 -0000

After some discussion on ietf-822, two viable methods were identified
for DMARC for mailing lists (ML).  Someone cutely suggested to do both:

*Tweak DKIM signatures*
To be applied on sending, produce a partial author's domain signature
which can be verified along with the ML signature.  To be refined a
bit, in order to account for chaining from a ML to another.

To be applied on receiving, for MLs endorsed by each domain's users.

Both methods require each domain to build a DB of MLs.  That can be
done by a "manual process" (see picture) for the time being.  The
process consists of each ML admin extracting a per-domain list of
subscribers and sending it to the relevant domain postmaster, after
obtaining subscribers' consent.  The volume of data is so huge as to
be akin to an on-line demonstration.

Will the admins go marching in?

Doing nothing will result in a mix of three reactions.  1, ML admins
changing the From: of domains who publish strict DMARC policies;  2,
some users changing mailbox provider; and 3, less domains publishing
strict DMARC policies.  The combined effect seems to weaken both DMARC
and mailing lists.