Re: DMARC and yahoo

Hector Santos <> Sun, 20 April 2014 22:21 UTC

Organization: Santronics Software, Inc.
List-Id: IETF-Discussion <>

On 4/20/2014 5:23 PM, Doug Barton wrote:

> The issue with and DMARC is not the users'
> ability to receive mail, it's their ability to send mail to the list
> with From: * and have it be received by list subscribers who
> implement strict DMARC policies which honor Yahoo!'s p=reject.

Or basically, anyone with a p=reject policy will be rejected by
DMARC compliant receivers if it's not signed by the author domain.  We
have been calling this 3rd party signatures. See RFC5016 (Requirements
for a DKIM Signing Practices Protocol) for the definition:

    o  First Party Address: for DKIM, a first party address is defined to
       be the [RFC2822].From address in the message header; a first party
       address is also known as an Author address.

    o  First Party Signature: a first party signature is a valid
       signature where the signing identity (the d= tag or the more
       specific identity i= tag) matches the first party address.
       "Matches" in this context is defined in [RFC4871].

    o  Third Party Signature: a third party signature is a valid
       signature that does not qualify as a first party signature.  Note
       that a DKIM third party signature is not required to correspond to
       a header field address such as the contents of Sender or List-Id,

DMARC has no such separation support. That's the problem. You know, for
the IETF purist, this is a violation of RFC5016 if it uses the term
DKIM in its documentation as a conforming solution.  Either that, or
it fell through the crack.  Let's hope it's the latter and we can fix this

> It's not clear how setting the users to digest mode helps
> this situation at all.

For our MLS digest mode, the signed digest message is 5322.From the
list domain.  Can't tell you offhand how other MLS will do this.
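
Added example, not part of the original message or of any mailing-list software: a Python sketch that applies the RFC5016 definitions quoted above to a message's headers, labelling each DKIM signature as first party or third party, and then applies the message's statement that mail from a p=reject domain is rejected when no author-domain signature is present. Assumptions: every signature present has already verified as valid, "matches" is simplified to an exact case-insensitive domain comparison, SPF is ignored, and the domains and messages are constructed samples.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; bh=/b= values are placeholders, not real signatures.
DIRECT = ("From: Author <author@example.org>\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\n"
          " h=From:To:Subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
          "Subject: hello\n\nbody\n")
VIA_LIST = ("From: Author <author@example.org>\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=list1;\n"
            " i=@lists.example.net; h=From:List-Id; bh=CONSTRUCTED; b=CONSTRUCTED\n"
            "List-Id: <discuss.lists.example.net>\n"
            "Subject: [discuss] hello\n\nbody\n-- list footer\n")

def parse_tags(sig_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def author_domain(msg):
    """Domain of the From address (the RFC5016 'first party address')."""
    return parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()

def classify(msg):
    """Return [(d= domain, 'first-party' | 'third-party')], one per signature."""
    author = author_domain(msg)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d = tags.get("d", "").lower()
        i_dom = tags.get("i", "").rpartition("@")[2].lower()
        # Simplified "matches": d= or the i= domain equals the author domain.
        first = bool(author) and author in (d, i_dom)
        results.append((d, "first-party" if first else "third-party"))
    return results

def rejected_under_p_reject(msg):
    """True when the author domain publishes p=reject and no first-party
    signature is present (the case described in the message above)."""
    return not any(kind == "first-party" for _, kind in classify(msg))

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("via list", VIA_LIST)):
        m = message_from_string(raw)
        print(name, classify(m), "reject" if rejected_under_p_reject(m) else "accept")
```
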