
List:       postfix-users
Subject:    Re: Validation DMARC
From:       Richard Damon <Richard () Damon-Family ! org>
Date:       2019-11-23 14:26:30
Message-ID: 6f810f3d-311d-e908-cca0-8aaa90b2c091 () Damon-Family ! org

On 11/23/19 4:26 AM, Dominic Raferd wrote:
>
>
> On Sat, 23 Nov 2019 at 09:14, Roland Köbler
> <rk-list@simple-is-better.org>
> wrote:
>
>     Hi,
>
>     > when validating DMARC, it use the envelope address, or use from
>     > address from the header?
>     it unfortunately uses the from-header.
>     (If it would use the envelope address, it would not cause that much
>     problems.)
>
>     Or in short: DMARC intentionally breaks every mailinglist and
>     every mail-forwarding.
>     So, if a mail-provider uses a strict DMARC-policy, it effectively
>     says: "Our mail-addresses may not be used for mailinglists."
>
>
> DMARC's focus on the From header is absolutely correct because it is
> about stopping forging. And it is simply untrue that DMARC breaks all
> mailing lists nor that it breaks all mail forwarding.
>
> I realise a lot of people on mailing lists about email have a downer
> on DMARC because depending on (a) the implementation of DKIM by the
> sender's domain controller and (b) on the setup of the mailing list it
> can - but often doesn't - cause problems. But it is a very powerful
> tool for preventing forging of emails. Domain controllers who are not
> bothered about forging of emails from their domain are not obliged to
> use it.

Many mailing lists will break under DMARC, as in many jurisdictions they
appear to fall under regulations that are designed for commercial
mailings, which include a requirement that all messages have a clearly
spelled out method to unsubscribe from that list. The standard solution
is to add a footer to the message with that information, which thus
breaks the DKIM signature. Since under DMARC both SPF and DKIM are based
on the From: header of the message, the list is unable to distribute
messages from domains with strict DMARC as their From, even though that
is what a plain reading of the email RFC would require (the mailing list
has NOT become the author by a mechanical editing of the message).

The DMARC group admits that this is a problem, but their main solution
is to just tell all mailing lists that they need to change the From of
messages to be the list so their method can be used. This causes lots of
problems; the real answer is that DMARC is not suitable for general mail
providers. It is really intended to be used by institutions that do
transactional email, and those users don't need to use mailing lists.

Note, the problem is that DMARC for general email has an incredibly high
false positive rate. What would you think if your mail provider adopted
a spam filter that declared 20% of your legitimate email as spam and
just discarded it? This is not a bad equivalent to the providers using a
method that declares mailing lists using the traditional methods that have
been used for decades as 'forgers'.

-- 
Richard Damon
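
Added example, not part of the original message: a minimal Python model of the DMARC evaluation this thread argues about, showing why a list that keeps the author's From: and appends a footer fails while an untouched relay or a rewritten From: passes. The domains and message data are constructed; alignment is strict (exact match) and only the DKIM body hash is modelled, not the header signature.

```python
import base64
import hashlib
from email.utils import parseaddr

def body_hash(body: bytes) -> str:
    """DKIM bh= value: SHA-256 over the 'simple'-canonicalized body (RFC 6376)."""
    canon = body.rstrip(b"\r\n") + b"\r\n"  # trailing empty lines collapse to one CRLF
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def dmarc_pass(msg: dict) -> bool:
    """Pass if SPF or DKIM passes for a domain that matches the From: header domain.
    Strict alignment (exact match) only; the DKIM header signature is not modelled."""
    from_domain = parseaddr(msg["from"])[1].rpartition("@")[2].lower()
    spf_ok = msg["spf_pass"] and msg["mail_from_domain"].lower() == from_domain
    dkim_ok = any(sig["d"].lower() == from_domain and sig["bh"] == body_hash(msg["body"])
                  for sig in msg["dkim"])
    return spf_ok or dkim_ok

def relay(msg: dict, list_domain: str, footer: bytes, rewrite_from: bool) -> dict:
    """What a list does: new envelope sender, optional footer, its own DKIM signature."""
    body = msg["body"] + footer
    return {
        "from": f"list@{list_domain}" if rewrite_from else msg["from"],
        "mail_from_domain": list_domain,  # bounces go to the list, so SPF checks the list
        "spf_pass": True,
        "body": body,
        "dkim": msg["dkim"] + [{"d": list_domain, "bh": body_hash(body)}],
    }

# Constructed sample data (hypothetical domains).
BODY = b"Does DMARC check the envelope or the header?\r\n"
FOOTER = b"-- \r\nTo unsubscribe: https://lists.example.org/unsub\r\n"
DIRECT = {"from": "Alice <alice@author.example>", "mail_from_domain": "author.example",
          "spf_pass": True, "body": BODY,
          "dkim": [{"d": "author.example", "bh": body_hash(BODY)}]}

if __name__ == "__main__":
    cases = {
        "direct": DIRECT,
        "list, footer added": relay(DIRECT, "lists.example.org", FOOTER, False),
        "list, body untouched": relay(DIRECT, "lists.example.org", b"", False),
        "list, From rewritten": relay(DIRECT, "lists.example.org", FOOTER, True),
    }
    for name, m in cases.items():
        print(f"{name:22} DMARC {'pass' if dmarc_pass(m) else 'fail'}")
```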
