On Wed 21/Jul/2021 20:05:41 +0200 Matthäus Wander wrote:
> Alessandro Vesely wrote on 2021-07-21 19:41:
>> Some lists operate the evasion hack, a.k.a. From: munging, only if the sender
>> has p=quarantine or p=reject, some do it unconditionally, some only if the
>> mail is outbound, some only if the receiver is mail.ru. Behavior doesn't seem
>> to be settled yet.
>>
>> We should add a section on From: munging in the spec.
>
> It's explained as mitigation in RFC7960:
> <https://datatracker.ietf.org/doc/html/rfc7960#section-4.1.3.1>
>
> What seems to be missing is a recommendation to not change DMARC validation
> behavior subject to p= or other conditions. A conditional validation makes
> p=none less useful for monitoring of potential delivery problems.

I agree that it's easier to deal with From: munging when it's done uniformly on
all messages. However, I'm not sure whether to actually RECOMMEND to do so.

How about something more or less like the following?

    *Mailing Lists*

    Mailing lists are characterized by changing the bounce address
    (RFC5321.MailFrom) on forwarding, see SMTP ([RFC5321]). Described in
    Internet Mail Architecture ([RFC5598]) as a kind of Mediator, several
    mailing lists do additional changes that break most original DKIM
    signatures. Before DMARC, this wasn't a problem. As DMARC becomes more
    widely supported and generic mailbox providers publish strict DMARC
    policies, mitigation as described in Interoperability Issues between DMARC
    and Indirect Email Flows ([RFC7960]) becomes necessary.

    We RECOMMEND that mailing list managers (MLMs) change the From: address
    (RFC5322.From) in order to become the owner of the main DMARC identifier.
    For example, if the incoming message has:

        From: Original Author <u...@example.com>

    then the forwarded message SHOULD change it, for example like so:

        From: Original Author via list-tag <whate...@list.example.org>

    See [RFC7960] for a full explanation of whys and hows.

    For uniform behavior, MLMs are better off applying the same mitigation
    technique irrespective of the current content of any DMARC records.
    However, some MLMs are known to decide whether to apply that change or
    not based on the existence of an author's domain DMARC record and the
    value of the "p" tag therein. In any case, MLMs MUST NOT consider the
    value of the "pct" tag in order to make such a decision.

Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
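
The From: rewrite and the munging decision proposed in the message above, as an added example that is not part of the original thread or of any MLM's code. The addresses, the `mode` parameter, the function names and the Reply-To handling are assumptions made for illustration; the DMARC record is passed in as a string instead of being looked up in DNS.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def should_munge(record, mode="always"):
    """Decide whether to rewrite From:.

    mode="always": uniform behaviour, the DMARC record is not consulted.
    mode="conditional": rewrite only when the author's domain publishes
    p=quarantine or p=reject. The "pct" tag is never read in either mode.
    """
    if mode == "always":
        return True
    tags = parse_dmarc(record)
    return tags is not None and tags.get("p", "").lower() in ("quarantine", "reject")


def munge_from(msg, list_tag, list_addr):
    """Rewrite From: to 'Name via list-tag <list address>' in place."""
    name, addr = parseaddr(msg["From"])
    display = f"{name or addr.split('@')[0]} via {list_tag}"
    # Assumption of this example: keep the author reachable via Reply-To.
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]
    msg["From"] = formataddr((display, list_addr))
    return msg


def forward(msg, author_dmarc_record, mode="always"):
    """Apply the list's munging policy to one message (constructed list identity)."""
    if should_munge(author_dmarc_record, mode):
        munge_from(msg, "list-tag", "list@list.example.org")
    return msg


if __name__ == "__main__":
    m = EmailMessage()
    m["From"] = "Original Author <user@example.com>"  # constructed sample
    print(forward(m, "v=DMARC1; p=reject; pct=0", "conditional")["From"])
```
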