Quoting Bernard Rosset via Dng (dng@lists.dyne.org):

> On a more generic topic, what I read about DMARC over here seems to
> be a bit unfair.

If you mean specifically my own postings on the subject, that's quite arguably true, especially the stuff I wrote a bit over a year ago, when I was well and truly furious about the destructive effect of strong DMARC policies on the (many) mailing lists I administer, and trying to help fellow listadmins understand and cope with the problem.

I'd be willing to consider offers to hire me to write utterly dispassionate and exhaustive documentation, as well, at consulting rates, two-hour minimum. But that would be a different need from the one I had been (and recently, somewhat exhaustedly, continued) attempting to satisfy.

> DMARC is only there to *enforce* SPF and/or DKIM ("DomainKeys
> Identified Mail" hence not really "former" DomainKeys, just mere
> relabeling).

I'm a little unclear on what you're saying, here, and what your point is. If you're saying DKIM is just a newer name for DomainKeys, but was unchanged from DomainKeys, you are incorrect: Yahoo had produced a draft called 'enhanced DomainKeys', and that was merged with a separate Cisco effort called 'Identified Internet Mail' to produce DKIM in 2004.

Yes, DMARC is a defined superset of SPF and/or DKIM. DKIM, IIRC, had the same destructive effects on mailing lists for the same reasons. Saying DMARC is 'only there to enforce' it is rather missing the point, IMO.

> The real protection mechanisms being considered/violated here are
> SPF and/or DKIM. DMARC's policy only triggers if *both* SPF & DKIM
> fail.

Your wording, here, is a bit ambiguous. If you are intending to suggest that DMARC requires that a domain implement both SPF and DKIM, that is not correct. OTOH, if you mean that DMARC fails only if neither SPF nor DKIM validates, then that is correct.

> Now, if the sender's domain supports DKIM, and provided the headers
> potentially important to the mailing list's piping are not provided
> & signed (Sender, List-*, Reply-To, etc.), ie if mere From, Subject
> are signed (which I believe is a common case), it is alright.
>
> Well. It is alright... provided mailing lists stop doing what they
> have been doing for ages, ie *modifying* protected content, either
> protected headers or body.

In other words, with the typical DKIM-attested set of headers and content, mailing lists break short of major changes such as wrapping the message, From: rewriting, or ceasing all message modifications, meaning not just no more footers and subject prefixes, but also (IIRC) problems with List-ID and similar headers.

More than a year ago, I could have written a comprehensive explanation of all the gory details, but will confess I've dropped a lot of it from memory since then.

> Hence, the real problem comes from violating DKIM... or having no
> DKIM set up.

Again, your wording is ambiguous. If you're suggesting that having no DKIM set up at a sending domain is somehow problematic for that domain, then that is incorrect. E.g., my linuxmafia.com domain does not have DKIM set up (because I think that technology design was poorly written), and I have no deliverability problems at all -- particularly because my domain has a correct, strongly asserted SPF policy, and because I follow reputable SMTP practices carefully and protect the reputation of my sending IP address.

I'm not entirely sure what you mean, if you meant something else.

> DMARC + DKIM should do the trick, provided mailing lists (softwares)
> stop being intrusive.

'Stop being intrusive'? The nerve!

Also, the term 'DMARC + DKIM' doesn't actually make a lot of sense. DMARC is a superset built atop either DKIM or SPF (or both).

> In the current state of my understanding of DMARC, SPF & DKIM, I
> have a hard time understanding flaming any of those protection
> mechanisms.

Well, I have no problem taking care of that need, in your absence. No charge, sir.

> The only trouble I see here is that mailing lists have a long
> history of modifying email headers and/or content, and it has been
> deemed "normal" over years of doing so.

That's like saying the only trouble you see is that humans have a long history of eating.

> Would you mind if I arbitrarily opened/modified your (private)
> postal mail or any written message from/to you?

This is an abuse of metaphor, and I'm having a difficult time believing you aren't trolling.

Mailing lists are sophisticated remailer mechanisms. In postal mail context, the proper metaphor would be an optional commercial service you can send a letter to, where the letter would be photocopied and then remailed to all of your friends. This isn't 'arbitrary'; the original sender engages the services of the remailing mechanism. Nor is it 'private'.

When you signed up for Dng, you were aware that you were voluntarily engaging the services of a software remailing service that would generate slightly modified/augmented copies of your post and send those out to each of a list of subscribers, right? If you considered that either 'arbitrary' or 'private', then I suggest that you have badly misunderstood the notion of a mailing list, and need to consider ceasing to use them.

> My understanding might be incomplete. If so, please enlighten me &
> anyone interested, by all means.

Once. If I have to do this a second time, we'll need to start talking about my consulting rates.

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
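
An added example, not part of the original post: a sketch of why a footer-appending list relay fails DMARC for an author whose domain publishes a strict policy. It implements DKIM's relaxed body canonicalization and body hash (RFC 6376) and the DMARC rule that SPF or DKIM must pass and also align with the From: domain; the domain names, the sample message and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of spaces/tabs to one space, strip trailing whitespace.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # ignore empty lines at end of body
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value the signer stores in bh= (sha256) and the verifier recomputes."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def org_domain(domain: str) -> str:
    # Assumption/simplification: last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_result(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """DMARC passes if SPF or DKIM passes AND aligns (relaxed) with From:."""
    def aligned(d):
        return org_domain(d) == org_domain(from_domain)
    if (spf_pass and aligned(spf_domain)) or (dkim_pass and aligned(dkim_domain)):
        return "pass"
    return "fail"

# Constructed sample message and list footer (not taken from any real list).
ORIGINAL = b"Hello list,\r\nDoes this work?\r\n"
FOOTER = b"_______________\r\nExample mailing list\r\n"

def list_scenario(modify_body: bool) -> str:
    signed_bh = body_hash(ORIGINAL)              # bh= set by the author's domain
    relayed = ORIGINAL + FOOTER if modify_body else ORIGINAL
    dkim_pass = body_hash(relayed) == signed_bh  # verifier recomputes the hash
    # The list relays with its own envelope sender: SPF passes for the list's
    # domain, but that domain does not align with the author's From: domain.
    return dmarc_result("author.example", True, "lists.example.org",
                        dkim_pass, "author.example")

if __name__ == "__main__":
    print("unmodified relay:", list_scenario(False))
    print("footer appended: ", list_scenario(True))
```
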