Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
On October 9, 2018 10:37:49 PM UTC, John Levine via dmarc-discuss wrote: >In article <24dd5bc1-ca89-473c-9d11-cb712504c...@akamai.com> you write: >>p=none -> “we’re trying to figure out if we’re going to be able to go >to p=quarantine” >> >>If you treat quarantine differently than none, you’re sending me >misleading data in the reports you send (if of course >>you send reports) - or your downstream recipients send. > >Sorry, but that is just wrong. I publish p=none because that is my >policy. That's what the spec says, that's what it means. > >R's, >John Same here. I publish p=none to get the feedback. I don't have any idea which decade it will be when mailing lists are either updated or obsoleted sufficiently so that it might be reasonable for me to even consider anything else. Scott K ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
On Tue, 9 Oct 2018, Al Iverson wrote: If you treat quarantine differently than none, you’re sending me misleading data in the reports you send (if of course Sorry, but that is just wrong. I publish p=none because that is my policy. It's not wrong from my perspective. It's exactly what I see in practice from ISPs and companies. I'm not opposed to having some way to say pretend that I'm publishing a more restrictive policy, but I'd be rather annoyed if p=none were hijacked so there's no way to say my mail comes from different places and that's OK. I don't care what the details are. Maybe we can publish an update that formalizes the pct=0 hack, or add p=pseudoquarantine. Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
On Tue, Oct 9, 2018 at 7:00 PM John Levine via dmarc-discuss wrote: > > In article <24dd5bc1-ca89-473c-9d11-cb712504c...@akamai.com> you write: > >p=none -> “we’re trying to figure out if we’re going to be able to go to > >p=quarantine” > > > >If you treat quarantine differently than none, you’re sending me misleading > >data in the reports you send (if of course > >you send reports) - or your downstream recipients send. > > Sorry, but that is just wrong. I publish p=none because that is my > policy. It's not wrong from my perspective. It's exactly what I see in practice from ISPs and companies. What John Payne is sharing is literally what's been running through my head over the past couple of months. > That's what the spec says, that's what it means. I think it's reasonable to discuss how most people are actually doing with DMARC. Al -- al iverson // 312-725-0130 // miami http://www.aliverson.com http://www.spamresource.com ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
Jonathan, > It can also be fairly argued that the maintainers of servers that host > mailing lists should get off their asses and fix their software to > rewrite headers for domains that have DMARC policies, ... Your implications of laziness are misplaced. We were talking about lists which already rewrite the From header for reject and quarantine, but not none. Arguably they've done /more/ work than you want them to. That said I stand by my contention that mailbox providers should not be using reject or quarantine, period. Rewriting the From header is a degradation to the user experience for those mailbox users, but even more so to the users whose mailboxes are reached. > Honestly, I'm having trouble understanding how ARC is going to solve > the problem satisfactorily. I don't know that it will either - it will require a lot of cooperation (implementation) from a lot of services, both list and mailbox, to overcome what I and others have argued is some mailbox providers' misuse of DMARC. But that's an old argument, look back a few years in this list if you're interested. Shal ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
In article <29bfd7c6-00bd-0950-fee8-780746f32...@quantopian.com> you write: >It can also be fairly argued that the maintainers of servers that host >mailing lists should get off their asses and fix their software to >rewrite headers for domains that have DMARC policies, and that they have >no incentive to do this as long as the mailbox providers aren't using >p=quarantine or p=reject. No, they should add ARC seals so recipients can filter them reasonable. Both Mailman and Sympa have ARC now, so for a lot of us it's just a config switch. R's, John ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
In article <24dd5bc1-ca89-473c-9d11-cb712504c...@akamai.com> you write: >p=none -> “we’re trying to figure out if we’re going to be able to go to >p=quarantine” > >If you treat quarantine differently than none, you’re sending me misleading >data in the reports you send (if of course >you send reports) - or your downstream recipients send. Sorry, but that is just wrong. I publish p=none because that is my policy. That's what the spec says, that's what it means. R's, John ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
On 10/9/18 2:14 PM, Shal F via dmarc-discuss wrote: > I find this bewildering and frustrating both for domains attempting to > roll out DMARC ... If you have users who participate in mailing lists, that is, if you're a mailbox provider, I think it can be fairly argued that you should not even consider using quarantine or reject policy. The bad example of some major mailbox providers notwithstanding. It can also be fairly argued that the maintainers of servers that host mailing lists should get off their asses and fix their software to rewrite headers for domains that have DMARC policies, and that they have no incentive to do this as long as the mailbox providers aren't using p=quarantine or p=reject. I mean, how many years have we had DMARC now? I really can't see any excuse for anybody running a mailing list server not to have solved this problem by now. It's been long enough already. Or, at least you should defer that decision until it is seen whether ARC solves the mailing list problem for your users. Honestly, I'm having trouble understanding how ARC is going to solve the problem satisfactorily. As I understand it, every site that actually checks DMARC headers on inbound emails is going to have to maintain a list of all the ARC signers they trust. That seems like an intractable problem and a nightmare to administer. How will administrators know which ARC signers are trustworthy? If I run a small Mailman server for my friends and I, even if I run OpenARC on it and generate ARC seals, nobody's going to bother adding my domain to their trusted ARC signer list, so basically I can't participate in ARC. I've been on the internet a long time and I can't say I at all like the idea of a standard which will only actually be usable by big service providers. jik ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
> On Oct 9, 2018, at 3:17 PM, Mark Fletcher via dmarc-discuss > wrote: > > On Tue, Oct 9, 2018 at 8:06 AM Jonathan Kamens via dmarc-discuss > wrote: > I see people behaving badly here in both directions. In my opinion, servers > that do message forwarding should rewrite headers for DMARC compliance > whenever there is a DMARC policy, not just when the policy is p=quarantine or > p=reject. And on the other end, given that the servers that do forwarding > aren't behaving that way, nobody should be using p=none in their policy; they > should instead use p=quarantine; pct=0 to force their headers to be rewritten > during forwarding. > > We only re-write From lines for quarantine or reject, not none. We want to > re-write as few From lines as possible; the user experience is degraded when > we have to re-write From lines. p=none -> “we’re trying to figure out if we’re going to be able to go to p=quarantine” If you treat quarantine differently than none, you’re sending me misleading data in the reports you send (if of course you send reports) - or your downstream recipients send. ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
On Tue, Oct 9, 2018 at 8:06 AM Jonathan Kamens via dmarc-discuss < dmarc-discuss@dmarc.org> wrote: > I see people behaving badly here in both directions. In my opinion, > servers that do message forwarding should rewrite headers for DMARC > compliance whenever there is a DMARC policy, not just when the policy is > *p=quarantine* or *p=reject*. And on the other end, given that the > servers that do forwarding *aren't* behaving that way, nobody should be > using *p=none* in their policy; they should instead use *p=quarantine; > pct=0* to force their headers to be rewritten during forwarding. > We only re-write From lines for quarantine or reject, not none. We want to re-write as few From lines as possible; the user experience is degraded when we have to re-write From lines. Mark ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
I agree that special casing "p=" (versus not special casing "p=none") is something people should do, and in my personal little mailing list manager, I've updated it to do that, and in my day job's email forwarding functionality, we're adding it there as well. I think that a lot of us assumed otherwise at first though, and it's kind of new territory. It's something I really only came to realize myself a few months ago. Be patient, tell people about it when you see it, and keep nudging. It takes a while for people to figure things out. Maybe I can squeeze a blog post out of this -- and it might be good for others to do the same. I do personally suggest against using pct=0 anywhere in any of this equation, though. Like mentioned, somebody's going to miss the percentage part being zero and end up acting as it if were set to 100. Cheers, Al Iverson On Tue, Oct 9, 2018 at 1:28 PM Payne, John via dmarc-discuss wrote: > > > > > On Oct 9, 2018, at 10:59 AM, Jonathan Kamens via dmarc-discuss > > wrote: > > > > As I'm sure the folks on this list are aware, apparently some ESPs and > > software maintainers have chosen to behave differently when forwarding > > emails (most notably to mailing lists) depending on whether the sender's > > domain DMARC policy is nonexistent or p=none, vs. p=quarantine or p=reject. > > > > In particular, the ones that I know about are Google Groups and GNU > > Mailman, both of which have decided to rewrite From: lines when they see > > p=quarantine or p=reject but leave them intact when they see no DMARC > > policy or a policy with p=none. > > > > I find this bewildering and frustrating both for domains attempting to roll > > out DMARC and for the administrators of mail servers attempting to enforce > > it on incoming emails. > > > > From the outbound email point of view, what good does it do to get > > aggregate reports telling you messages forwarded through mailing lists > > weren't DMARC compliant when you can't do anything about it and when > > messages sent through those same mailing lists will magically become > > compliant when you switch from p=none to p=quarantine? This is especially > > true since you can't actually know that those messages are going to > > magically become compliant, because you can't know which mailing list > > platforms play this game. > > > > From the inbound email point of view, having just deployed the current beta > > release of OpenDMARC on my personal (not Quantopian's) mail server > > (Incidentally, an aside: is anybody actually maintaining OpenDMARC? There > > are multiple significant bugs in it that have been reported with patches on > > Github and the maintainers there have been radio silent for months), I am > > carefully monitoring the logs, both to confirm that it is behaving properly > > and so that I can detect and report any problems to the OpenDMARC > > maintainers (I've already submitted several bug reports and patches). > > Several times a week I get a "domain fail" log message from OpenDMARC and I > > have to investigate it, only to discover that the only reason for the > > failure is because someone on my server received a message through a > > mailing list and the sender domain's DMARC policy is p=none. > > > > I see people behaving badly here in both directions. In my opinion, servers > > that do message forwarding should rewrite headers for DMARC compliance > > whenever there is a DMARC policy, not just when the policy is p=quarantine > > or p=reject. And on the other end, given that the servers that do > > forwarding aren't behaving that way, nobody should be using p=none in their > > policy; they should instead use p=quarantine; pct=0 to force their headers > > to be rewritten during forwarding. > > > > Am I missing something here? > > Thats exactly the situation I’m in.I believe that p= should > trigger “special handling” if there is any to be triggered. p=none is > semantically different from the record not existing, but it’s being treated > the same. > > Of course, p=quarantine; pct=0 does run the risk of receivers not obeying the > pct… which I think there’s at least 1 out there…. > > ___ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well terms > (http://www.dmarc.org/note_well.html) -- al iverson // 312-725-0130 // miami http://www.aliverson.com http://www.spamresource.com ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
Jonathan, > In particular, the ones that I know about are Google Groups and GNU > Mailman, both of which have decided to rewrite From: lines when they > see *p=quarantine* or *p=reject* but leave them intact when they see > no DMARC policy or a policy with *p=none*. You can add Groups.io to that list. > I find this bewildering and frustrating both for domains attempting to > roll out DMARC ... If you have users who participate in mailing lists, that is, if you're a mailbox provider, I think it can be fairly argued that you should not even consider using quarantine or reject policy. The bad example of some major mailbox providers notwithstanding. Or, at least you should defer that decision until it is seen whether ARC solves the mailing list problem for your users. Just my opinion as an email user who participates in mailing lists. Shal ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
> On Oct 9, 2018, at 10:59 AM, Jonathan Kamens via dmarc-discuss > wrote: > > As I'm sure the folks on this list are aware, apparently some ESPs and > software maintainers have chosen to behave differently when forwarding emails > (most notably to mailing lists) depending on whether the sender's domain > DMARC policy is nonexistent or p=none, vs. p=quarantine or p=reject. > > In particular, the ones that I know about are Google Groups and GNU Mailman, > both of which have decided to rewrite From: lines when they see p=quarantine > or p=reject but leave them intact when they see no DMARC policy or a policy > with p=none. > > I find this bewildering and frustrating both for domains attempting to roll > out DMARC and for the administrators of mail servers attempting to enforce it > on incoming emails. > > From the outbound email point of view, what good does it do to get aggregate > reports telling you messages forwarded through mailing lists weren't DMARC > compliant when you can't do anything about it and when messages sent through > those same mailing lists will magically become compliant when you switch from > p=none to p=quarantine? This is especially true since you can't actually know > that those messages are going to magically become compliant, because you > can't know which mailing list platforms play this game. > > From the inbound email point of view, having just deployed the current beta > release of OpenDMARC on my personal (not Quantopian's) mail server > (Incidentally, an aside: is anybody actually maintaining OpenDMARC? There are > multiple significant bugs in it that have been reported with patches on > Github and the maintainers there have been radio silent for months), I am > carefully monitoring the logs, both to confirm that it is behaving properly > and so that I can detect and report any problems to the OpenDMARC maintainers > (I've already submitted several bug reports and patches). Several times a > week I get a "domain fail" log message from OpenDMARC and I have to > investigate it, only to discover that the only reason for the failure is > because someone on my server received a message through a mailing list and > the sender domain's DMARC policy is p=none. > > I see people behaving badly here in both directions. In my opinion, servers > that do message forwarding should rewrite headers for DMARC compliance > whenever there is a DMARC policy, not just when the policy is p=quarantine or > p=reject. And on the other end, given that the servers that do forwarding > aren't behaving that way, nobody should be using p=none in their policy; they > should instead use p=quarantine; pct=0 to force their headers to be rewritten > during forwarding. > > Am I missing something here? Thats exactly the situation I’m in.I believe that p= should trigger “special handling” if there is any to be triggered. p=none is semantically different from the record not existing, but it’s being treated the same. Of course, p=quarantine; pct=0 does run the risk of receivers not obeying the pct… which I think there’s at least 1 out there…. ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] Aggregate report 'loop'
This problem is also avoided by using a third-party processor for your aggregate and forensic reports, so they aren't coming into your domain, right? On 10/9/18 7:42 AM, Juri Haberland via dmarc-discuss wrote: On 09/10/18 12:00, Paul Smith via dmarc-discuss wrote: [...] Several days ago, we received a marketing email from 'johnlewis.co.uk'. Our server dutifully sent a DMARC aggregate report back to them as their 'rua' record says. Then, the next day, we get an aggregate report back from them - with one message in - our aggregate report So, our server sends back an aggregate report back to them - with one message in - their aggregate report {...] The recommended way to prevent such "loops" is to send your reports from a subdomain with a DMARC record that has no 'rua' tag. That way you won't trigger new reports for your report. Cheers, Juri ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html) ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
As I'm sure the folks on this list are aware, apparently some ESPs and software maintainers have chosen to behave differently when forwarding emails (most notably to mailing lists) depending on whether the sender's domain DMARC policy is nonexistent or *p=none*, vs. *p=quarantine* or *p=reject*. In particular, the ones that I know about are Google Groups and GNU Mailman, both of which have decided to rewrite From: lines when they see *p=quarantine* or *p=reject* but leave them intact when they see no DMARC policy or a policy with *p=none*. I find this bewildering and frustrating both for domains attempting to roll out DMARC and for the administrators of mail servers attempting to enforce it on incoming emails. From the outbound email point of view, what good does it do to get aggregate reports telling you messages forwarded through mailing lists weren't DMARC compliant when you can't do anything about it and when messages sent through those same mailing lists will magically become compliant when you switch from *p=none* to *p=quarantine*? This is especially true since you can't actually /know/ that those messages are going to magically become compliant, because you can't know which mailing list platforms play this game. From the inbound email point of view, having just deployed the current beta release of OpenDMARC on my personal (not Quantopian's) mail server (Incidentally, an aside: is anybody actually /maintaining/ OpenDMARC? There are multiple significant bugs in it that have been reported with patches on Github and the maintainers there have been radio silent for months), I am carefully monitoring the logs, both to confirm that it is behaving properly and so that I can detect and report any problems to the OpenDMARC maintainers (I've already submitted several bug reports and patches). Several times a week I get a "/domain/ fail" log message from OpenDMARC and I have to investigate it, only to discover that the only reason for the failure is because someone on my server received a message through a mailing list and the sender domain's DMARC policy is *p=none*. I see people behaving badly here in both directions. In my opinion, servers that do message forwarding should rewrite headers for DMARC compliance whenever there is a DMARC policy, not just when the policy is *p=quarantine* or *p=reject*. And on the other end, given that the servers that do forwarding /aren't/ behaving that way, nobody should be using *p=none* in their policy; they should instead use *p=quarantine; pct=0* to force their headers to be rewritten during forwarding. Am I missing something here? Jonathan Kamens ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
Re: [dmarc-discuss] Aggregate report 'loop'
On 09/10/18 12:00, Paul Smith via dmarc-discuss wrote: [...] > Several days ago, we received a marketing email from 'johnlewis.co.uk'. > Our server dutifully sent a DMARC aggregate report back to them as their > 'rua' record says. > > Then, the next day, we get an aggregate report back from them - with one > message in - our aggregate report > > So, our server sends back an aggregate report back to them - with one > message in - their aggregate report {...] The recommended way to prevent such "loops" is to send your reports from a subdomain with a DMARC record that has no 'rua' tag. That way you won't trigger new reports for your report. Cheers, Juri ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
[dmarc-discuss] Aggregate report 'loop'
We've just implemented DMARC checking on the mail server software we publish and have noticed something that I'm not sure is meant to happen... Several days ago, we received a marketing email from 'johnlewis.co.uk'. Our server dutifully sent a DMARC aggregate report back to them as their 'rua' record says. Then, the next day, we get an aggregate report back from them - with one message in - our aggregate report So, our server sends back an aggregate report back to them - with one message in - their aggregate report - and so on - and so on I'm fairly sure this isn't supposed to happen, but it seems to be happening for several domains - linkedin is another one I've noticed it for. I probably wouldn't have noticed it if we hadn't just been working on the DMARC routines. So, should we be removing incoming aggregate reports from our own aggregate reports? Should everyone be doing that (because it seems to not just be we who aren't). Is this documented in the RFC? I couldn't see it. Is there any reliable way to detect that something is a DMARC aggregate report, or do we just 'guess' (based on subject, attachments etc)? -- Paul Smith Computer Services Tel: 01484 855800 Vat No: GB 685 6987 53 Sign up for news & updates at http://www.pscs.co.uk/go/subscribe ___ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)