Re: Validation DMARC
On Sun, 24 Nov 2019 at 23:34, Richard Damon wrote:

> On 11/24/19 6:21 PM, Wesley Peng wrote:
> > Why it doesn’t break From: header SPF? Just curious
> >
> > On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
> >> > Or in short: DMARC intentionally breaks every mailinglist and every
> >> > mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
> >> > it effectively says: "Our mail-addresses may not be used for
> >> > mailinglists."
> >>
> >> this message (i am replying to) from you on this mailing list is not
> >> broken
> >>
> It DOES break DMARC/SPF, as the IP address the message comes from
> doesn't match the From of the message, but with DMARC if EITHER SPF or
> DKIM pass, the message is to be considered to pass.
>
> A Domain with strict DMARC, and which doesn't DKIM sign messages, will
> fail with any form of remailer, so would fail for this application.
>

Anyone using DMARC with p=reject and without using DKIM signing is asking for trouble - this should never be done intentionally. I have seen it happen by mistake (usually by public bodies e.g. police, HMRC...).

Assuming the message is DKIM-signed (and the signing is only on the critical headers, as it normally is) then DMARC won't cause problems on this mailing list. For other mailing lists YMMV.

We have used DMARC with p=reject on domains for personal and business use for several years and have never had any rejections or 'false positives' as a result. I don't use such domains for posting to mailing lists, and no one else using our domains has ever tried to.
Re: Validation DMARC
That's a great explanation. Thanks Richard.

On Mon, Nov 25, 2019, at 7:33 AM, Richard Damon wrote:
> On 11/24/19 6:21 PM, Wesley Peng wrote:
> > Why it doesn’t break From: header SPF? Just curious
> >
> > On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
> >> > Or in short: DMARC intentionally breaks every mailinglist and every
> >> > mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
> >> > it effectively says: "Our mail-addresses may not be used for
> >> > mailinglists."
> >>
> >> this message (i am replying to) from you on this mailing list is not
> >> broken
> >>
> It DOES break DMARC/SPF, as the IP address the message comes from
> doesn't match the From of the message, but with DMARC if EITHER SPF or
> DKIM pass, the message is to be considered to pass.
>
> A Domain with strict DMARC, and which doesn't DKIM sign messages, will
> fail with any form of remailer, so would fail for this application.
>
> --
> Richard Damon
>
Re: Validation DMARC
On 11/24/19 6:21 PM, Wesley Peng wrote:
> Why it doesn’t break From: header SPF? Just curious
>
> On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
>> > Or in short: DMARC intentionally breaks every mailinglist and every
>> > mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
>> > it effectively says: "Our mail-addresses may not be used for
>> > mailinglists."
>>
>> this message (i am replying to) from you on this mailing list is not
>> broken
>>

It DOES break DMARC/SPF, as the IP address the message comes from doesn't match the From of the message, but with DMARC if EITHER SPF or DKIM pass, the message is to be considered to pass.

A Domain with strict DMARC, and which doesn't DKIM sign messages, will fail with any form of remailer, so would fail for this application.

--
Richard Damon
Re: Validation DMARC
* Wesley Peng:

> Why it doesn’t break From: header SPF? Just curious

See https://tools.ietf.org/html/rfc7208, in particular the "MAIL FROM Definition" section.

-Ralph
Re: Validation DMARC
Why it doesn’t break From: header SPF? Just curious

On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
> > Or in short: DMARC intentionally breaks every mailinglist and every
> > mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
> > it effectively says: "Our mail-addresses may not be used for
> > mailinglists."
>
> this message (i am replying to) from you on this mailing list is not
> broken
>
Re: Validation DMARC
On 11/24/19 3:12 PM, Chris Wedgwood wrote:
>> Or in short: DMARC intentionally breaks every mailinglist and every
>> mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
>> it effectively says: "Our mail-addresses may not be used for
>> mailinglists."
> this message (i am replying to) from you on this mailing list is not
> broken
>

This list is somewhat unusual in that it doesn't include a footer with list instructions, nor does it add a subject identifier to quickly identify that the message comes from this list. My guess is that two things are likely true:

1) This list is not run in a locality that requires obvious unsubscription instructions, or that it has been decided that the List-Unsubscribe header is good enough to meet that requirement

2) It is presumed that subscribers to this list are competent enough to not need to be reminded about operating instructions. (This list's subject matter is fairly technical, so not apt to draw less technically adept subscribers).

--
Richard Damon
Re: Validation DMARC
> Or in short: DMARC intentionally breaks every mailinglist and every
> mail-forwarding. So, if a mail-provider uses a strict DMARC-policy,
> it effectively says: "Our mail-addresses may not be used for
> mailinglists."

this message (i am replying to) from you on this mailing list is not broken
Re: Validation DMARC
On 11/23/19 12:30 PM, Ralph Seichter wrote:
> * Roland Köbler:
>
>> Or in short: DMARC intentionally breaks every mailinglist and every
>> mail-forwarding.
> I doubt that it is broken "intentionally". ;-)
>
> "[I have] found that misunderstandings and inertia perhaps cause
> more confusion in the world than cunning and malice. At least the
> latter two are certainly rarer." (J.W.v.Goethe, Die Leiden des
> jungen Werther, 1771)
>
> -Ralph
>

They likely didn't go in with the thought that they needed something that broke mailing lists, (and full DMARC doesn't break simple forwarding, as the DKIM signature should survive still matching), but in the development of it, they did realize that DMARC would break emails from many standardly run mailing lists. Initially this was ok, as the initial types of messages that they were trying to protect wouldn't go through such systems.

There were attempts to figure out how to improve the system so that it would work more generally and be usable for the wider usage, but that didn't pan out. It was only the adoption of the system by Yahoo and AOL (without informing their users of the consequences), and then them telling mailing list operators that the mailing lists had to deal with the damage, as they needed to adopt this for 'reasons'.

--
Richard Damon
Re: Validation DMARC
On 11/23/19 4:13 AM, Roland Köbler wrote:
> Hi,
>
>> when validating DMARC, it use the envelope address, or use from address from
>> the header?
> it unfortunately uses the from-header.
> (If it would use the envelope address, it would not cause that much
> problems.)
>
> Or in short: DMARC intentionally breaks every mailinglist and every
> mail-forwarding.
> So, if a mail-provider uses a strict DMARC-policy, it effectively
> says: "Our mail-addresses may not be used for mailinglists."
>
> The cleanest solution for mailinglists would be to reject mails from
> such addresses. (Spoofing the From-header by removing the author's address
> and replacing it by the list's address, and so hiding the original author,
> could of course also be done, but is not really a good solution.)
>
> Roland
>

When Yahoo first implemented this many years ago, and caused massive disruption to the mailing list community, that WAS one of the proposed solutions, put yahoo.com on the 'can not post' list, but it realized that it wouldn't really hurt yahoo, only some of its subscribers. It might cause some members to leave Yahoo, but unlikely enough to really matter to them, and might drive more traffic to Yahoo Groups (which at the time was making them money, and got around the problem because it was part of Yahoo).

--
Richard Damon
Re: Validation DMARC
On 11/23/19 4:26 AM, Dominic Raferd wrote:
>
>
> On Sat, 23 Nov 2019 at 09:14, Roland Köbler
> mailto:rk-l...@simple-is-better.org>>
> wrote:
>
> Hi,
>
> > when validating DMARC, it use the envelope address, or use from
> address from the header?
> it unfortunately uses the from-header.
> (If it would use the envelope address, it would not cause that much
> problems.)
>
> Or in short: DMARC intentionally breaks every mailinglist and
> every mail-forwarding.
> So, if a mail-provider uses a strict DMARC-policy, it effectively
> says: "Our mail-addresses may not be used for mailinglists."
>
>
> DMARC's focus on the From header is absolutely correct because it is
> about stopping forging. And it is simply untrue that DMARC breaks all
> mailing lists nor that it breaks all mail forwarding.
>
> I realise a lot of people on mailing lists about email have a downer
> on DMARC because depending on (a) the implementation of DKIM by the
> sender's domain controller and (b) on the setup of the mailing list it
> can - but often doesn't - cause problems. But it is a very powerful
> tool for preventing forging of emails. Domain controllers who are not
> bothered about forging of emails from their domain are not obliged to
> use it.

Many mailing lists will break under DMARC as in many jurisdictions they appear to fall under regulations that are designed for commercial mailings, which include a requirement that all messages have a clearly spelled out method to unsubscribe from that list. The standard solution is to add a footer to the message with that information, which thus breaks the DKIM signature, since under DMARC both SPF and DKIM are based on the From: header of the message, the list is unable to distribute messages from domains with strict DMARC as their From, even though that is what a plain reading of the EMail RFC would require (The mailing list has NOT become the author by a mechanical editing of the message).

The DMARC group admits that this is a problem, but their main solution is to just tell all mailing lists that they need to change the From of messages to be the list so their method can be used. This causes lots of problems, the real answer is that DMARC is not suitable for general mail providers. It is really intended to be used by Institutions that do transactional email, and those users don't need to use mailing lists.

Note, the problem is that DMARC for general email has an incredibly high false positive rate, what would you think if your mail provider adopted a spam filter that declared 20% of your legitimate email as spam and just discarded it. This is not a bad equivalent to the providers using a method that declares mailing lists using the traditional methods that have been used for decades as 'forgers'.

--
Richard Damon
Re: Validation DMARC
I’m not sure, you may refer to this discussion:
https://serverfault.com/questions/779730/why-dont-my-domains-messages-to-a-google-group-get-their-headers-rewritten-so

On Sat, Nov 23, 2019, at 7:23 PM, Jaroslaw Rafa wrote:
> On 23.11.2019 at 19:10:51, Wesley Peng wrote:
> >
> > if you have used a mail.ru email for google groups, when you posted
> > message to group, it will replace From header with the list address.
>
> Does it re-sign the message then? Because replacing the From: header would
> break DKIM, as this header is always signed...
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
>
Re: Validation DMARC
On 23.11.2019 at 19:10:51, Wesley Peng wrote:
>
> if you have used a mail.ru email for google groups, when you posted
> message to group, it will replace From header with the list address.

Does it re-sign the message then? Because replacing the From: header would break DKIM, as this header is always signed...

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: Validation DMARC
Hello

if you have used a mail.ru email for google groups, when you posted message to group, it will replace From header with the list address.

On Sat, Nov 23, 2019, at 6:43 PM, Jaroslaw Rafa wrote:
> On 23.11.2019 at 17:19:53, Wesley Peng wrote:
> > Google groups replace the from: with their group address.
>
> I have never seen it and I'm subscribed to many Google-based mailing lists.
> They replace the envelope from address (like almost every mailing list
> server does), but keep the original From: header.
>
> Replacing the From: header would be a very bad idea, as - as it was already
> written - this header indicates the author of the message, and the author is
> a particular sender writing to the list, and not the list itself.
>
> Would you really like to see in your mail client a whole thread of messages
> from a mailing list, each of them having "From:" address as the list's
> address? What would you do if you need to quickly find a message written by
> a particular person (for example, you) in this conversation?
> --
> Regards,
> Jaroslaw Rafa
> r...@rafa.eu.org
> --
> "In a million years, when kids go to school, they're gonna know: once there
> was a Hushpuppy, and she lived with her daddy in the Bathtub."
>
Re: Validation DMARC
On 23.11.2019 at 17:19:53, Wesley Peng wrote:
> Google groups replace the from: with their group address.

I have never seen it and I'm subscribed to many Google-based mailing lists. They replace the envelope from address (like almost every mailing list server does), but keep the original From: header.

Replacing the From: header would be a very bad idea, as - as it was already written - this header indicates the author of the message, and the author is a particular sender writing to the list, and not the list itself.

Would you really like to see in your mail client a whole thread of messages from a mailing list, each of them having "From:" address as the list's address? What would you do if you need to quickly find a message written by a particular person (for example, you) in this conversation?

--
Regards,
Jaroslaw Rafa
r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there was a Hushpuppy, and she lived with her daddy in the Bathtub."
Re: Validation DMARC
On Sat, 23 Nov 2019 at 09:14, Roland Köbler wrote:

> Hi,
>
> > when validating DMARC, it use the envelope address, or use from address
> from the header?
> it unfortunately uses the from-header.
> (If it would use the envelope address, it would not cause that much
> problems.)
>
> Or in short: DMARC intentionally breaks every mailinglist and every
> mail-forwarding.
> So, if a mail-provider uses a strict DMARC-policy, it effectively
> says: "Our mail-addresses may not be used for mailinglists."
>

DMARC's focus on the From header is absolutely correct because it is about stopping forging. And it is simply untrue that DMARC breaks all mailing lists nor that it breaks all mail forwarding.

I realise a lot of people on mailing lists about email have a downer on DMARC because depending on (a) the implementation of DKIM by the sender's domain controller and (b) on the setup of the mailing list it can - but often doesn't - cause problems. But it is a very powerful tool for preventing forging of emails. Domain controllers who are not bothered about forging of emails from their domain are not obliged to use it.
Re: Validation DMARC
Google groups replace the from: with their group address.

What I know the big providers having strict DMARC setting are:

mail.ru
laposte.net

I am glad the more large providers like gmail, outlook don’t have this stupid setting.

Regards

On Sat, Nov 23, 2019, at 5:13 PM, Roland Köbler wrote:
> Hi,
>
> > when validating DMARC, it use the envelope address, or use from address from
> > the header?
> it unfortunately uses the from-header.
> (If it would use the envelope address, it would not cause that much
> problems.)
>
> Or in short: DMARC intentionally breaks every mailinglist and every
> mail-forwarding.
> So, if a mail-provider uses a strict DMARC-policy, it effectively
> says: "Our mail-addresses may not be used for mailinglists."
>
> The cleanest solution for mailinglists would be to reject mails from
> such addresses. (Spoofing the From-header by removing the author's address
> and replacing it by the list's address, and so hiding the original author,
> could of course also be done, but is not really a good solution.)
>
> Roland
>
>
Re: Validation DMARC
Hi,

> when validating DMARC, it use the envelope address, or use from address from
> the header?

it unfortunately uses the from-header. (If it would use the envelope address, it would not cause that much problems.)

Or in short: DMARC intentionally breaks every mailinglist and every mail-forwarding. So, if a mail-provider uses a strict DMARC-policy, it effectively says: "Our mail-addresses may not be used for mailinglists."

The cleanest solution for mailinglists would be to reject mails from such addresses. (Spoofing the From-header by removing the author's address and replacing it by the list's address, and so hiding the original author, could of course also be done, but is not really a good solution.)

Roland
Re: Validation DMARC
On 11/22/19 7:12 PM, Wesley Peng wrote:
> Hi
>
> when validating DMARC, it use the envelope address, or use from address
> from the header? Thanks
>

DMARC specifically says that validation is to be based on the From: Header of the message (which is different than how SPF and DKIM work by themselves). This is what gives DMARC issues with some uses of emails when messages pass through relays which do things that break the message en route to their final destination. The email RFCs say that the From: header is supposed to indicate the author of the message, and the minor modifications along the way done by the relays do not invalidate who the author is, so the From should be retained.

Basically, this means that those domains that use DMARC, especially at the higher levels, should not use those types of relays, which makes some sense for the original intent of DMARC.

--
Richard Damon
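
An added example (not written by any poster in this thread) of the check discussed above: DMARC passes when either SPF or DKIM passes for a domain aligned with the From: header, which is why a list relay fails once the author's signature breaks. The domains and delivery records are constructed, and the two-label `org_domain` is a simplifying assumption standing in for the Public Suffix List.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real validators consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict_alignment=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict_alignment else org_domain(a) == org_domain(f)

@dataclass
class Delivery:
    header_from: str   # From: header, the identity DMARC checks against
    mail_from: str     # envelope sender, the identity SPF authenticates
    spf_pass: bool     # SPF result for mail_from's domain and the sending IP
    dkim: list = field(default_factory=list)  # (d= domain, signature verified)

def dmarc_pass(d, strict_alignment=False):
    from_domain = parseaddr(d.header_from)[1].rpartition("@")[2]
    spf_domain = d.mail_from.rpartition("@")[2]
    spf_ok = d.spf_pass and aligned(spf_domain, from_domain, strict_alignment)
    dkim_ok = any(ok and aligned(dom, from_domain, strict_alignment)
                  for dom, ok in d.dkim)
    return spf_ok or dkim_ok   # either aligned pass is enough

# Constructed deliveries: author at sender.example, list at lists.example.
AUTHOR, BOUNCE = "Alice <alice@sender.example>", "list-bounces@lists.example"
SCENARIOS = {
    "direct": Delivery(AUTHOR, "alice@sender.example", True, [("sender.example", True)]),
    "list, body untouched": Delivery(AUTHOR, BOUNCE, True, [("sender.example", True)]),
    "list, footer added": Delivery(AUTHOR, BOUNCE, True,
        [("sender.example", False), ("lists.example", True)]),
    "list, author unsigned": Delivery(AUTHOR, BOUNCE, True, []),
    "list rewrites From": Delivery("List <list@lists.example>", BOUNCE, True,
        [("lists.example", True)]),
}

def evaluate_all():
    return {name: dmarc_pass(d) for name, d in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:24} DMARC {'pass' if ok else 'fail'}")
```

In the list cases SPF itself passes, but for the list's bounce domain, so it never aligns with the author's From: domain and only a surviving author signature (or a rewritten From:) lets the message through.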
Validation DMARC
Hi

when validating DMARC, it use the envelope address, or use from address from the header?

Thanks