[mlmmj] Dealing with DMARC - any out-of-the-box solution in sight?

[mlmmj] Dealing with DMARC - any out-of-the-box solution in sight?

[Christian Lohmaier]

Hi *,

DMARC is in use by yahoo and others for a while, and gmail and others
already respect the settings, causing many bounces....

I wonder whether mlmmj will have some dmarc-compatible default soon or
how other mailinglist admins deal with the topic.

Disallow all mail from dmarc-policy using senders?
Forward only (no footers, no list-tag, no body filtering... - and no
real solution with some SPF)?
Just replace from-address by "John Doe via <list-addresss>"?
Replace From and add reply-to?
Replace From by forwarder-address?

What have other mailinglistadmins done?
And what is the suggestion by mlmmj-devs?

ciao
Christian

Re: [mlmmj] Dealing with DMARC - any out-of-the-box solution in sight?

[Yuri D'Elia]

On 05/21/2014 01:19 PM, Christian Lohmaier wrote:
> Hi *,
> 
> DMARC is in use by yahoo and others for a while, and gmail and others
> already respect the settings, causing many bounces....
> 
> I wonder whether mlmmj will have some dmarc-compatible default soon or
> how other mailinglist admins deal with the topic.
> 
> Disallow all mail from dmarc-policy using senders?
> Forward only (no footers, no list-tag, no body filtering... - and no
> real solution with some SPF)?
> Just replace from-address by "John Doe via <list-addresss>"?
> Replace From and add reply-to?
> Replace From by forwarder-address?
> 
> What have other mailinglistadmins done?
> And what is the suggestion by mlmmj-devs?

I'm currently removing DKIM and some obvious headers (using delheaders):

DKIM-Signature:
Return-Receipt-To:
Disposition-Notification-To:
X-Confirm-Reading-To:
X-PMRQC:

in order to bypass DKIM checks. It works if there's no DMARC, but I had
no bounces from gmail users either.

If I read the spec correctly, the only solution would be to replace
From: with the list header (or a forwarder under the list domain) and
add a Reply-To:. And of course, you cannot modify the body/subject if
DKIM is in use.

I don't like neither. The ability to choose reply-to-author/list is lost.

Also, AFAIK there's no way to construct a Reply-To: automatically from
the From: address in mlmmj.

[sigh]

I don't understand why the keep breaking mailing lists....
Though DMARC with SPF *only* seems reasonable enough, the biggest
players all seem to use DKIM as well.

Re: [mlmmj] Dealing with DMARC - any out-of-the-box solution in sight?

[Chris Knadle]

On Wednesday, May 21, 2014 13:19:58 Christian Lohmaier wrote:
> Hi *,
> 
> DMARC is in use by yahoo and others for a while, and gmail and others
> already respect the settings, causing many bounces....
> 
> I wonder whether mlmmj will have some dmarc-compatible default soon or
> how other mailinglist admins deal with the topic.

   http://www.ietf.org/mail-archive/web/ietf/current/msg87153.html

> Disallow all mail from dmarc-policy using senders?

Normally only the sending MTA would be looking up this information, and having 
mlmmj do this likely wouldn't make sense because there are already options 
that would allow doing this another way.

> Forward only (no footers, no list-tag, no body filtering... - and no
> real solution with some SPF)?

I don't think this is realistic.

> Just replace from-address by "John Doe via <list-addresss>"?
> Replace From and add reply-to?
> Replace From by forwarder-address?

These three area all possible to do in the MTA, but it's generally frowned 
upon because the MTA is not supposed to modify the message other than adding 
informational routing headers, and is never supposed to modify the body of the 
message.

Some mailing list software (such as DaDa Mail for one) have an option where 
the outbound sending email address is always that of the list, but modified 
with the senders name,
e.g. "Christian Lohmaier p.p. This Mailing List <list@lists.example.net>"
but this is a global setting and terribly ugly.

> What have other mailinglistadmins done?

So far I've heard list admins 'moderate' yahoo.com addresses so that those 
users cannot send mail through the list, or unsubscribe yahoo.com addresses.

> And what is the suggestion by mlmmj-devs?

Options I know of in mlmmj directly:

   - mlmmj has an 'access' tunable whereby you could make a rule to either
     deny, moderate, or hold mail from yahoo.com so that they cannot send

   - ask subscribers to sign up for the list using a mail service other
     than Yahoo.

The latter is what I have been doing, with explanation of the problem going on 
with Yahoo DMARC.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us

Re: [mlmmj] Dealing with DMARC - any out-of-the-box solution in sight?

[Chris Knadle]

On Wednesday, May 21, 2014 13:19:58 Christian Lohmaier wrote:
> Hi *,
> 
> DMARC is in use by yahoo and others for a while, and gmail and others
> already respect the settings, causing many bounces....
> 
> I wonder whether mlmmj will have some dmarc-compatible default soon or
> how other mailinglist admins deal with the topic.
> 
> Disallow all mail from dmarc-policy using senders?
> Forward only (no footers, no list-tag, no body filtering... - and no
> real solution with some SPF)?
> Just replace from-address by "John Doe via <list-addresss>"?
> Replace From and add reply-to?
> Replace From by forwarder-address?
> 
> What have other mailinglistadmins done?
> And what is the suggestion by mlmmj-devs?

DMARC suggests the following concerning mailing lists:

   http://dmarc.org/faq.html#s_3

essentially all of the suggestions break the standard way in which mailing 
lists operate.



This message has some other informational links:

   http://www.ietf.org/mail-archive/web/ietf/current/msg87171.html

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us

Re: [mlmmj] Dealing with DMARC - any out-of-the-box solution in sight?

[Andreas Schulze]

Christian Lohmaier:

> I wonder whether mlmmj will have some dmarc-compatible default soon or
> how other mailinglist admins deal with the topic.
>
> Disallow all mail from dmarc-policy using senders?
no

> Forward only (no footers, no list-tag, no body filtering
yes

> Just replace from-address by "John Doe via <list-addresss>"?
no

> Replace From and add reply-to?
no

> Replace From by forwarder-address?
no

> What have other mailinglistadmins done?
I deal with spf, dkim & dmarc for years. I reduced my mailing-lists to  
handle it's main
purpose: deliver messages to a list of receivers and handle bounces.  
Not less but not more.

the current e-mail eco system enable everybody to choose a sender address.
That will not change. Receivers try to enforce authentication by spf  
or dkim combined to dmarc.
A message will pass the dmarc test if
   - received from SPF announced IP
OR
   - content matches DKIM signature

Listserver obviously will not match most SPF records. So the only  
option to pass the DMARC test is
to *NOT MODIFY THE CONTENT*

Yes, there are other options:
> Just replace from-address by "John Doe via <list-addresss>"?
That works too.
amavis-users  
(http://lists.amavis.org/cgi-bin/mailman/listinfo/amavis-users) is an  
example.

my private lists, postfix-users and most (all?) apache mailing-list  
are examples for *NOT MODIFY THE CONTENT*
They work very well.

If any listadmin like to operate a list NOW, it is possible with mlmmj  
(and mailman) by choosing
the *NOT MODIFY THE CONTENT* way. No code change is needed, no update  
required, no need to wait.
Simply reconfigure the list to *NOT MODIFY THE CONTENT* and tell the  
subscribers how to
filter messages by list-id header instead by Subject. Mission  
comleted, time for coffee.

# cut $LIST_HOME}/control/customheaders
List-Id: <testing.lists.example.org>
List-Post: <mailto:testing@lists.example.org>
List-Help: <mailto:testing+help@lists.example.org>
List-Subscribe: <mailto:testing+subscribe@lists.example.org>
List-Unsubscribe: <mailto:testing+unsubscribe@lists.example.org>
List-Owner: <mailto:testing+owner@lists.example.org>
Precedence: list

Ben, start with this list :-)

Andreas