Am I interpreting this correctly -- that Yahoo's implementation of
DMARC is broken, such that anyone using a Yahoo address to participate
in a mailing list is dead in the water?
Yes. It seems that Yahoo wasn't content with just breaking Flickr [1]
but decided to branch out into email as well. John Levine's comments
(in the first link you provided) have been, I think, the most articulate
on the subject.
The worst part of this is (a) it creates massive problems for everyone
running mailing lists and (b) it doesn't solve any problems for anybody,
including Yahoo and its users.
Mitigation tactics vary, but one is to put everyone using a yahoo.com
address on moderation, using whatever mechanism the mailing list manager
(e.g. Mailman, majordomo, etc.) provides. Another is to encourage people
with Yahoo accounts to move elsewhere.
(There's nothing "wrong" with DMARC, per se, although I remain somewhat
skeptical about its widespread/long-term utility. What's "wrong" here
is that it's been badly misapplied to a use case that it doesn't fit.
To borrow a line from Zathras, "This...is wrong tool.")
Ugly. Confirmed across a variety of Mailman lists I administer.
Harvested addresses from the bounce logs, scripted up a notification to
small batches of addresses and moderated all @yahoo! addresses on the lists.
Rather, Yahoo has made a very conscious policy decision. So the "such that" clause of your sentence is correct. That is, the effect really is what you describe. But it's the result of an informed corporate choice rather than software or operations error.
From background exchanges and Yahoo participation in the development of DMARC, I believe they fully understood the technical and operations effects of the decision.
Whether it is the 'right' choice is primarily a political debate, and I'm not commenting on that.
In article <5345831B.4030705@dcrocker.net> you write:
> > Am I interpreting this correctly -- that Yahoo's implementation of
> > DMARC is broken, such that anyone using a Yahoo address to participate
> > in a mailing list is dead in the water?
> Their implementation is not 'broken'.
I'd say it's pretty badly broken if Yahoo intends for their web mail
to continue to be a general purpose mail system for consumers. If
they want to make it something else, that's certainly their right, but
it would have been nice if they'd given us some advance warning so we
could take the yahoo.com addresses off our lists.
Meh. This just means list software will have to rewrite the From
header to "From: John Levine <nanog@nanog.org>" and rely on the
Reply-To header for anybody who wants to send a message back to the
originator.
Maybe this is a good thing - we can stop getting all the "sorry I'm
out of the office" emails when posting to a list.
The sort of programmer that writes out-of-mind software that doesn't
employ the long well-known heuristics for detecting mailing lists
(starting with checking Return-Path: for "owner-" and similar) will also
likely disregard the Reply-To: header. This Is Not A Good Thing.
Q: I operate a mailing list and I want to interoperate with DMARC, what
should I do?
DMARC introduces the concept of aligned identifiers. It means the domain
in the From header must match the d= in the DKIM signature and the domain
in the MAIL FROM envelope.
1: operate as a strict forwarder, where the message is not changed and
the validity of the DKIM signature is preserved
2: introduce an "Original Authentication Results" header to indicate
you have performed the authentication and you are validating it
3: take ownership of the email, by removing the DKIM signature and
putting your own as well as changing the from header in the email to
contain an email address within your mailing list domain.
Option 1 is out of the question. Option 3 is what a lot of people are
starting to do. Can anybody tell me what exactly option 2 is?
What exactly is an "Original Authentication Results" header?
I'm already doing my own research but if someone can give a concise answer
as to what it is that would be appreciated.
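The three options above, worked through as an added example (this is not code from the thread, from Mailman or from any other list manager): a small model of relaxed DMARC identifier alignment, applied to a constructed yahoo.com post as it would look delivered directly, forwarded untouched (option 1), forwarded with the usual subject tag and footer, and after the list takes ownership of the message (option 3). The list domain, the sample message, the header names chosen for the rewrite (Reply-To, X-Original-From) and the simplified organizational-domain rule are all assumptions; the DKIM d= is passed in explicitly as what a verifier would see after checking the signature, since no signing is performed here.

```python
from email import message_from_string, policy
from email.utils import formataddr, parseaddr

LIST_DOMAIN = "lists.example.org"          # assumed list domain (constructed)
LIST_ADDR = "discuss@" + LIST_DOMAIN

# Constructed sample post from a yahoo.com subscriber, as the list receives it.
ORIGINAL = """\
Return-Path: <alice@yahoo.com>
From: Alice Example <alice@yahoo.com>
To: discuss@lists.example.org
Subject: DMARC and lists
Message-ID: <constructed-1@yahoo.com>

Hello list.
"""


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def org_domain(domain):
    """Approximate the organizational domain used by relaxed alignment
    as the last two labels; real verifiers consult a public-suffix list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def header_domain(value):
    return parseaddr(str(value or ""))[1].rpartition("@")[2]


def dmarc_alignment(msg, dkim_d=None):
    """Relaxed DMARC alignment of the RFC5322.From domain.  dkim_d is the
    d= of a DKIM signature that *verified* (None if none did).  DMARC
    passes when either the SPF or the DKIM identifier aligns with From."""
    from_d = org_domain(header_domain(msg["From"]))
    spf = org_domain(header_domain(msg["Return-Path"])) == from_d
    dkim = dkim_d is not None and org_domain(dkim_d) == from_d
    return {"spf": spf, "dkim": dkim, "pass": spf or dkim}


def forward_unchanged(msg):
    """Option 1: strict forwarder.  Only the envelope sender changes, so
    the author's DKIM signature (d=yahoo.com) still verifies."""
    out = parse(msg.as_string())
    out.replace_header("Return-Path", f"<bounces@{LIST_DOMAIN}>")
    return out


def forward_munged(msg):
    """What most lists actually do: subject tag plus footer.  Either edit
    invalidates the author's signature, so a verifier now sees dkim_d=None."""
    out = forward_unchanged(msg)
    out.replace_header("Subject", "[discuss] " + str(msg["Subject"]))
    out.set_content(msg.get_content() + "-- \ndiscuss mailing list\n")
    return out


def take_ownership(msg):
    """Option 3: From becomes a list address, the author moves to Reply-To,
    and the original From is kept in X-Original-From.  The list then signs
    with d=LIST_DOMAIN.  (Header choices follow common list-manager practice
    and are assumptions, not any particular software's behaviour.)"""
    out = forward_munged(msg)
    name, addr = parseaddr(str(msg["From"]))
    out.replace_header("From", formataddr((f"{name or addr} via discuss", LIST_ADDR)))
    out["Reply-To"] = formataddr((name, addr))
    out["X-Original-From"] = str(msg["From"])
    return out


def demo():
    """Alignment results for the four delivery paths discussed in the thread."""
    orig = parse(ORIGINAL)
    return {
        "direct":  dmarc_alignment(orig, dkim_d="yahoo.com"),
        "option1": dmarc_alignment(forward_unchanged(orig), dkim_d="yahoo.com"),
        "munged":  dmarc_alignment(forward_munged(orig), dkim_d=None),
        "option3": dmarc_alignment(take_ownership(orig), dkim_d=LIST_DOMAIN),
    }


if __name__ == "__main__":
    for path, r in demo().items():
        print(f"{path:8} spf={r['spf']!s:5} dkim={r['dkim']!s:5} pass={r['pass']}")
```

Running it shows why option 1 only works for a list that changes nothing (SPF no longer aligns once the envelope is the list's, so the author's surviving DKIM signature is the sole aligned identifier), why the ordinary subject-tag-plus-footer list fails both identifiers and gets rejected under p=reject, and why option 3 passes on both: From, MAIL FROM and d= are all now the list's domain.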
> > I'd say it's pretty badly broken if Yahoo intends for their web mail
> > to continue to be a general purpose mail system for consumers. If
> > they want to make it something else, that's certainly their right, but
> > it would have been nice if they'd given us some advance warning so we
> > could take the yahoo.com addresses off our lists.
> Meh. This just means list software will have to rewrite the From
> header to "From: John Levine <nanog@nanog.org>" and rely on the
> Reply-To header for anybody who wants to send a message back to the
> originator.
Or perhaps DMARC can go back to its original goal.
> Maybe this is a good thing - we can stop getting all the "sorry I'm
> out of the office" emails when posting to a list.
The OoO problem is a Client/MUA problem. Most (other than Lotus
Notes, and some older copies of Outlook) properly tag OoO emails with
well-defined headers (RFC 3834).
The most "sane" out-of-mind response should only be sent *if* the
out-of-mind person is named explicitly as a recipient in the RFC822
header. Anything To: somelist@somehost does not qualify
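The autoresponder checks described in the last few messages (RFC 3834 Auto-Submitted, the list heuristics starting with an "owner-" Return-Path, and replying only when one of the user's own addresses is explicitly a recipient), as an added example rather than code from the thread, from procmail or from any vendor's vacation feature. The user's addresses, the header set treated as list markers, the envelope local-part patterns and the sample messages are all constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Assumed: the addresses the vacationing user configured the autoresponder for.
MY_ADDRESSES = {"bob@example.com", "robert@example.com"}

# Assumed set of list markers (RFC 2919 List-Id and RFC 2369 List-* headers).
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")


def should_autorespond(raw, my_addresses=MY_ADDRESSES):
    """True only if a human sent this message directly to one of my addresses."""
    msg = message_from_string(raw, policy=policy.default)

    # RFC 3834: any Auto-Submitted value other than "no" marks automatic mail.
    if str(msg.get("Auto-Submitted", "no")).strip().lower() != "no":
        return False

    # List traffic announced by headers, or bulk precedence.
    if any(h in msg for h in LIST_HEADERS):
        return False
    if str(msg.get("Precedence", "")).strip().lower() in ("list", "bulk", "junk"):
        return False

    # The classic heuristic: owner-/-request/-bounces envelope senders,
    # plus the null sender and mailer-daemon used by bounces.
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    local = envelope.partition("@")[0]
    if (not envelope or local.startswith(("owner-", "mailer-daemon"))
            or local.endswith(("-request", "-bounces", "-owner"))):
        return False

    # Finally: reply only if I am explicitly named in To: or Cc:.
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    named = {addr.lower() for _, addr in getaddresses(headers) if addr}
    return bool(named & {a.lower() for a in my_addresses})


# Constructed sample messages.
DIRECT_MAIL = """\
Return-Path: <alice@example.net>
From: Alice <alice@example.net>
To: Bob <bob@example.com>
Subject: lunch tomorrow?

Are you free?
"""

LIST_POST = """\
Return-Path: <owner-somelist@somehost.example>
From: Alice <alice@example.net>
To: somelist@somehost.example
List-Id: <somelist.somehost.example>
Precedence: list
Subject: [somelist] anyone around?

Hello all.
"""

# A list that sets none of the modern headers; only the envelope gives it away.
LIST_POST_BARE = """\
Return-Path: <somelist-request@somehost.example>
From: Alice <alice@example.net>
To: somelist@somehost.example
Subject: question

Hello all.
"""

OTHER_AUTOREPLY = """\
Return-Path: <carol@example.org>
From: Carol <carol@example.org>
To: bob@example.com
Auto-Submitted: auto-replied
Subject: Out of office

I am away until Monday.
"""

# Delivered to bob via Bcc: he is not named in To: or Cc:.
BCC_COPY = """\
Return-Path: <dave@example.net>
From: Dave <dave@example.net>
To: someone-else@example.org
Subject: fyi

You were Bcc'd.
"""


def demo():
    return {name: should_autorespond(raw) for name, raw in [
        ("direct", DIRECT_MAIL), ("list", LIST_POST), ("list_bare", LIST_POST_BARE),
        ("autoreply", OTHER_AUTOREPLY), ("bcc", BCC_COPY)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10} respond={verdict}")
```

Only the direct message gets a reply; every other case is dropped by an earlier check, and the Bcc case shows why the explicit-recipient rule is the one that finally catches traffic no header heuristic can identify.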
> The most "sane" out-of-mind response should only be sent *if* the
> out-of-mind person is named explicitly as a recipient in the RFC822
> header. Anything To: somelist@somehost does not qualify
Funny story: When I was at IBM I filed that as a bug with Lotus
Notes. The Notes team rejected the bug.
Because *I* set the out-of-office notification for my email
address[es]. If I'm not in the recipient list, do not respond. This is
a "per user" knob we are talking about here, so it knows darn well what
address[es] are me.
> The most "sane" out-of-mind response should only be sent *if* the
> out-of-mind person is named explicitly as a recipient in the RFC822
> To: header. Anything To: somelist@somehost does not qualify
This highly effective trick was in the procmail example vacation script in 1991, and doubtless goes back much farther than that. It's a little dismaying to hear that there are still people writing autoresponders who don't know about it.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
> 2: introduce an "Original Authentication Results" header to indicate
> you have performed the authentication and you are validating it
This was someone's hack that doesn't work. The idea is that you make an RFC5451 Authentication-Results header for the incoming message, change the name to original-authentication-results to circumvent some MTAs that strip incoming A-R headers, and send it as part of the signed outgoing message.
The reason it doesn't work is that spammers can add fake o-a-r headers as easily as lists can add real ones, so you need to make a whitelist of well behaved senders who don't send faked mail so you know whether to believe them. But once you have the whitelist of well behaved senders, you can skip the o-a-r stuff and just deliver the mail.
I gather somewhere there is a private non-standard bilateral implementation of this, but it still seems like an awfully complicated way to do your spam filtering.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
> This highly effective trick was in the procmail example vacation script in
> 1991, and doubtless goes back much farther than that. It's a little
> dismaying to hear that there are still people writing autoresponders who
> don't know about it.
What is procmail?
The scriptable mail delivery agent that most Unix-ish systems use to sort mail at delivery time. It's a marvel of robust programming, no updates since 2001 but still works great.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly