From matt at dns-oarc.net Sun Mar 31 21:16:27 2019
From: matt at dns-oarc.net (Matthew Pounsett)
Date: Sun, 31 Mar 2019 17:16:27 -0400
Subject: [Collisions] Mailing List Behaviour Change
Message-ID: <283E054B-5F4F-4583-8058-733219465CB4@dns-oarc.net>

This message is crossposted to multiple lists. Apologies to those who see it more than once.

DNS-OARC administrates many public mailing lists in the DNS operations space. Beginning on Wednesday, April 3, 2019 at approximately 20:00 UTC, OARC will change the way all mailing lists handle mail from subscribers in DMARC-protected domains. For any such email with a 'reject' or 'quarantine' policy, we will begin wrapping the message in a new email with From and Reply-To headers set to the list address. This is required to prevent email from DMARC-protected domains being bounced by destination mail servers.

Wrapping messages in this way may be counter to some expectations, such as where replies will be sent, and in some cases may affect your ability to validate cryptographically signed email.

For any issues with this change in configuration, please contact .

Background and Detail
---------------------

DMARC is a mail authentication standard designed to give domain owners the ability to prevent their domain from being used to forge From addresses in spam messages. It is a useful tool for this purpose, but breaks many of the long established mailing list norms, standards, and behaviours. Among these is the normal expectation that mail sent from one subscriber, through the list, and received by another subscriber, will appear to be from the original subscriber.

Email from a DMARC-protected domain with a strict rejection policy, sent through a typical mailing list (which does not modify the From header), and received by a mail server with strict DMARC validation settings, is frequently bounced or quarantined. For example, sites like Gmail and Yahoo! both use strict validation, and will bounce any list messages they receive forwarded from domains with rejection policies in their DMARC settings.

Our mailing lists have never had any special handling for email sourced from DMARC-protected mail domains; we have had few subscribers whose domains have set strict rejection or quarantine rules in their DMARC policies. Recently, we have begun to see an influx of messages from domains with 'reject' policies in their DMARC configuration, and these messages are being bounced by recipient mail services which employ strict DMARC validation. In the last few days, these bounces have reached a level that resulted in mailman's bounce processing automatically removing a small number of users from some mailing lists. Unfortunately, there is no way to single out DMARC bounces and have the bounce processor disregard them.

We are taking the action of wrapping mail from DMARC-protected domains because we believe it is the least disruptive option for the lists we maintain. This is one of two standard ways of dealing with DMARC-protected email on mailing lists, the other being to simply rewrite the From and Reply-to headers of the original mail. We chose wrapping the messages instead of rewriting their headers because rewriting breaks cryptographic validation of messages in nearly all cases.

We would like to thank the spammers and phishers for another complex, awkward hack on a well established protocol.

References
----------

For a general description of DMARC, please see the Wikipedia page at:

For more detail on DMARC, the protocol has a web site at .

And for technical details on the wrapping of list messages by mailman, please see the documentation for mailman 2.1.18 and later at .

Matt Pounsett
DNS-OARC Systems Engineering
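
The wrapping behaviour described in the message above, as an added example that is not part of the original e-mail and is not mailman's code: a post is wrapped only when the sender domain's DMARC policy is 'reject' or 'quarantine', and the original travels untouched as a message/rfc822 attachment. The list address, the sample domain and message are constructed, and the DMARC record is passed in as a string here instead of being looked up in DNS.

```python
from email import message_from_string, policy
from email.message import EmailMessage

LIST_ADDR = "list@lists.example.org"  # hypothetical list address

def dmarc_policy(txt_record):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def wrap_if_protected(raw_message, txt_record):
    """Wrap the post when the sender's policy is reject or quarantine."""
    original = message_from_string(raw_message, policy=policy.default)
    if dmarc_policy(txt_record) not in ("reject", "quarantine"):
        return original  # passed through with its own From header
    outer = EmailMessage()
    outer["From"] = LIST_ADDR
    outer["Reply-To"] = LIST_ADDR
    outer["Subject"] = str(original.get("Subject", ""))
    outer.set_content("Original message attached unmodified.\n")
    outer.add_attachment(original)  # becomes a message/rfc822 part
    return outer

def unwrap(message):
    """Return the attached original if the message is a wrapper, else itself."""
    for part in message.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return message

# Constructed sample input.
SAMPLE = (
    "From: alice@strict.example\n"
    "To: list@lists.example.org\n"
    "Subject: test post\n"
    "\n"
    "Signed body text.\n"
)
REJECT = "v=DMARC1; p=reject; rua=mailto:agg@strict.example"
NONE = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(wrap_if_protected(SAMPLE, REJECT).as_string())
```

A recipient's DMARC check sees the list address in the outer From header, while the inner message keeps the original sender's headers and body.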