[dns-operations] Mailing List Behaviour Change

Matthew Pounsett matt at dns-oarc.net
Sun Mar 31 21:16:27 UTC 2019


This message is crossposted to multiple lists. Apologies to those who see it
more than once.

DNS-OARC administrates many public mailing lists in the DNS operations space.
Beginning on Wednesday, April 3, 2019 at approximately 20:00 UTC, OARC will
change the way all mailing lists handle mail from subscribers in
DMARC-protected domains.  For any such email with a 'reject' or 'quarantine'
policy, we will begin wrapping the message in a new email with From and
Reply-To headers set to the list address.  This is required to prevent email
from DMARC-protected domains being bounced by destination mail servers.

Wrapping messages in this way may be counter to some expectations, such as
where replies will be sent, and in some cases may affect your ability to
validate cryptographically signed email.

For any issues with this change in configuration, please contact
<admin at dns-oarc.net>.


Background and Detail
---------------------

DMARC is a mail authentication standard designed to give domain owners the
ability to prevent their domain from being used to forge From addresses in
spam messages.  It is a useful tool for this purpose, but breaks many of the
long established mailing list norms, standards, and behaviours.  Among these
is the normal expectation that mail sent from one subscriber, through the
list, and received by another subscriber, will appear to be from the original
subscriber.

Email from a DMARC-protected domain with a strict rejection policy, sent
through a typical mailing list (which does not modify the From header), and
received by a mail server with strict DMARC validation settings, is frequently
bounced or quarantined.  For example, sites like Gmail and Yahoo! both use
strict validation, and will bounce any list messages they receive forwarded
from domains with rejection policies in their DMARC settings.

Our mailing lists have never had any special handling for email sourced from
DMARC-protected mail domains; we have had few subscribers whose domains have
set strict rejection or quarantine rules in their DMARC policies.  Recently,
we have begun to see an influx of messages from domains with 'reject' policies
in their DMARC configuration, and these messages are being bounced by
recipient mail services which employ strict DMARC validation.

In the last few days, these bounces have reached a level that resulted in
mailman's bounce processing automatically removing a small number of users
from some mailing lists.  Unfortunately, there is no way to single out DMARC
bounces and have the bounce processor disregard them.

We are taking the action of wrapping mail from DMARC-protected domains because
we believe it is the least disruptive option for the lists we maintain.  This
is one of two standard ways of dealing with DMARC-protected email on mailing
lists, the other being to simply rewrite the From and Reply-To headers of the
original mail.  We chose wrapping the messages instead of rewriting their
headers because rewriting breaks cryptographic validation of messages in
nearly all cases.

We would like to thank the spammers and phishers for another complex, awkward
hack on a well established protocol.


References
----------

For a general description of DMARC, please see the Wikipedia page at:
<https://en.wikipedia.org/wiki/DMARC>

For more detail on DMARC, the protocol has a web site at <https://dmarc.org/>.

And for technical details on the wrapping of list messages by mailman, please
see the documentation for mailman 2.1.18 and later at
<https://wiki.list.org/DEV/DMARC>.


Matt Pounsett
DNS-OARC Systems Engineering
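
The wrapping decision described in the announcement, as an added example that is not part of the original message and is not mailman's own code. The list address, the `.example` domains and the in-memory DMARC records (standing in for DNS lookups of `_dmarc.<domain>`) are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "example-list@lists.example.org"  # hypothetical list address

# Constructed DMARC TXT records standing in for DNS lookups of _dmarc.<domain>.
DMARC_TXT = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "quar.example": "v=DMARC1; p=quarantine",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(txt):
    """Return the p= tag of a DMARC record, or None if txt is not one."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def needs_wrap(msg):
    """True when the From domain publishes p=reject or p=quarantine."""
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    return dmarc_policy(DMARC_TXT.get(domain)) in ("reject", "quarantine")

def wrap_for_list(msg):
    """Wrap msg in a new message from the list; pass others through."""
    if not needs_wrap(msg):
        return msg
    name, addr = parseaddr(str(msg["From"]))
    outer = EmailMessage()
    outer["From"] = formataddr((f"{name or addr} via list", LIST_ADDR))
    outer["Reply-To"] = LIST_ADDR
    outer["Subject"] = str(msg["Subject"] or "")
    outer.add_attachment(msg)  # original kept intact as message/rfc822
    return outer

def inner_message(outer):
    """Return the original message carried inside a wrapped one."""
    part = next(outer.iter_attachments())
    return part.get_payload(0)

def sample(sender):
    """Constructed test message from the given sender."""
    raw = f"From: Alice <{sender}>\nTo: {LIST_ADDR}\nSubject: test\n\nhello\n"
    return message_from_string(raw, policy=policy.default)
```

Because the original travels unmodified as a `message/rfc822` part, its own headers and body stay available to a recipient who extracts the inner message.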


