Validation DMARC


Validation DMARC

Wesley Peng-4
Hi

When validating DMARC, does it use the envelope address, or the From address from the header? Thanks



Re: Validation DMARC

Richard Damon
On 11/22/19 7:12 PM, Wesley Peng wrote:
> Hi
>
> When validating DMARC, does it use the envelope address, or the From address
> from the header? Thanks
>
DMARC specifically says that validation is to be based on the From:
header of the message (which is different from how SPF and DKIM work by
themselves).

This is what gives DMARC issues with some uses of email when messages
pass through relays which do things that break the message en route to
their final destination. The email RFCs say that the From: header is
supposed to indicate the author of the message, and the minor
modifications done along the way by the relays do not invalidate who
the author is, so the From: should be retained.

Basically, this means that those domains that use DMARC, especially at
the higher levels, should not use those types of relays, which makes
some sense for the original intent of DMARC.

--
Richard Damon


Re: Validation DMARC

Roland Freikamp
In reply to this post by Wesley Peng-4
Hi,

> When validating DMARC, does it use the envelope address, or the From address from the header?
It unfortunately uses the From header.
(If it used the envelope address, it would not cause that many
problems.)

Or in short: DMARC intentionally breaks every mailing list and every mail forwarding.
So, if a mail provider uses a strict DMARC policy, it effectively
says: "Our mail addresses may not be used for mailing lists."

The cleanest solution for mailing lists would be to reject mails from
such addresses. (Spoofing the From header by removing the author's address
and replacing it with the list's address, and so hiding the original author,
could of course also be done, but is not really a good solution.)

Roland


Re: Validation DMARC

Wesley Peng-4
Google Groups replaces the From: with their group address. The big providers I know of that have a strict DMARC setting are:

mail.ru
laposte.net

I am glad the larger providers like Gmail and Outlook don't have this stupid setting.

Regards

On Sat, Nov 23, 2019, at 5:13 PM, Roland Köbler wrote:
Hi,

> When validating DMARC, does it use the envelope address, or the From address from the header?
It unfortunately uses the From header.
(If it used the envelope address, it would not cause that many
problems.)

Or in short: DMARC intentionally breaks every mailing list and every mail forwarding.
So, if a mail provider uses a strict DMARC policy, it effectively
says: "Our mail addresses may not be used for mailing lists."

The cleanest solution for mailing lists would be to reject mails from
such addresses. (Spoofing the From header by removing the author's address
and replacing it with the list's address, and so hiding the original author,
could of course also be done, but is not really a good solution.)

Roland




Re: Validation DMARC

Dominic Raferd
In reply to this post by Roland Freikamp


On Sat, 23 Nov 2019 at 09:14, Roland Köbler <[hidden email]> wrote:
Hi,

> When validating DMARC, does it use the envelope address, or the From address from the header?
It unfortunately uses the From header.
(If it used the envelope address, it would not cause that many
problems.)

Or in short: DMARC intentionally breaks every mailing list and every mail forwarding.
So, if a mail provider uses a strict DMARC policy, it effectively
says: "Our mail addresses may not be used for mailing lists."

DMARC's focus on the From header is absolutely correct because it is about stopping forging. And it is simply untrue that DMARC breaks all mailing lists or that it breaks all mail forwarding.

I realise a lot of people on mailing lists about email have a downer on DMARC because depending on (a) the implementation of DKIM by the sender's domain controller and (b) on the setup of the mailing list it can - but often doesn't - cause problems. But it is a very powerful tool for preventing forging of emails. Domain controllers who are not bothered about forging of emails from their domain are not obliged to use it.

Re: Validation DMARC

Jaroslaw Rafa
In reply to this post by Wesley Peng-4
On 23.11.2019 at 17:19:53 Wesley Peng wrote:
> Google groups replace the from: with their group address.

I have never seen it and I'm subscribed to many Google-based mailing lists.
They replace the envelope from address (like almost every mailing list
server does), but keep the original From: header.

Replacing the From: header would be a very bad idea, as - as it was already
written - this header indicates the author of the message, and the author is
a particular sender writing to the list, and not the list itself.

Would you really like to see in your mail client a whole thread of messages
from a mailing list, each of them having "From:" address as the list's
address? What would you do if you need to quickly find a message written by
a particular person (for example, you) in this conversation?
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Validation DMARC

Wesley Peng-4
Hello

If you have used a mail.ru email for Google Groups, when you posted a message to the group, it will replace the From header with the list address.


On Sat, Nov 23, 2019, at 6:43 PM, Jaroslaw Rafa wrote:
On 23.11.2019 at 17:19:53 Wesley Peng wrote:
> Google groups replace the from: with their group address.

I have never seen it and I'm subscribed to many Google-based mailing lists.
They replace the envelope from address (like almost every mailing list
server does), but keep the original From: header.

Replacing the From: header would be a very bad idea, as - as it was already
written - this header indicates the author of the message, and the author is
a particular sender writing to the list, and not the list itself.

Would you really like to see in your mail client a whole thread of messages
from a mailing list, each of them having "From:" address as the list's
address? What would you do if you need to quickly find a message written by
a particular person (for example, you) in this conversation?
-- 
Regards,
   Jaroslaw Rafa
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."



Re: Validation DMARC

Jaroslaw Rafa
On 23.11.2019 at 19:10:51 Wesley Peng wrote:
>
> If you have used a mail.ru email for Google Groups, when you posted a
> message to the group, it will replace the From header with the list address.

Does it re-sign the message then? Because replacing the From: header would
break DKIM, as this header is always signed...
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Validation DMARC

Wesley Peng-4
I'm not sure, you may refer to this discussion,



On Sat, Nov 23, 2019, at 7:23 PM, Jaroslaw Rafa wrote:
On 23.11.2019 at 19:10:51 Wesley Peng wrote:

> If you have used a mail.ru email for Google Groups, when you posted a
> message to the group, it will replace the From header with the list address.

Does it re-sign the message then? Because replacing the From: header would
break DKIM, as this header is always signed...
-- 
Regards,
   Jaroslaw Rafa
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."



Re: Validation DMARC

Richard Damon
In reply to this post by Dominic Raferd
On 11/23/19 4:26 AM, Dominic Raferd wrote:

>
>
> On Sat, 23 Nov 2019 at 09:14, Roland Köbler
> <[hidden email] <mailto:[hidden email]>>
> wrote:
>
>     Hi,
>
>     > When validating DMARC, does it use the envelope address, or the From
>     address from the header?
>     It unfortunately uses the From header.
>     (If it used the envelope address, it would not cause that many
>     problems.)
>
>     Or in short: DMARC intentionally breaks every mailing list and
>     every mail forwarding.
>     So, if a mail provider uses a strict DMARC policy, it effectively
>     says: "Our mail addresses may not be used for mailing lists."
>
>
> DMARC's focus on the From header is absolutely correct because it is
> about stopping forging. And it is simply untrue that DMARC breaks all
> mailing lists or that it breaks all mail forwarding.
>
> I realise a lot of people on mailing lists about email have a downer
> on DMARC because depending on (a) the implementation of DKIM by the
> sender's domain controller and (b) on the setup of the mailing list it
> can - but often doesn't - cause problems. But it is a very powerful
> tool for preventing forging of emails. Domain controllers who are not
> bothered about forging of emails from their domain are not obliged to
> use it.

Many mailing lists will break under DMARC, as in many jurisdictions they
appear to fall under regulations that are designed for commercial
mailings, which include a requirement that all messages have a clearly
spelled out method to unsubscribe from that list. The standard solution
is to add a footer to the message with that information, which thus
breaks the DKIM signature. Since under DMARC both SPF and DKIM are based
on the From: header of the message, the list is unable to distribute
messages from domains with strict DMARC as their From, even though that
is what a plain reading of the email RFC would require (the mailing list
has NOT become the author by a mechanical editing of the message).

The DMARC group admits that this is a problem, but their main solution
is to just tell all mailing lists that they need to change the From of
messages to be the list so their method can be used. This causes lots of
problems; the real answer is that DMARC is not suitable for general mail
providers. It is really intended to be used by institutions that do
transactional email, and those users don't need to use mailing lists.

Note, the problem is that DMARC for general email has an incredibly high
false positive rate. What would you think if your mail provider adopted
a spam filter that declared 20% of your legitimate email as spam and
just discarded it? This is not a bad equivalent to the providers using a
method that declares mailing lists using the traditional methods that have
been used for decades as 'forgers'.

--
Richard Damon
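To make concrete what the footer does to the signature (and what a From: rewrite does, as Jaroslaw noted earlier in the thread), here is an added worked example that is not part of this thread or of any list software. It implements the DKIM body hash (bh=) with "simple" body canonicalization and the "relaxed" header canonicalization of RFC 6376 on a constructed message; the addresses author.example and lists.example, the header values and the footer text are assumptions. It does not verify the b= signature itself, only the two signed inputs a list alters, and it ignores DKIM's bottom-up selection of duplicate header fields.

```python
import base64
import hashlib

# Constructed sample message (assumption, not from the thread).
ORIGINAL_FROM = "Wesley Peng <wesley@author.example>"
ORIGINAL_BODY = "Hi,\n\nwhen validating DMARC, which address is used?\n\nThanks\n"
LIST_FOOTER = "\n--\nlist mailing list\nTo unsubscribe: https://lists.example/unsubscribe\n"


def canon_body_simple(body: str) -> bytes:
    """RFC 6376 section 3.4.3 'simple' body canonicalization: CRLF line
    endings, all trailing empty lines removed, exactly one CRLF at the end."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text.encode("utf-8")


def body_hash(body: str) -> str:
    """The value a signer puts in the bh= tag (sha256, base64)."""
    digest = hashlib.sha256(canon_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def canon_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    field name, unfold, collapse whitespace runs to one space, strip the ends."""
    unfolded = value.replace("\r\n", "")
    return f"{name.lower()}:{' '.join(unfolded.split())}\r\n"


def signed_header_input(headers: dict, h_tag: str) -> bytes:
    """The header block the b= signature is computed over, in h= order.
    The DKIM-Signature field itself (with b= emptied) is omitted here."""
    lower = {k.lower(): v for k, v in headers.items()}
    block = "".join(canon_header_relaxed(n, lower[n.lower()]) for n in h_tag.split(":"))
    return block.encode("utf-8")


def verify_body_hash(body: str, bh_tag: str) -> bool:
    """The first check a DKIM verifier performs; a mismatch is a hard fail."""
    return body_hash(body) == bh_tag


def mailing_list_effects() -> dict:
    """Sign at the author's server, then apply edits a list might make, and
    report whether each step still matches the bh= and header input from
    signing time (a real verifier would then also check the b= signature)."""
    h_tag = "From:Subject:Date"
    headers = {"From": ORIGINAL_FROM, "Subject": "Validation DMARC",
               "Date": "Fri, 22 Nov 2019 19:12:00 -0500"}
    bh_at_signing = body_hash(ORIGINAL_BODY)
    header_input_at_signing = signed_header_input(headers, h_tag)

    # 1. CRLF/LF changes and added trailing blank lines are absorbed by canonicalization.
    whitespace_only = verify_body_hash(ORIGINAL_BODY.replace("\n", "\r\n") + "\n\n", bh_at_signing)
    # 2. An unsubscribe footer changes the canonical body, so bh= no longer matches.
    with_footer = verify_body_hash(ORIGINAL_BODY + LIST_FOOTER, bh_at_signing)
    # 3. Rewriting From: changes the signed header input; From is always in h=.
    rewritten = dict(headers, From="Wesley Peng via list <list@lists.example>")
    from_intact = signed_header_input(rewritten, h_tag) == header_input_at_signing
    # 4. Refolding a header is harmless under relaxed canonicalization.
    refolded = dict(headers, Subject="Validation\r\n  DMARC")
    refold_intact = signed_header_input(refolded, h_tag) == header_input_at_signing
    return {"whitespace_only": whitespace_only, "with_footer": with_footer,
            "from_rewrite_intact": from_intact, "refold_intact": refold_intact}


if __name__ == "__main__":
    for step, ok in mailing_list_effects().items():
        print(f"{step:20s} {'still verifies' if ok else 'DKIM fail'}")
```

Only the footer and the From: rewrite break the signature here; whitespace and folding changes do not, which is why a list that relays messages untouched (as Chris points out later in this thread) leaves a DKIM-signed message intact.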


Re: Validation DMARC

Richard Damon
In reply to this post by Roland Freikamp
On 11/23/19 4:13 AM, Roland Köbler wrote:

> Hi,
>
>> When validating DMARC, does it use the envelope address, or the From address from the header?
> It unfortunately uses the From header.
> (If it used the envelope address, it would not cause that many
> problems.)
>
> Or in short: DMARC intentionally breaks every mailing list and every mail forwarding.
> So, if a mail provider uses a strict DMARC policy, it effectively
> says: "Our mail addresses may not be used for mailing lists."
>
> The cleanest solution for mailing lists would be to reject mails from
> such addresses. (Spoofing the From header by removing the author's address
> and replacing it with the list's address, and so hiding the original author,
> could of course also be done, but is not really a good solution.)
>
> Roland
>
When Yahoo first implemented this many years ago, and caused massive
disruption to the mailing list community, that WAS one of the proposed
solutions: put yahoo.com on the 'can not post' list, but it was realized
that it wouldn't really hurt Yahoo, only some of its subscribers. It
might cause some members to leave Yahoo, but unlikely enough to really
matter to them, and might drive more traffic to Yahoo Groups (which at
the time was making them money, and got around the problem because it
was part of Yahoo).

--
Richard Damon


Re: Validation DMARC

Ralph Seichter-2
In reply to this post by Roland Freikamp
* Roland Köbler:

> Or in short: DMARC intentionally breaks every mailing list and every
> mail forwarding.

I doubt that it is broken "intentionally". ;-)

  "[I have] found that misunderstandings and indolence perhaps cause
  more errors in the world than cunning and malice. At least the latter
  two are certainly rarer." (J.W.v.Goethe, Die Leiden des jungen
  Werther, 1771)

-Ralph

Re: Validation DMARC

Richard Damon
On 11/23/19 12:30 PM, Ralph Seichter wrote:

> * Roland Köbler:
>
>> Or in short: DMARC intentionally breaks every mailing list and every
>> mail forwarding.
> I doubt that it is broken "intentionally". ;-)
>
>   "[I have] found that misunderstandings and indolence perhaps cause
>   more errors in the world than cunning and malice. At least the latter
>   two are certainly rarer." (J.W.v.Goethe, Die Leiden des jungen
>   Werther, 1771)
>
> -Ralph
>
They likely didn't go in with the thought that they needed something
that broke mailing lists (and full DMARC doesn't break simple
forwarding, as the DKIM signature should survive, still matching), but in
the development of it, they did realize that DMARC would break emails
from many standardly run mailing lists. Initially this was OK, as the
initial types of messages that they were trying to protect wouldn't go
through such systems. There were attempts to figure out how to improve
the system so that it would work more generally and be usable for the
wider usage, but that didn't pan out.

It was only the adoption of the system by Yahoo and AOL (without
informing their users of the consequences), and then them telling
mailing list operators that the mailing lists had to deal with the
damage, as they needed to adopt this for 'reasons'.

--
Richard Damon


Re: Validation DMARC

Chris Wedgwood
In reply to this post by Roland Freikamp
> Or in short: DMARC intentionally breaks every mailing list and every
> mail forwarding.  So, if a mail provider uses a strict DMARC policy,
> it effectively says: "Our mail addresses may not be used for
> mailing lists."

This message (I am replying to) from you on this mailing list is not
broken.

Re: Validation DMARC

Richard Damon
On 11/24/19 3:12 PM, Chris Wedgwood wrote:
>> Or in short: DMARC intentionally breaks every mailing list and every
>> mail forwarding.  So, if a mail provider uses a strict DMARC policy,
>> it effectively says: "Our mail addresses may not be used for
>> mailing lists."
> This message (I am replying to) from you on this mailing list is not
> broken.
>
This list is somewhat unusual in that it doesn't include a footer with
list instructions, nor does it add a subject identifier to quickly
identify that the message comes from this list.

My guess is that two things are likely true:

1) This list is not run in a locality that requires obvious
unsubscription instructions, or that it has been decided that the
List-Unsubscribe header is good enough to meet that requirement

2) It is presumed that subscribers to this list are competent enough to
not need to be reminded about operating instructions. (This list's
subject matter is fairly technical, so not apt to draw less technically
adept subscribers).

--
Richard Damon


Re: Validation DMARC

Wesley Peng-4
In reply to this post by Chris Wedgwood
Why doesn't it break From: header SPF? Just curious

On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
> Or in short: DMARC intentionally breaks every mailing list and every
> mail forwarding.  So, if a mail provider uses a strict DMARC policy,
> it effectively says: "Our mail addresses may not be used for
> mailing lists."

This message (I am replying to) from you on this mailing list is not
broken.


Re: Validation DMARC

Ralph Seichter-2
* Wesley Peng:

> Why doesn't it break From: header SPF? Just curious

See https://tools.ietf.org/html/rfc7208, in particular the "MAIL FROM
Definition" section.

-Ralph

Re: Validation DMARC

Richard Damon
In reply to this post by Wesley Peng-4
On 11/24/19 6:21 PM, Wesley Peng wrote:

> Why doesn't it break From: header SPF? Just curious
>
> On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
>> > Or in short: DMARC intentionally breaks every mailing list and every
>> > mail forwarding.  So, if a mail provider uses a strict DMARC policy,
>> > it effectively says: "Our mail addresses may not be used for
>> > mailing lists."
>>
>> This message (I am replying to) from you on this mailing list is not
>> broken.
>>
It DOES break DMARC/SPF, as the IP address the message comes from
doesn't match the From of the message, but with DMARC if EITHER SPF or
DKIM pass, the message is to be considered to pass.

A Domain with strict DMARC, and which doesn't DKIM sign messages, will
fail with any form of remailer, so would fail for this application.

--
Richard Damon
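Richard's rule here (SPF via a list fails alignment, yet DMARC passes if either SPF or DKIM passes) and his first reply in this thread (both checks are measured against the From: header, not the identifiers SPF and DKIM authenticate on their own) can be shown as a small evaluator. This is an added example, not part of the thread or of any DMARC implementation: it takes the SPF and DKIM results a receiver already has and applies the RFC 7489 identifier-alignment and pass rules. The domains author.example and lists.example and the scenarios are constructed; org_domain() is a two-label stand-in for the Public Suffix List lookup a real implementation does.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two labels.
    Real DMARC code consults the Public Suffix List (think example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1 identifier alignment: 's' = exact match,
    'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def rfc5322_from_domain(from_header: str) -> str:
    """Domain of the addr-spec in From:, the one identifier DMARC is about."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no addr-spec in From: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


@dataclass
class AuthResults:
    """What the receiving MTA learned before DMARC runs: the SPF result for the
    envelope MAIL FROM domain, and each DKIM signature's result with its d=."""
    spf_result: str                                         # "pass", "fail", "none", ...
    spf_domain: str                                         # MAIL FROM domain (HELO if MAIL FROM is empty)
    dkim: list = field(default_factory=list)                # [(result, d= domain), ...]


def dmarc_evaluate(from_header: str, auth: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """RFC 7489 section 6.6.2: DMARC passes if an aligned SPF pass OR an aligned
    DKIM pass exists. An SPF or DKIM pass for an unaligned domain counts for nothing."""
    from_domain = rfc5322_from_domain(from_header)
    spf_aligned = auth.spf_result == "pass" and aligned(auth.spf_domain, from_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, adkim) for res, d in auth.dkim)
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "result": "pass" if spf_aligned or dkim_aligned else "fail"}


def scenarios() -> dict:
    """Constructed cases: the same author message delivered directly and via a
    mailing list that, like almost all lists, rewrites the envelope sender."""
    author_from = "Wesley Peng <wesley@author.example>"
    cases = {
        # Direct delivery: both identifiers belong to the author's domain.
        "direct": (author_from, AuthResults("pass", "author.example", [("pass", "author.example")])),
        # Via list, body untouched: SPF authenticates the list's bounce domain
        # (not aligned), but the author's DKIM signature still passes.
        "list_no_footer": (author_from, AuthResults("pass", "lists.example", [("pass", "author.example")])),
        # Via list with a footer: author's signature broken; the list's own
        # signature passes but its d= is not aligned with From.
        "list_with_footer": (author_from, AuthResults("pass", "lists.example",
                             [("fail", "author.example"), ("pass", "lists.example")])),
        # Via list that rewrites From: to its own address: aligned again, at the
        # cost of From: no longer naming the author.
        "list_from_rewrite": ("Wesley Peng via list <list@lists.example>",
                              AuthResults("pass", "lists.example", [("pass", "lists.example")])),
        # Strict policy, no DKIM signing at all: nothing survives any remailer.
        "no_dkim_via_list": (author_from, AuthResults("pass", "lists.example", [])),
    }
    return {name: dmarc_evaluate(frm, auth)["result"] for name, (frm, auth) in cases.items()}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} DMARC {result}")
```

The "list_no_footer" case is this list: SPF fails alignment, DKIM carries the message. The "no_dkim_via_list" case is the domain Richard describes in his last sentence, which fails through any remailer.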


Re: Validation DMARC

Wesley Peng-4
That's a great explanation. Thanks Richard.

On Mon, Nov 25, 2019, at 7:33 AM, Richard Damon wrote:
On 11/24/19 6:21 PM, Wesley Peng wrote:
> Why doesn't it break From: header SPF? Just curious
>
> On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
>> > Or in short: DMARC intentionally breaks every mailing list and every
>> > mail forwarding.  So, if a mail provider uses a strict DMARC policy,
>> > it effectively says: "Our mail addresses may not be used for
>> > mailing lists."
>>
>> This message (I am replying to) from you on this mailing list is not
>> broken.
>>
It DOES break DMARC/SPF, as the IP address the message comes from
doesn't match the From of the message, but with DMARC if EITHER SPF or
DKIM pass, the message is to be considered to pass.

A Domain with strict DMARC, and which doesn't DKIM sign messages, will
fail with any form of remailer, so would fail for this application.

-- 
Richard Damon



Re: Validation DMARC

Dominic Raferd
In reply to this post by Richard Damon


On Sun, 24 Nov 2019 at 23:34, Richard Damon <[hidden email]> wrote:
On 11/24/19 6:21 PM, Wesley Peng wrote:
> Why doesn't it break From: header SPF? Just curious
>
> On Mon, Nov 25, 2019, at 4:12 AM, Chris Wedgwood wrote:
>> > Or in short: DMARC intentionally breaks every mailing list and every
>> > mail forwarding.  So, if a mail provider uses a strict DMARC policy,
>> > it effectively says: "Our mail addresses may not be used for
>> > mailing lists."
>>
>> This message (I am replying to) from you on this mailing list is not
>> broken.
>>
It DOES break DMARC/SPF, as the IP address the message comes from
doesn't match the From of the message, but with DMARC if EITHER SPF or
DKIM pass, the message is to be considered to pass.

A Domain with strict DMARC, and which doesn't DKIM sign messages, will
fail with any form of remailer, so would fail for this application.

Anyone using DMARC with p=reject and without using DKIM signing is asking for trouble - this should never be done intentionally. I have seen it happen by mistake (usually by public bodies e.g. police, HMRC...).

Assuming the message is DKIM-signed (and the signing is only on the critical headers, as it normally is) then DMARC won't cause problems on this mailing list. For other mailing lists YMMV.

We have used DMARC with p=reject on domains for personal and business use for several years and have never had any rejections or 'false positives' as a result. I don't use such domains for posting to mailing lists, and no one else using our domains has ever tried to.