[dmarc-discuss] DMARC thwarted already?

Al Iverson aiverson at spamresource.com
Thu Jun 5 11:26:57 PDT 2014


And also, do recognize that DMARC is only one part of the badness
prevention equation, it doesn't cover ever single eventuality. It
locks one door, not all doors, no? I'd be curious about that "left off
the domain" one; if an ISP were already rejecting mail from domains
that don't resolve, I doubt it would have been delivered.

Cheers,
Al Iverson

On Thu, Jun 5, 2014 at 12:37 PM, Les Barstow via dmarc-discuss
<dmarc-discuss at dmarc.org> wrote:
> I missed a few buy-in requirements for a full fix: updating a significant portion of the MUA user base, and updating installed mailing list and MTA software. (I.e buy-in from the Internet e-mail admin and user community.)
>
> -----Original Message-----
> From: Les Barstow
> Sent: Thursday, June 05, 2014 11:34 AM
> To: dmarc-discuss at dmarc.org
> Subject: RE: [dmarc-discuss] DMARC thwarted already?
>
> Mailing list display in MUAs has been broken / inconsistent for a long time. DMARC enforcement and workarounds are simply adding more fun to the mix IMHO.
>
> I think we're far enough along in the development of email solutions now (MUA address display, mailing list altering and resending of messages, SPF and DKIM interactions with resenders, DMARC enforcement of friendly from alignment...) that an honest person sitting back at a distance can blame every single one of these protocols and/or implementations for some portion of the problem we're seeing come together with DMARC enforcement and phishing attacks.
>
> Straightening it out "the right way" probably involves some combination of revisiting the definitions of the various From/Sender fields, compliance to those definitions within the DMARC spec, some kind of resender resign mechanism, and buy-in from MUA, mailing list, and MTA software providers.
>
> Anyone want to gamble on whether we could get everyone together and work out a real solution with those kinds of requirements? No? So we continue to look at band-aids.
>
> --
> Les Barstow
>
> -----Original Message-----
> From: dmarc-discuss [mailto:dmarc-discuss-bounces at dmarc.org] On Behalf Of Shal Farley via dmarc-discuss
> Sent: Thursday, June 05, 2014 11:02 AM
> To: Larry Finch
> Cc: dmarc-discuss
> Subject: Re: [dmarc-discuss] DMARC thwarted already?
>
> Larry wrote:
>
>> The other was sent to a Yahoo Groups list. As Yahoo Groups has their
>> own workaround this worked.
>
> Notably, Yahoo Groups' workaround is essentially suggestion 3B from the DMARC FAQ item "I operate a mailing list and I want to interoperate with DMARC, what should I do?"
> http://dmarc.org/faq.html#s_3
>
> For details see "DMARC-related changes in Yahoo Groups"
> http://yahoogroups.tumblr.com/post/85163779041/dmarc-related-changes-in-yahoo-groups
>
> The difficulty that has been plaguing Yahoo Groups members (and moderators) ever since that change is that a) some MUAs show only the display name part of the header From field; b) some show only the address part; and c) some show a name looked up from the user's address book. So everyone's experience is different, and rampant confusion has ensued.
>
> The problem in case (a) is exactly what you're talking about - the recipient sees only that the message "came from" the named person. Case (b) causes the opposite problem, the recipient can't tell which list member sent the message, and that's frustrating. Case (c) causes confusion, as the MUAs tend to default to case (a) when the group's address is not in the address book - so a recipient who is a member of multiple groups gets an apparently (to them) arbitrary selection of behaviors.
>
> In other words, it has been a rolling nightmare for group moderators as Yahoo chases workarounds to the workaround. Their first roll-out was suggestion 3A, but that caused immense backlash because so many replies that were intended to be private were instead sent to group posting address. So within two or three days they updated that to 3B. But 3B still leaves holes caused by MUAs that don't implement the Reply-To field.
>
> "Enhancements to email handling"
> http://yahoogroups.tumblr.com/post/87672106001/enhancements-to-email-handling
>
> To mangle a metaphor, DMARC broke it but instead of owning it they've averted their eyes while everyone else injures themselves on the shards of broken pottery strewn about.
>
> -- Shal
>
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss at dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
>
> _______________________________________________
> dmarc-discuss mailing list
> dmarc-discuss at dmarc.org
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)



-- 
Al Iverson | Chicago, IL | (312) 725-0130
Twitter: @aliverson / www.spamresource.com



More information about the dmarc-discuss mailing list