[dmarc-discuss] mailing lists, was SPF pass / fail
sklist at kitterman.com
Mon Mar 5 09:54:27 PST 2012
On Monday, March 05, 2012 12:34:54 PM Jim Popovitch wrote:
> On Mon, Mar 5, 2012 at 12:27 PM, Al Iverson <aiverson at spamresource.com>
> > On Mon, Mar 5, 2012 at 11:12 AM, Franck Martin <fmartin at linkedin.com>
> >> The FAQ explores that question.
> > Yeah, it does contain some pretty explicit suggestions. From
> > http://dmarc.org/faq.html
> > I operate a mailing list, what should I do?
> > DMARC introduces the concept of aligned identifiers. It means the
> > domain in the from header must match the d= in the DKIM signature and
> > the domain in the mail from envelope.
> > You have a few solutions:
> > - operate as a strict forwarder, where the message is not changed and
> > the validity of the DKIM signature is preserved
> > - introduce an "Original Authentication Results" header to indicate
> > you have performed the authentication and you are validating it
> > - take ownership of the email, by removing the DKIM signature and
> > putting your own as well as changing the from header in the email to
> > contain an email address within your mailing list domain.
> I challenge everyone reading this to identify a mailinglist that will
> be on board with implementing those suggestions. To be clear, I
> hereby assert that NO reasonably utilized mailinglist will make those
> changes, in fact I think they will laugh at the suggestions (if they
> haven't already).
Independent of DMARC, mailing lists adding their own DKIM signature is a good
idea, but that won't change DMARC failures in any way since it will be a DKIM
signature with the list's domain, not the sender's.

In order for "Original Authentication Results" to be of any value, a receiver
needs to decide that it trusts the list that wrote the header. If they've
decided that, they may as well just white list them. I see no additional
advantage associated with the header field.

Virtually no mailing lists restrict modification to changes that won't break a
DKIM signature. I don't see that changing.

From an email architecture perspective, I think both email lists and
transparent forwarders (e.g. courtesy alumni.example.edu forwards) are agents
of the receiver (you have to sign up to get the mail) and so it's up to
receivers to figure out they trust these actors. I don't think any general
authentication technology can automate this process away.
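
Added example, not part of the original message or of any DMARC implementation: a small model of the identifier-alignment check, applied to the mailing-list options quoted from the FAQ, showing why a valid signature with the list's domain does not change the DMARC outcome. The domains, class names and scenarios are constructed; it assumes strict (exact-match) alignment and that one passing, aligned mechanism is enough for DMARC to pass.

```python
from dataclasses import dataclass, field

@dataclass
class DkimSig:
    d: str        # d= domain in the DKIM-Signature header
    valid: bool   # whether the signature still verifies at the receiver

@dataclass
class Message:
    header_from: str     # domain of the From: header
    envelope_from: str   # domain of the envelope MAIL FROM (checked by SPF)
    spf_pass: bool       # SPF result for envelope_from
    dkim: list = field(default_factory=list)

def aligned(domain: str, header_from: str) -> bool:
    # Simplification: exact (strict) match only, no organizational-domain lookup.
    return domain.lower().rstrip(".") == header_from.lower().rstrip(".")

def dmarc_pass(msg: Message) -> bool:
    # Assumed rule: one passing mechanism with an aligned domain is sufficient.
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from)
    dkim_ok = any(s.valid and aligned(s.d, msg.header_from) for s in msg.dkim)
    return spf_ok or dkim_ok

# Constructed domains and scenarios; the list is assumed to use its own
# envelope sender for bounce handling, so SPF passes for the list's domain.
AUTHOR, LIST = "author.example", "lists.example"

SCENARIOS = {
    # Message relayed unchanged: the author's signature survives.
    "strict forwarder": Message(AUTHOR, LIST, True, [DkimSig(AUTHOR, True)]),
    # Footer or subject tag breaks the author's signature; list adds its own.
    "modified, list re-signs": Message(
        AUTHOR, LIST, True, [DkimSig(AUTHOR, False), DkimSig(LIST, True)]),
    # List rewrites From: into its own domain and signs.
    "list takes ownership": Message(LIST, LIST, True, [DkimSig(LIST, True)]),
}

def evaluate_all() -> dict:
    return {name: dmarc_pass(msg) for name, msg in SCENARIOS.items()}

if __name__ == "__main__":
    for name, ok in evaluate_all().items():
        print(f"{name:26} DMARC {'pass' if ok else 'fail'}")
```

In the second scenario both SPF and the list's DKIM signature pass on their own, yet neither domain matches the From: header, so the DMARC evaluation fails.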