
devel - [devel@sympa] DKIM2 and Sympa

Subject: Developers of Sympa

  • From: "John Levine" <address@concealed>
  • To: address@concealed
  • Subject: [devel@sympa] DKIM2 and Sympa
  • Date: 30 Oct 2024 19:47:18 -0400

As you may have noticed, the DMARC mail security scheme screwed up mailing
lists, forcing ugly workarounds like putting the list address on the From
line so you can't tell who sent each message. Then they invented ARC,
which was supposed to help lists deal with DMARC but turned out not to be
useful for reasons I can discuss if you want.

The DMARC problem is due to the fact that DMARC wants senders to put a DKIM
signature on the mail, but when lists make normal changes to messages it
invalidates the DKIM signature. It turns out that's not the only problem
with DMARC and DKIM, e.g., it allows replay attacks, in which someone sends
himself a message that passes DMARC and DKIM and then spams out a zillion
copies to other people.

Rather than put another band-aid (sticking plaster) on DMARC, we have a
new proposal to fix DKIM, described here:

https://datatracker.ietf.org/doc/draft-gondwana-dkim2-motivation/

For mailing lists, it will define an algebra the list can put in the
message header describing what changes it made to the message. This lets
the recipient reconstruct the original message and validate the original
DKIM2 signature, and accept the message if so. We're reasonably sure this
will work if list software can describe the modifications they made. (The
draft describing the algebra in detail will be out on Monday.)

Take a look and see if you think this is workable. If so, there'll probably
be money to pay someone to do the necessary changes to list software. It
might be me, since I did the ARC code for Sympa.

Regards,
John Levine, address@concealed, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
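
The message above says a list's normal changes invalidate the DKIM signature and that a description of those changes would let the recipient reconstruct the original. The sketch below is an added example, not part of the original post and not code from Sympa or the DKIM2 draft. The body hash follows RFC 6376 relaxed canonicalization; the modification record (`op`, `length`) is a hypothetical format invented for illustration and is not the DKIM2 algebra.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of spaces/tabs to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a DKIM signer places in the bh= tag (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def list_add_footer(body: bytes, footer: bytes):
    """List side: append a footer and record how to undo it (hypothetical format)."""
    return body + footer, {"op": "appended", "length": len(footer)}

def recipient_undo(modified: bytes, record: dict) -> bytes:
    """Recipient side: reverse the recorded change; reject records that do not fit."""
    n = record.get("length")
    if record.get("op") != "appended" or not isinstance(n, int) or not 0 < n <= len(modified):
        raise ValueError("unusable modification record")
    return modified[:-n]

def verify_through_list(signed_bh: str, received: bytes, record: dict) -> bool:
    """True only if undoing the recorded change yields the body the author signed."""
    try:
        return body_hash(recipient_undo(received, record)) == signed_bh
    except ValueError:
        return False

# Constructed sample message body and list footer.
ORIGINAL = b"Hello list,\r\n\r\nDKIM2 looks workable.\r\n"
FOOTER = b"-- \r\nTo unsubscribe, mail the list server.\r\n"
SIGNED_BH = body_hash(ORIGINAL)
DELIVERED, RECORD = list_add_footer(ORIGINAL, FOOTER)

if __name__ == "__main__":
    print("hash survives footer:", body_hash(DELIVERED) == SIGNED_BH)
    print("valid after undo:", verify_through_list(SIGNED_BH, DELIVERED, RECORD))
    tampered = DELIVERED.replace(b"workable", b"broken!!")
    print("tampered, after undo:", verify_through_list(SIGNED_BH, tampered, RECORD))
```

The recipient trusts the record only as far as it reproduces the signed hash: a record that does not fit, or content changed beyond what the record describes, still fails verification.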

