The mailing list for listmasters using Sympa

[Matthew Caron <address@concealed>]

Hey, thanks Steve! I've been doing embedded for the past 9 years, so DMARC 
wasn't a thing back when I was still doing servers professionally. Thanks for 
filling in those holes.

On May 26, 2016 6:31:24 PM EDT, Steve Shipway <address@concealed> 
wrote:
>> Short answer: Because it has to, else things will bounce.
>
>As Matthew (very amusingly) explained ( I will probably steal that for
>use
>elsewhere :) )
>
>There's a bit more to it, as well.  Some technical blah follows:
>
>The SMTP standards were originally written to account for this problem,
>using the special 'Sender' header to handle the 'secretary scenario' --
>where someone (eg, Sympa, or Sharon the secretary) sends a message on
>your
>behalf (eg, because you're using a mailing list, or because you're too
>thick^Wimportant to operate email).  In these cases, the SPF rules
>should
>verify the 'envelope sender' and the PRA (IE, the Sender rather than
>the
>From) and all would still be well.  DKIM digital signatures could be
>placed
>for either domain, so no problem signing it with the secretary domain
>and
>stripping the digital signature from the original From person.  Note
>that
>and From-domain DKIM signatures had to be stripped, as mailinglists
>modify
>the message content (by adding footers, tagging subject lines, etc),
>making
>them invalid.
>
>Then along came the abysmally written DMARC standard, which specified
>that
>not only must a DKIM signature exist, but also that it has to
>correspond to
>the domain in the From header, regardless of if there is a Sender
>header
>present (SPF was fine because it used the envelope sender, which was
>already
>replaced by the secretary address, and the PRA).  To make it even
>worse, the
>DMARC protocol specifies what to do with failing messages, and the
>default
>is 'drop'.
>
>This meant that all mailing lists broke for domains with DMARC records,
>as
>they could not provide a valid DKIM signature for the From domain (only
>for
>the secretary domain), and the old trick of simply stripping the old
>invalid
>one would no longer work.
>
>As a result, mailing lists like Sympa are forced to use the DMARC
>Protection
>method, which involves breaking the original SMTP Standards and setting
>the
>From header to be some form of the mailinglist domain rather than the
>original one.
>
>Steve
>
>Steve Shipway
>T: +64 9 3737 599 ext 86487
>E: address@concealed

-- 
"To compel a man to furnish funds for the propagation of ideas he
disbelieves and abhors is sinful and tyrannical."
- Thomas Jefferson, _A Bill For Establishing Religious Freedom_
PGP Key: http://www.mattcaron.net/pgp_key.txt
~~ Matt Caron ~~