The mailing list for listmasters using Sympa

[Steve Rich <address@concealed>]

>To make it even worse, the
>DMARC protocol specifies what to do with failing messages, and the default
>is 'drop'.

I don’t know that this part is necessarily true.  The policy for messages 
that fail dkim or spf is based on what is in DNS.  Possible options are none 
(very useful for reporting), quarantine (effectively interpreted as put it in 
junk), and reject (discard).  Some ISPs (I’m looking at you AOL and Yahoo) 
have a p=reject set.  Interesting note, Google decided that those 2 are kind 
of jerks and treat p=reject policies the same as p=quarantine.  The messages 
still end up in junk, but at least you get the message delivered.

Thanks,
Steve



On 5/26/16, 6:31 PM, "Steve Shipway" <address@concealed 
on behalf of address@concealed> wrote:

>> Short answer: Because it has to, else things will bounce.
>
>As Matthew (very amusingly) explained ( I will probably steal that for use
>elsewhere :) )
>
>There's a bit more to it, as well.  Some technical blah follows:
>
>The SMTP standards were originally written to account for this problem,
>using the special 'Sender' header to handle the 'secretary scenario' --
>where someone (eg, Sympa, or Sharon the secretary) sends a message on your
>behalf (eg, because you're using a mailing list, or because you're too
>thick^Wimportant to operate email).  In these cases, the SPF rules should
>verify the 'envelope sender' and the PRA (IE, the Sender rather than the
>From) and all would still be well.  DKIM digital signatures could be placed
>for either domain, so no problem signing it with the secretary domain and
>stripping the digital signature from the original From person.  Note that
>and From-domain DKIM signatures had to be stripped, as mailinglists modify
>the message content (by adding footers, tagging subject lines, etc), making
>them invalid.
>
>Then along came the abysmally written DMARC standard, which specified that
>not only must a DKIM signature exist, but also that it has to correspond to
>the domain in the From header, regardless of if there is a Sender header
>present (SPF was fine because it used the envelope sender, which was already
>replaced by the secretary address, and the PRA).  To make it even worse, the
>DMARC protocol specifies what to do with failing messages, and the default
>is 'drop'.
>
>This meant that all mailing lists broke for domains with DMARC records, as
>they could not provide a valid DKIM signature for the From domain (only for
>the secretary domain), and the old trick of simply stripping the old invalid
>one would no longer work.
>
>As a result, mailing lists like Sympa are forced to use the DMARC Protection
>method, which involves breaking the original SMTP Standards and setting the
>From header to be some form of the mailinglist domain rather than the
>original one.
>
>Steve
>
>Steve Shipway
>T: +64 9 3737 599 ext 86487
>E: address@concealed
>