[BCLUG] Interesting email about domain expiring - SPF vs SPAM question

Rick Moen rick at linuxmafia.com
Fri Aug 19 23:02:49 EDT 2022


Quoting BCLUG (admin at bclug.ca):

> I have DKIM, and tweaked my DMARC record(s).  I think I need to
> review postfix's (SMTP in general) envelope vs From.

A few words about _why_ I eschew DKIM/DMARC follow.

This is a complex topic, and I'm not going to spend the time to nail
down all the piddly details nor to disarm in advance all possible
nitpicks, nor to document and detail everything.

1.  DKIM addresses a problem I don't care about -- crypto-signing
selected parts of an SMTP RFC 5322 message payload so that it can be
proved that contents have not been modified in transit since the
signature was affixed.

2.  An adequate solution to that (IMO) non-problem already existed for
anyone who actually cared, in the form of PGP-signing.  Yes, PGP has
key-management baggage.  All cryptography has that.  Yes, PGP is
complex.  But, seriously, if you're actually worried about Moriarty the
Napoleon of Crime buggering the contents of your individual mails in
transit, (a) you can figure out PGP and so can your equally motivated
recipients, and (b) you're probably solving the wrong problem, i.e., 
why in the name of all that is holy are you relying on SMTP for secure
communication?

3.  The particular implementation of DKIM by the Firm Formerly Known as
Yahoo[1], and then wrapped into meta-spec DMARC, is as written infamously
hostile to the world's MLM-managed mailing lists, in that any message
from a subscriber posting from a domain with a strongly-asserted DMARC
policy (p=reject or p=quarantine), after retransmission to subscribers,
will fail DMARC alignment at receiving MTAs that enforce sending
domains' DMARC policies.

Here is one badly written reference to that problem:
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Annotations_by_mailing_lists
Here is a slightly better one:
https://en.wikipedia.org/wiki/DMARC#Mailing_lists

Consequently, postings to a mailing list from any domain with such a
DMARC policy in its DNS cause problems to other subscribers and the
listadmin.
o   Subscribers will mysteriously fail to get such postings.
o   Subscribers whose MTAs reject those postings will get
    elevated "bounce scores" and get their delivery disabled
    and unsubscribed if it happens often.
o   The listadmin is usually caught in the middle, having to
    investigate and deal with complaints and other problems
    like mysteriously disabled subscriptions.

Reason #3 is the particular motivator that led me to conclude that
DKIM/DMARC was botched.  The Firm Formerly Known as Yahoo[1] certainly
knew that it was breaking the world's mailing lists, and decided it
simply didn't care.  In fact, when confronted on this, they had the
temerity to add to the DKIM/DMARC documentation a ballsy claim that,
well, mailing lists will just all have to change, then.

The second Wikipedia link (above) lists workarounds for the problem,
including "From: rewriting", which stands as the least-bad kludge to
mitigate the awfulness.  E.g., a sufficiently recent release of
Mailman 2.1.x will offer a non-default listadmin setting to From:-munge
selectively _only_ postings from domains with p=reject or p=quarantine,
and not damage other subscribers' postings.[2]

What major domains do p=reject or p=quarantine?  Predictably, those
owned by The Firm Formerly Known as Yahoo (Oath, Inc., or Verizon Media,
or whatever the Gehenna they're called now[1]) do.

:r! dig -t txt _dmarc.yahoo.com. +short
"v=DMARC1\; p=reject\; pct=100\; rua=mailto:d at rua.agari.com\; ruf=mailto:d at ruf.agari.com\;"

:r! dig -t txt _dmarc.aol.com. +short
"v=DMARC1\; p=reject\; pct=100\; rua=mailto:d at rua.agari.com\; ruf=mailto:d at ruf.agari.com\;"

Tragically, also:

:r! dig -t txt _dmarc.mac.com. +short
"v=DMARC1\; p=quarantine\; sp=quarantine\; rua=mailto:d at rua.agari.com\; ruf=mailto:d at ruf.agari.com"

:r! dig -t txt _dmarc.icloud.com +short
"v=DMARC1\; p=quarantine\; sp=quarantine\; rua=mailto:d at rua.agari.com\; ruf=mailto:d at ruf.agari.com"


Last:

:r! dig -t txt _dmarc.bclug.ca +short
"v=DMARC1\;p=quarantine\;sp=quarantine\;pct=100\;aspf=r\;adkim=r\;fo=1:s:d:0\;rf=afrf\;ruf=mailto:info at bclug.ca"


Let your conscience be your guide, sir, but I certainly wouldn't shoot
at my _own_ feet that way.

Better check Mailman settings to make sure you have the recommended
(but non-default) DMARC-damage-mitigation kludge enabled, anyway.


[1] Yes, I know what they've been called since 2021, but I don't care,
so please don't tell me.

[2] Details:
https://lists.balug.org/pipermail/balug-admin/2022-July/001071.html
https://lists.balug.org/pipermail/balug-admin/2022-July/001077.html
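Added example, not part of Rick's post and not Mailman's own code: a small Python model of the two things the post turns on, (a) how a receiving MTA that enforces DMARC evaluates a message after a mailing list has relayed it with its own envelope sender and a modified body, and (b) the listadmin-side decision to From:-munge only posters whose domain publishes p=reject or p=quarantine. The "DNS" is a constructed dictionary seeded from the dig output quoted above (tags trimmed; no real lookups happen), and the organizational-domain logic is a deliberate simplification (last two labels) where real implementations consult the Public Suffix List. Function names are mine.

```python
"""Model of DMARC policy discovery, identifier alignment, and the
mailing-list From:-munging decision.  Constructed example; no network I/O."""

# Constructed stand-in for DNS: TXT at _dmarc.<domain>, written the way dig
# prints it (each ';' escaped as '\;').  Values are taken from the post's
# dig output, trimmed to the tags that matter here.
DMARC_TXT = {
    "yahoo.com":   'v=DMARC1\\; p=reject\\; pct=100\\; rua=mailto:d at rua.agari.com\\;',
    "icloud.com":  'v=DMARC1\\; p=quarantine\\; sp=quarantine\\;',
    "bclug.ca":    'v=DMARC1\\;p=quarantine\\;sp=quarantine\\;pct=100\\;aspf=r\\;adkim=r\\;fo=1:s:d:0\\;rf=afrf',
    "example.net": 'v=DMARC1\\; p=none\\;',   # constructed: monitoring-only domain
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1\\; p=reject\\; ...' into a tag dict; {} if not a DMARC record."""
    tags = {}
    for part in txt.replace("\\;", ";").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def org_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def effective_policy(from_domain, dns=DMARC_TXT):
    """Policy applying to the RFC 5322 From: domain (RFC 7489 sec. 6.6.3):
    an exact-domain record wins; otherwise the organizational domain's record
    applies, using sp= for subdomains when present, else p=.  No record: none."""
    from_domain = from_domain.lower().rstrip(".")
    rec = parse_dmarc(dns.get(from_domain, ""))
    if rec:
        return rec.get("p", "none"), rec
    org = org_domain(from_domain)
    if org != from_domain:
        rec = parse_dmarc(dns.get(org, ""))
        if rec:
            return rec.get("sp", rec.get("p", "none")), rec
    return "none", {}


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_result(from_domain, mail_from_domain, spf_pass, dkim_domain, dkim_pass,
                 dns=DMARC_TXT):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with From:.
    Returns (result, policy the receiver would apply on failure)."""
    policy, rec = effective_policy(from_domain, dns)
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, rec.get("aspf", "r"))
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(dkim_domain, from_domain, rec.get("adkim", "r")))
    return ("pass" if (spf_ok or dkim_ok) else "fail"), policy


def should_munge_from(from_domain, dns=DMARC_TXT):
    """Listadmin mitigation: rewrite From: only for p=reject / p=quarantine posters,
    leaving everyone else's headers alone."""
    policy, _ = effective_policy(from_domain, dns)
    return policy in ("reject", "quarantine")


if __name__ == "__main__":
    # Direct delivery from yahoo.com: SPF and DKIM both align, DMARC passes.
    print("direct:", dmarc_result("yahoo.com", "yahoo.com", True, "yahoo.com", True))
    # Same post relayed by a list: envelope sender is now the list's domain and
    # the appended footer broke the poster's DKIM signature.  Even a DKIM
    # signature the list adds is unaligned, so DMARC fails and p=reject applies.
    print("relayed:", dmarc_result("yahoo.com", "lists.example.org", True,
                                   "lists.example.org", True))
    # After From:-munging, the From: domain is the list's own, which has no
    # DMARC record, and the list's SPF aligns with it.
    print("munged:", dmarc_result("lists.example.org", "lists.example.org", True,
                                  None, False))
    for d in ("yahoo.com", "mail.icloud.com", "bclug.ca", "example.net"):
        print(d, "->", effective_policy(d)[0], "munge" if should_munge_from(d) else "leave")
```

Note that `effective_policy` treats an unknown subdomain of a published domain the way a receiver does: `mail.icloud.com` inherits `sp=quarantine`, and `mail.yahoo.com` inherits `p=reject` because yahoo.com publishes no `sp=`. That is why a selective From:-munging rule has to do the same fallback rather than checking only the exact posting domain.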
