[Mailman-Developers] Mailman DMARC Support (it's not what you think!)

Thu Nov 7 23:12:17 CET 2013

Jim -

On 11/7/13 12:58 PM, Jim Popovitch wrote:
> On Thu, Nov 7, 2013 at 1:23 PM, J. Trent Adams <jtrentadams at gmail.com> wrote:
[snip]
> Now we're left participating on mailing lists using personal mail
> accounts. As you can imagine, that makes many departments in the
> organization really nervous for a variety of obvious reasons.
> Which .... appears to be working well for you, mr
> jtrentadams@<freemailer.tld> ;-)

Indeed!  . . . though let's keep that on the down-low given the concern
about the apparent ease with which some entities seem to have access to
these accounts.  ;)

[ snip ]
> To be fair, Mailman doesn't modify the body, it does add footer
> attachments and follows existing RFC requirements for appending
> headers.  I wouldn't necessarily classify that in the same way as
> RFC5322 From spoofing.

Yeah, that's a fair point about Mailman using appropriate mechanisms to
append the footers. . .  But if a sender signs the subject header, does
the signature break if Mailman pre-pends (useful) info?

At the end of the day, though, assuming SPF and DKIM are the most
effective means of email authentication, DMARC is the only (current) way
to effectively close the loop.  And Mailman (my preferred MLM by far)
has an excellent opportunity to leap ahead of the pack and keep that
loop from being severed.

>
>> . . . unless someone can think of another clever way to maintain
>> effective end-to-end email authentication in a novel way? Perhaps
>> through the broader adoption of transitive trust (e.g. the Original
>> Authentication Results header)?
>>
>> Anyway, thanks for your careful consideration, and I do look forward to
>> continuing to discuss viable options for keeping email as trusted and
>> secure as possible.
> I'm not convince that email trust and security have any impact
> whatsoever on Mailman or MLMs in general.   I believe you can have
> secure and trusted email (i.e. ibm.com) yet not break MLMs.
>
> -Jim P.

Hmmm. . .  that's an interesting take.  A quick glance at ibm.com shows
that they SPF -all, so at least their top level domain shouldn't be
sending mail at all.  Is that what you meant?  Glancing at their
subdomains (e.g. us.ibm.com), though, shows that they're protected by
SPF ~all and not DMARC.  Given that many major mailbox providers only
soft fail ~all, it's still likely to see spoofed domain mail reach the
recipient. . .  Or am I missing something clever that they're doing
(which I should probably know about)?

Other than that, I believe that MLMs in general play a huge part in
trusted and secure mail.  Sure, they're not on the front line, but if
they require a hobbling of security of their subscribers to participate,
I see that as not so great.

Now, it's not a perfect analogy, but what if in order to ride the city
bus you were required to lick the handrails?  OK, it's not pretty, but
that'd be requiring you to do something inherently dangerous simply to
take advantage of public transportation.  I don't know about you, but
I'd prefer another mode of transport.

Anyway, I'd like to think that MLMs in general, and Mailman in specific
as the Cadillac (or should we say Tesla now?) of MLMs, should provide an
option to participate in as secure communication as possible.  Someone's
going to do it eventually, and I'm hoping that we can build on the
momentum here given that there are a few reasonably visible lists
willing to cut over to Mailman once their subscribers have a better
experience.

Thanks, by the way, for the discussion and consideration.

- Trent