[Mailman-Users] DMARC and Gmail

Stephen J. Turnbull stephen at xemacs.org
Wed Apr 16 18:27:23 CEST 2014


Lindsay Haisley writes:

 > I've been working with the list admins of one of FMP's hosted lists and
 > they've seen over 100 addresses unsubscribed from the usual suspects -
 > yahoo.com, att.net, Comcast, etc., but no Gmail accounts and there are
 > 228 of them on the list.  Nonetheless, the PC World article [...]
 > lists Gmail as being one of the cooperating email service providers
 > honoring Yahoo's DMARC p=reject policy.

I wouldn't trust the popular press to be fully accurate.  Even one
test delivery failure would probably be counted as "honoring", and
it's not obvious that you need to specifically test mailing lists,
since DMARC doesn't explicitly allow treating different DMARC failures
differently.

 > I've been telling list admins to recommend that subscribers drop
 > their Yahoo accounts in favor of Gmail.

That remains good policy AFAICT.

 > What's the story here?

There are several possibilities.  One is that DMARC doesn't define the
semantics of "reject".  (Why doesn't that surprise me?)  Here's what
they say:

   15.4.  Rejecting Messages

   This proposal calls for rejection of a message during the SMTP
   session under certain circumstances.  This is typically done in one
   of two ways:

   o  Full rejection, wherein the SMTP server issues a 5xy reply code
      as an indication to the SMTP client that the transaction failed;
      the SMTP client is then responsible for generating notification
      that delivery failed (see Section 4.2.5 of [SMTP]).

   o  A "silent discard", wherein the SMTP server returns a 2xy reply
      code implying to the client that delivery (or, at least, relay)
      was successfully completed, but then simply discarding the
      message with no further action.

   Each of these has a cost.  For instance, a silent discard may
   prevent "backscatter" (the annoying generation of delivery failure
   reports, which go back to the RFC5321.MailFrom address, about
   messages that were fraudulently generated), but effectively means
   the SMTP server has to be programmed to give a false result, which
   can confound external debugging efforts.

A "silent discard" by Google is consistent with your observation,
since no bounce would be generated.

However, it is not consistent with Mark's experimental outcome.[1]  So
apparently, at least in their implementation of DMARC, Google takes
their "Don't Be Evil" slogan quite seriously.

It is clear to me that the "silent discard" method is the right way to
handle a DMARC p=reject policy.  Although the receiving MTA is "giving
a false result" in some sense, in fact the DMARC-using domain can
request a specific failure report which will enable the domain to
determine why non-delivery occurred despite an SMTP success.  If they
don't request such a report, too bad for their users.

Note that the "annoyance" mentioned in the 4th paragraph includes
denial of service to completely innocent third parties, i.e., the
DMARC-triggered unsubscribes that have been observed.


Footnotes: 
[1]  His message arrived while I was composing this one.
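Added example, not part of Stephen's message or of Mailman: a small parser for the DMARC TXT record syntax (RFC 7489) that shows what a p=reject domain has asked receivers to do and, following the argument above, whether it published a ruf= address so that a receiver's "silent discard" would still be reported back to the domain owner. The records fed to it are constructed; the function and field names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Defaults from RFC 7489 section 6.3 for tags a record may leave out.
DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0", "pct": "100",
            "rf": "afrf", "ri": "86400"}
VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcRecord:
    policy: str                  # p=  : requested handling of failing mail
    subdomain_policy: str        # sp= : falls back to p= when absent
    pct: int                     # pct=: share of failing mail the policy covers
    aggregate_reports: List[str]  # rua= mailto addresses
    failure_reports: List[str]    # ruf= mailto addresses
    failure_options: str         # fo=
    tags: Dict[str, str] = field(default_factory=dict)


def _mailto_list(value: str) -> List[str]:
    """Split a rua=/ruf= value into bare addresses, dropping size limits (!10m)."""
    addrs = []
    for uri in value.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!", 1)[0])
    return addrs


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse one DMARC TXT record; raises ValueError on malformed input."""
    order: List[str] = []
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        name, value = part.split("=", 1)
        name = name.strip().lower()
        order.append(name)
        tags[name] = value.strip()
    # v=DMARC1 must be the first tag, and p= is mandatory.
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError("record must carry p=none|quarantine|reject")
    merged = {**DEFAULTS, **tags}
    pct = int(merged["pct"])
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        aggregate_reports=_mailto_list(tags.get("rua", "")),
        failure_reports=_mailto_list(tags.get("ruf", "")),
        failure_options=merged["fo"],
        tags=merged,
    )


def discard_is_visible_to_domain(rec: DmarcRecord) -> bool:
    """True if a receiver that accepts (2xy) and then drops the message can
    still tell the domain owner: the domain published a ruf= address."""
    return bool(rec.failure_reports)


def describe(rec: DmarcRecord) -> str:
    """Human-readable summary of what the record asks of receivers."""
    lines = [f"p={rec.policy} (applies to {rec.pct}% of failing mail; "
             f"subdomains: {rec.subdomain_policy})"]
    if rec.policy == "reject":
        lines.append("receivers may bounce (5xy) or silently discard (2xy, then drop)")
    if discard_is_visible_to_domain(rec):
        lines.append("ruf= set: silent discards are reported to "
                     + ", ".join(rec.failure_reports))
    else:
        lines.append("no ruf= address: silent discards are invisible to the domain owner")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed records, not real published DNS data.
    for record in (
        "v=DMARC1; p=reject; rua=mailto:agg@example.com; "
        "ruf=mailto:fail@example.com!10m; fo=1",
        "v=DMARC1; p=reject; sp=none",
    ):
        print(describe(parse_dmarc(record)))
        print()
```

The second constructed record is the case the message criticises: p=reject with no ruf= address, so a receiver that chooses the "silent discard" path leaves the domain owner with no signal that its users' mail to lists is disappearing.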
