[Mailman-Users] (relatively) new DMARC issues - and Gmail

Mon Apr 2 19:47:04 EDT 2018

On 03/31/2018 11:31 AM, Lindsay Haisley wrote:
> 
> At some point Amazon (amazon.com) started publishing a DMARC
> "p=quarantine" policy, which means that any email which gets redirected
> and hits my dmarc_shield piece is going to have its From address re-
> written to "postmaster at fmp.com" (fmp.com has a proper SPF record).

Why do you feel this is necessary?

I suppose it is possible that amazon publishises a DMARC policy and does
NOT DKIM sign it's outgoing email but relies solely on SPF domain
alignment to pass DMARC, but I think this would be a rare exception.

If the mail from Amazon is DKIM signed with an aligned domain and you
make no transformations that would break that sig, i.e. you are a simple
.forward or alias type forwarder, the DKIM sig will still validate at
the receiver and you don't need to munge the From:

> Here's the really annoying thing. My dmarc_shield processor rewrites
> the From header as per SOP for Mailman with the proper switch turned
> on. The From header address becomes "postmaster at fmp.com" with the
> original From address in the address comment (from xxx at yyz.com). If
> the email didn't already have a Reply-To address, the original From
> address is inserted as the Reply-To address. If a Gmail user replies to
> such an email, the reply goes to the Reply-To address, but Gmail
> **whitelists** the From address! Thereafter, any email which comes in
> with a munged From address is accepted, bypassing Gmail's otherwise
> pretty good spam filtering. I'm noticing a lot of spam email going out
> with From addresses for which a DMARC "p=reject" policy is published,
> which means that any such spam redirected to the Gmail user via FMP is
> also whitelisted. Bah! It's a fucking war zone out there!

The first question is why would the ultimate gmail recipient reply to
the spam in the first place.

The next question is assuming it is spam, does it originate from an
amazon server. If not, it should fail DMARC when you receive it and you
should consider honoring the amazon DMARC police and not forward the mail.

And if it does originate from an amazon server with a valid DKIM sig are
you making transformations that invalidate the DKIM sig?

Again, if not, if you are a simple forwarder, you shouldn't need to mung
the From:.

I understand part of the intent is a heads-up to people like me, and in
my case, I am not a simple forwarder, but I'm hopeful that eventually at
least, ARC can help, but I still don't understand why this is an issue
for you.

It seems your case is simple. If it fails DMARC when it reaches you,
honor the p=quarantine and don't forward the mail. If it passes DMARC
based on DKIM, forward it without munging the From:. That leaves only
the case where it passes DMARC solely on SPF, and my guess is that this
is an empty or almost empty set.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan