Channel: Terry Zink: Security Talk

Three options for solving the problem of DMARC’s incompatibility with mailing lists – Part 2


How can we solve the problem of mailing lists breaking DMARC?

1. Don’t let anyone with a DMARC record of p=reject join the mailing list

One solution is to moderate who joins the mailing list: subscribers from domains that you expect to fail DMARC after the list rewrites their mail cannot sign up.

This is the worst solution.

First, it excludes a large part of the population from joining a discussion list, since both yahoo.com and aol.com publish DMARC reject records. It also excludes people from joining a list with their corporate domains (i.e., using their work email address). I don’t know about you, but I wouldn’t mind having someone from twitter.com or linkedin.com on a discussion list; it makes their presence seem kind of official, as a representative of their company. Also, the overwhelming majority of people with @yahoo.com or @aol.com email addresses don’t know what DMARC is; they only know what email is. Why force them to get a second account?

Second, it’s philosophically wrong. We should be encouraging people to protect their domains with DMARC p=reject, not hack around it when it is inconvenient. What we’d be left with is only domains with weak authentication on mailing lists. If one-to-one email can be secure, so should mailing list traffic. It’s not the fault of domain owners that they publish DMARC; the DMARC standard should figure out a way to allow it.

2. Email filters shouldn’t enforce DMARC for mailing lists

A second idea is for email filters to keep track of reputation. If the filter knows that the mailing list generally sends good email to its recipients (to its own domain, e.g., if Hotmail/Outlook.com knows that @mailingList.org sends good email to @hotmail.com or @outlook.com), or knows that its users have @mailingList.org in their safe senders or contacts, or infers a relationship by analyzing sending patterns, it suppresses DMARC enforcement.

The idea here is that the email filter knows that DMARC will fail, but the reputation of the sending mail server, or established communication patterns, trumps the authentication failure.

The problem is that this is a lot of secret sauce, and it mostly works only at large providers like Gmail, Hotmail, Yahoo, etc. They can (and do) spend a lot of time keeping track of reputation, and it’s a bit different at each provider. And just because it works at one provider, or even most providers, a subscriber can still get bounced from the list if even one provider is still rejecting the message because of DMARC.

This solution kind of works, and is kind of enforced today at some email receivers, but it still suffers from a lack of uniformity across all email receivers.


3. Mailing lists need to stop breaking the original DKIM signature

We know that a forwarded message will fail SPF. Since SPF checks the connecting IP against the IPs listed in the MAIL FROM domain’s SPF record, a forwarded message can’t pass SPF: the forwarder’s sending IP is unlikely to be in the domain owner’s SPF record.

That’s why DKIM exists; DKIM is supposed to survive forwarding. So long as you don’t modify the message content, everything’s good. In other words, if this is the original message:

SMTP MAIL FROM: tzink@myPersonalDomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s2048;
  d=myPersonalDomain.com;
  h=From:To:Subject:MIME-Version;
  bh=<body hash #1>;
  b=<signature #1>
From: Terry Zink <tzink@myPersonalDomain.com>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Subject: Hi, I’m new here. Any good places to perform?

Hey, I’m new to the area and I like to perform for free. Are there any good places to go, like Pike Place Market, that don’t require a permit from the city?

Then the mailing list relays it to the destination and keeps it identical except for adding headers – no adding footers or modifying subject lines:

SMTP MAIL FROM: washingtonmagicians@mailinglist.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=s2048; d=myPersonalDomain.com;
  h=From:To:Subject:MIME-Version;
  bh=<body hash #1>;
  b=<signature #1>
From: Terry Zink <tzink@myPersonalDomain.com>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Subject: Hi, I’m new here. Any good places to perform?
List-Subscribe: http://washingtonmagicians.mailinglist.org
List-Post: mailto:washingtonmagicians@mailinglist.org
List-ID: Washington Magicians

Hey, I’m new to the area and I like to perform for free. Are there any good places to go, like Pike Place Market, that don’t require a permit from the city?

The message will fail SPF, but it will pass DKIM since neither the body of the message nor any of the signed headers has changed. Since the d= domain, myPersonalDomain.com, aligns with the header From domain, myPersonalDomain.com, DMARC passes.

The mailing list is now operating as a pure forwarder (almost). The only thing that has changed is the SMTP MAIL FROM. Indeed, there are some mailing lists that operate this way, even today.
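To make the pass/fail cases concrete, here is an added example (not code from the original post) that models DKIM relaxed canonicalization, the signed-header set and DMARC alignment over the message above: unsigned List-* headers added by the list leave the signature intact, while a subject tag or an appended footer breaks it. It assumes an HMAC key in place of the RSA key pair and strict (exact-match) alignment, both chosen to keep it self-contained.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the RSA key pair (HMAC-SHA256) so this runs offline;
# canonicalization, header selection and alignment are what the example shows.
SELECTOR_KEY = b"constructed-s2048-key"

def relaxed_body(body):
    # DKIM relaxed canonicalization: trim and collapse whitespace, drop trailing blank lines, CRLF.
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def header_hash_input(headers, signed, bh):
    # Last occurrence of a field wins; a field listed in h= but absent counts as empty.
    last = {n.lower(): v for n, v in headers}
    canon = [n.lower() + ":" + re.sub(r"\s+", " ", last.get(n.lower(), "")).strip() for n in signed]
    return ("\r\n".join(canon) + "\r\n" + bh).encode()

def dkim_sign(headers, body, domain, signed=("From", "To", "Subject", "MIME-Version")):
    bh = hashlib.sha256(relaxed_body(body).encode()).hexdigest()
    b = hmac.new(SELECTOR_KEY, header_hash_input(headers, signed, bh), "sha256").hexdigest()
    return {"d": domain, "h": signed, "bh": bh, "b": b}

def dkim_verify(headers, body, sig):
    if hashlib.sha256(relaxed_body(body).encode()).hexdigest() != sig["bh"]:
        return False  # body changed, e.g. a footer was appended
    expect = hmac.new(SELECTOR_KEY, header_hash_input(headers, sig["h"], sig["bh"]), "sha256").hexdigest()
    return hmac.compare_digest(expect, sig["b"])

def dmarc_pass(headers, body, sig, spf_aligned):
    # DMARC needs SPF or DKIM to pass AND align with the From: domain; strict
    # (exact-match) alignment keeps the example short.
    from_domain = dict((n.lower(), v) for n, v in headers)["from"].rsplit("@", 1)[-1].rstrip(">").lower()
    return spf_aligned or (dkim_verify(headers, body, sig) and sig["d"].lower() == from_domain)

ORIGINAL = [("From", "Terry Zink <tzink@myPersonalDomain.com>"),
            ("To", "Washington Magicians <washingtonMagicians@mailingList.org>"),
            ("Subject", "Hi, I'm new here. Any good places to perform?")]
BODY = "Hey, I'm new to the area and I like to perform for free.\n"
SIG = dkim_sign(ORIGINAL, BODY, "myPersonalDomain.com")

def relay_cases():
    # The list's own MAIL FROM never aligns with myPersonalDomain.com, so SPF is False throughout.
    pure = ORIGINAL + [("List-ID", "Washington Magicians")]  # unsigned headers added only
    tagged = [(n, "[WAMagic] " + v if n == "Subject" else v) for n, v in ORIGINAL]
    return {"pure_forwarder": dmarc_pass(pure, BODY, SIG, False),
            "subject_tag": dmarc_pass(tagged, BODY, SIG, False),
            "footer": dmarc_pass(pure, BODY + "--\nList info: ...\n", SIG, False)}
```

Only the pure-forwarder case passes; a signature the list adds under its own d= would verify but not align with the From domain, so it does not rescue DMARC either.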

The problem is that modifying the subject line and adding footers is useful. If it weren’t, mailing lists wouldn’t do it. It’s done to give users a visual indicator that the message comes from a list, and many people create rules in their local email clients that sort messages on that tag. The footers help people sign up and get more information about the list.

While operating as a pure forwarder gets around the problem, it loses some of the most useful parts of mailing lists – letting the recipient know they are getting a message from a mailing list.

No, this solution isn’t a great option. It works in some cases, but not in many others.

=================

So, what else is there?
