TL;DR: In the never-ending battle against SPAM and phishing attacks, some email providers are now using DMARC, rejecting or marking as SPAM email if the originating mail server doesn't match the authorized ones for the provider's service.
For example:
- Yahoo! is flat out rejecting e-mail from yahoo! mail users if it comes from non-authorized servers.
- Google is marking e-mail from gmail users as SPAM if it comes from non-authorized servers.
Unfortunately this breaks mailing list software like mailman (used for this list) which tries to make e-mail from the list appear as if it is coming from the original sender.
The changes that are required to fix the issue change the functionality of the list software in ways users may not like.
I found this out while applying DMARC for my own domains.
More info can be found at these sites: https://wiki.list.org/DEV/DMARC https://dmarc.org/
Fun.
-Neil
Cheers from my gmail.com account :)
Hi Neil,
That DEV/DMARC link is a bit dated and obsolete.
The DMARC mitigation code available in Mailman (since v2.1.18) is in wide use and working well. At a minimum this list should be automatically munging posts from DMARC-enabled domains.
Let me know if you need any help with this. I'm new here, but somewhat of an old-hat in the Mailman world. I'm always glad to help.
73s,
-Jim P.
Perhaps you have noticed that 'mailman' implements an option to get around the fundamentally broken concept of DMARC, and that the 44net mailing list has that functionality turned on. (This is the "DMARC-Munge-From" option).
It is dependent on the DMARC-implementing site declaring so publicly by publishing a TXT record in its DNS entries. Sites which implement DMARC without the corrective DNS entry are making an already-broken protocol behave even more poorly.
One recommended procedure is to set a mailman option which refuses postings from email providers that implement DMARC and informs the subscriber attempting to post to the list that their email provider is running a non-standards-compliant email system, that their mail is being refused as being unforwardable, and that they should find some other email provider instead. I have considered turning this option on but, while esthetically pleasing, it would reduce the functionality of the list, and so I have not. That doesn't mean that DMARC isn't a badly broken misconception; it is. It should NOT BE USED.
- Brian
On Sat, Nov 10, 2018 at 06:31:49AM -0600, Neil Johnson wrote:
> Unfortunately this breaks mailing list software like mailman (used for this list) which tries to make e-mail from the list appear as if it is coming from the original sender.
> The changes that are required to fix the issue change the functionality of the list software in ways users may not like.
Now that I've done some more research (google) I see I've twice naively wandered into two hotly contested issues (IPv4 address transfers and SPF, DKIM, DMARC).
My apologies!
Going back to lurking mode now.
-Neil
On Sat, Nov 10, 2018 at 7:31 AM Brian Kantor <Brian@bkantor.net> wrote:
> Perhaps you have noticed that 'mailman' implements an option to get around the fundamentally broken concept of DMARC, and that the 44net mailing list has that functionality turned on. (This is the "DMARC-Munge-From" option).
> It is dependent on the DMARC-implementing site declaring so publicly by publishing a TXT record in its DNS entries. Sites which implement DMARC without the corrective DNS entry are making an already-broken protocol behave even more poorly.
> One recommended procedure is to set a mailman option which refuses postings from email providers that implement DMARC and informs the subscriber attempting to post to the list that their email provider is running a non-standards-compliant email system, that their mail is being refused as being unforwardable, and that they should find some other email provider instead. I have considered turning this option on but, while esthetically pleasing, it would reduce the functionality of the list, and so I have not. That doesn't mean that DMARC isn't a badly broken misconception; it is. It should NOT BE USED.
> - Brian
> On Sat, Nov 10, 2018 at 06:31:49AM -0600, Neil Johnson wrote:
>> Unfortunately this breaks mailing list software like mailman (used for this list) which tries to make e-mail from the list appear as if it is coming from the original sender.
>> The changes that are required to fix the issue change the functionality of the list software in ways users may not like.
I'm using gmail and reading all these well enough...
This is easily circumvented by mailer software like this one. It does NOT send mails as coming from the user. It just changes the name:
If I send a mail to this list, I send it from "Marius <marius@yo2loj.ro>".
The mailing list SW will send it from "Marius via 44Net <44net@mailman.ampr.org>".
Even if that "via 44Net" would not be there, it still is a mailer's address.
The same applies if the sender would be "marius@yo2loj.ro <44net@mailman.ampr.org>".
It would APPEAR it was sent from me, but the actual address is mailman's address.
On the other hand, mail servers are right, one cannot send mail to them using their own domain, unless allowed by some trusted source (DNS SPF record or similar in the mail host's record) authorizing the external host to send mail in its name. And it is not only yahoo doing this, most mail servers reject such mails. They also reject unknown sender hosts (without RDNS entries), invalid HELLO headers and others. Google is the exception, classifying it as spam instead of just rejecting it with a 554 error.
IMHO this whole thing has actually been in place for years, and is a non-issue. As long as a mail server is correctly configured, everything works as expected.
Marius, YO2LOJ
On Sat, 10 Nov 2018 at 07:32, Neil Johnson <neil.johnson@erudicon.com> wrote:
> (...)
> Unfortunately this breaks mailing list software like mailman (used for this list) which tries to make e-mail from the list appear as if it is coming from the original sender.
> The changes that are required to fix the issue change the functionality of the list software in ways users may not like.
Mailing list manager for a Dutch digital rights initiative here. We've been dealing with DMARC for the last couple of years and are publishing our own DMARC quarantine policy soon, after months of monitoring and contacting other list managers to get DMARC to work with their lists. Munging the From: header is one solution, but doing so makes it harder to filter posts from a list member in a mail client (for example the 'Filter these messages' bar in Thunderbird doesn't work anymore).
We opted for not munging the From: header and instead trying to keep the original DKIM signature valid. You see, you only need SPF *or* DKIM alignment to achieve DMARC compliance, otherwise forwarding would break (read the spec to know what 'alignment' means here). A forwarder should of course use its own domain in the bounce (envelope FROM) domain so the email passes SPF validation.
Keeping the DKIM signature valid means that you cannot modify the email body (Mailman must not add a footer). The same goes for certain headers, depending on the configuration of the DKIM signer. These headers are often From:, To:, Date:, MIME-Version: and Message-ID:, but often the Subject: header is included as well, so you cannot add '[listname]' in front of the subject.
I hope this is useful to someone!
Imre PH0BOS
On 11/11/2018 09:23, Marius Petrescu wrote:
> This is easily circumvented by mailer software like this one. It does NOT send mails as coming from the user. It just changes the name:
> If I send a mail to this list, I send it from "Marius <marius@yo2loj.ro>".
> The mailing list SW will send it from "Marius via 44Net <44net@mailman.ampr.org>".
> Even if that "via 44Net" would not be there, it still is a mailer's address.
> The same applies if the sender would be "marius@yo2loj.ro <44net@mailman.ampr.org>".
> It would APPEAR it was sent from me, but the actual address is mailman's address.
> On the other hand, mail servers are right, one cannot send mail to them using their own domain, unless allowed by some trusted source (DNS SPF record or similar in the mail host's record) authorizing the external host to send mail in its name. And it is not only yahoo doing this, most mail servers reject such mails. They also reject unknown sender hosts (without RDNS entries), invalid HELLO headers and others. Google is the exception, classifying it as spam instead of just rejecting it with a 554 error.
> IMHO this whole thing has actually been in place for years, and is a non-issue. As long as a mail server is correctly configured, everything works as expected.
> Marius, YO2LOJ
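Added example (not part of the original thread, and not Mailman's own code): a simplified model of the DMARC decision discussed in the messages above, showing which list behaviours keep a relayed post compliant. The domains are constructed placeholders, alignment is approximated by comparing the last two DNS labels, and any body or signed-header change is assumed to invalidate the DKIM signature.

```python
from dataclasses import dataclass, replace

def org_domain(domain: str) -> str:
    # Crude organizational domain: last two labels.
    # Real evaluators use the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    return org_domain(a) == org_domain(b)

@dataclass(frozen=True)
class Delivery:
    header_from: str    # domain in the From: header (what DMARC protects)
    envelope_from: str  # bounce domain, the one SPF is checked against
    spf_pass: bool      # sending host is authorised for envelope_from
    dkim_domain: str    # d= domain of the author's DKIM signature
    dkim_valid: bool    # signature still verifies at the receiver

def dmarc_pass(d: Delivery) -> bool:
    # DMARC needs only ONE aligned pass: SPF or DKIM.
    spf_ok = d.spf_pass and aligned(d.envelope_from, d.header_from)
    dkim_ok = d.dkim_valid and aligned(d.dkim_domain, d.header_from)
    return spf_ok or dkim_ok

def relay_via_list(msg, list_domain, add_footer=False, tag_subject=False,
                   subject_signed=True, munge_from=False):
    # The list sends with its own bounce domain, so SPF passes for the list
    # but no longer aligns with the author's From: domain.
    broke_dkim = add_footer or (tag_subject and subject_signed)
    return replace(
        msg,
        header_from=list_domain if munge_from else msg.header_from,
        envelope_from=list_domain,
        spf_pass=True,
        dkim_valid=msg.dkim_valid and not broke_dkim,
    )

LIST = "lists.example.org"  # constructed list domain
DIRECT = Delivery("member.example", "member.example", True, "member.example", True)

def scenarios() -> dict:
    r = lambda **kw: dmarc_pass(relay_via_list(DIRECT, LIST, **kw))
    return {
        "direct": dmarc_pass(DIRECT),
        "relay_untouched": r(),
        "relay_footer": r(add_footer=True),
        "relay_subject_tag": r(tag_subject=True),
        "relay_subject_tag_unsigned": r(tag_subject=True, subject_signed=False),
        "relay_footer_munged_from": r(add_footer=True, munge_from=True),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} {'pass' if ok else 'FAIL'}")
```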
Yep gmail here too, but it could be because it receive via a mail redirect from zonedit
73 Lin N4YCI
On Sun, Nov 11, 2018 at 5:02 AM David Gillingham via 44Net <44net@mailman.ampr.org> wrote:
> I'm using gmail and reading all these well enough...
On 12/11/18 11:39, Lin Holcomb wrote:
> Yep gmail here too, but it could be because it receive via a mail redirect from zonedit
I've been following this entire thread, and my email is hosted using Google Apps. It's basically Gmail, but the DNS is managed by me.
The subject line of this message is clearly wrong.
255 of the 821 subscribers to this mailing list use @gmail.com mailboxes.
If there were a problem with gmail, it would have shown up long ago.
- Brian
Checking in from yahoo.com!