[clamav-users] Mailing list DMARC problem

Discussion:

Giuseppe Ravasio

2018-10-31 09:27:09 UTC

Hi,
our mail relay recently started checking DMARC authentication of
messages and it turns out that this mailing list is braking DMARC.
That result in having rejected or quarantined messages from user whose
email TLD is specifyng a DMARC policy.

For the mailing list admins here there is a FAQ link about ML and DMARC
https://dmarc.org/wiki/FAQ#senders

Thanks
Giuseppe
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Al Varnell

2018-10-31 09:47:34 UTC

Permalink

It's well known and was discussed at length in June and probably several other times. I'm not sure it's even possible to be compliant given the currently used list software.
<https://lists.gt.net/clamav/users/72965?search_string=dmarc;#72965 <https://lists.gt.net/clamav/users/72965?search_string=dmarc;#72965>>

-Al-

Post by Giuseppe Ravasio
Hi,
our mail relay recently started checking DMARC authentication of
messages and it turns out that this mailing list is braking DMARC.
That result in having rejected or quarantined messages from user whose
email TLD is specifyng a DMARC policy.
For the mailing list admins here there is a FAQ link about ML and DMARC
https://dmarc.org/wiki/FAQ#senders <https://dmarc.org/wiki/FAQ#senders>
Thanks
Giuseppe

Alessandro Vesely

2018-10-31 12:16:15 UTC

Permalink

Post by Al Varnell
I'm not sure it's even possible to be compliant given the currently used
list software.

Yes, it is:
https://mailman.readthedocs.io/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html

The most commonly used workaround is bullet #3 of that FAQ;
3. Take ownership of the email message by changing the RFC5322.From address

Post by Al Varnell

Post by Giuseppe Ravasio
For the mailing list admins here there is a FAQ link about ML and DMARC
https://dmarc.org/wiki/FAQ#senders

There are elaborate variants. For example, one can register a domain like
dmarc.fail and rewrite From: in such a way that reply-to-author will work for a
limited period of time. See:
http://lists.dmarc.org/pipermail/dmarc-discuss/2018-October/004193.html

Best
Ale
--
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

Maarten Broekman

2018-10-31 12:23:27 UTC

Permalink

Or, I don't know, recipients that are enforcing DMARC could simply follow
the steps from the previous section. The mailing list doesn't own the
messages sent to it (we don't see "From: clamav-users").

Recipients should whitelist the mailing list per:
https://dmarc.org/wiki/FAQ#Is_there_special_handling_required_to_receive_DMARC_email_from_mailing_lists.3F

Post by Alessandro Vesely

Post by Al Varnell
I'm not sure it's even possible to be compliant given the currently used
list software.

https://mailman.readthedocs.io/en/latest/src/mailman/handlers/docs/dmarc-mitigations.html
The most commonly used workaround is bullet #3 of that FAQ;
3. Take ownership of the email message by changing the RFC5322.From address

Post by Al Varnell

Post by Giuseppe Ravasio
For the mailing list admins here there is a FAQ link about ML and DMARC
https://dmarc.org/wiki/FAQ#senders

There are elaborate variants. For example, one can register a domain like
dmarc.fail and rewrite From: in such a way that reply-to-author will work for a
http://lists.dmarc.org/pipermail/dmarc-discuss/2018-October/004193.html
Best
Ale
--
_______________________________________________
clamav-users mailing list
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml

Alessandro Vesely

2018-10-31 17:10:52 UTC

Permalink

Or, I don't know, recipients that are enforcing DMARC could simply follow the
steps from the previous section. The mailing list doesn't own the messages sent
to it (we don't see "From: clamav-users").
https://dmarc.org/wiki/FAQ#Is_there_special_handling_required_to_receive_DMARC_email_from_mailing_lists.3F

Original Authentication Results is wishful thinking of 2012. If it worked, ARC
wouldn't be needed. But then ARC doesn't solve the problem either, because in
practice you don't know what every sender in the world is doing, unless you're
Google.

Assessing all the mailing lists that their users subscribe to is a daunting
task for mailbox providers, especially since list subscription doesn't involve
the mailbox provider at all.

Best
Ale
--
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml