Mailing list questions (DMARC, ARC, more?)

Matus UHLAR - fantomas uhlar at fantomas.sk
Fri Sep 2 12:27:55 UTC 2022


>>On 25.08.22 18:10, Alessandro Vesely wrote:
>>>The lack of interest by others proves that From: munging is not so 
>>>much of a nuisance as they say...

>On Mon 29/Aug/2022 12:09:10 +0200 Matus UHLAR - fantomas wrote:
>>This will come sooner or later, however:
>>
>>earlier this year I've done small dmarc research for our client:
>>
>>- microsoft software (on-premise exchange and 365) does not
>>DKIM-sign DSN e-mail (delivery and non-delivery notifications)
>>although those have sending domain in From: (I guess domain is
>>added after sig generated)

On 01.09.22 12:07, Alessandro Vesely wrote:
>So do I, relying on SPF for DSNs.

if DSN contains domain in From: address, they can be signed as well.
microsoft messed this up.

>>- only a few % of domains have other DMARC policy than none
>>- mailman 2 (used here) only munges From: when domain DMARC policy
>>for the sending domain is other than none.

>Which is insecure.

yes, but due to the above, since DSNs aren't DKIM-signed, they could be 
easily dropped, I assume either nobody tried to set DMARC policy to other 
than none or they had problems.


>While I keep p=none, anyone can post a spoof using 
>my email address as From: and pretend to be me.  It never happens, but 
>some people believe it /cannot/ happen.

>>>>>I see the list operates both From: munging and ARC sealing.  
>>>>>While I'm clear about the former, I'm curious about how ARC 
>>>>>works:
>>>>>
>>>>>Do any subscribers trust the seal by isc.org?
>>
>>I guess most of recipients use predefined configurations, e.g. no whitelisting.
>>
>>out of curiosity, I set my opendmarc.conf:
>>
>>DomainWhitelist lists.isc.org
>>
>>so we'll see next time mail comes.

>Please tell us.

so far, not ex

- opendmarc only uses header that's inserted by openarc milter

- openarc milter for bind-users inserts arc.chain="isc.org:isc.org:isc.org"

- opendmarc seems to ignore "DomainWhitelist isc.org" perhaps I need to put
   isc.org:isc.org:isc.org (will try) 

- openarc (I have installed beta from debian experimental) seems to insert 
   Authentication-Result: header when no ARC seal is present, though not always.

- arc for bind-users seems to fail when mailman rewrites From: header 
   (but DKIM is fine in this case)


>Mailman should know about your setting in order to skip From: munging 
>in the copies sent to you.  Currently, the copies sent to pipermail 
>for archiving seem to be non-munged, so this functionality exists.

do you mean I can turn off From: munging in mail sent to me?



-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.
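
Added example, not part of the original message and not opendmarc or openarc code: a Python check that reads the arc.chain value from a locally inserted Authentication-Results header and compares a sealer whitelist per hop, next to the whole-string comparison that would explain why "isc.org" alone does not match. The header layout, the authserv-id mx.example.net and all function names are assumptions; only the arc.chain value comes from the message above.

```python
import re

# Constructed sample header value. The authserv-id and field layout are
# assumptions; only the arc.chain value is taken from the message above.
SAMPLE_AR = ('mx.example.net; arc=pass smtp.remote-ip=192.0.2.10 '
             'arc.chain="isc.org:isc.org:isc.org"')


def parse_arc(ar_value):
    """Return (authserv_id, arc_result, [sealer domains]) from an A-R value."""
    authserv_id, _, rest = ar_value.partition(';')
    result = re.search(r'\barc=(\w+)', rest)
    chain = re.search(r'\barc\.chain="?([^";\s]+)"?', rest)
    sealers = chain.group(1).lower().split(':') if chain else []
    return (authserv_id.strip().lower(),
            result.group(1).lower() if result else 'none',
            sealers)


def arc_override_allowed(ar_value, my_authserv_id, trusted_sealers):
    """Hypothetical local policy: tolerate a DMARC failure only when our own
    ARC verifier reported arc=pass and every sealer in the chain is trusted."""
    authserv_id, result, sealers = parse_arc(ar_value)
    if authserv_id != my_authserv_id.lower():
        return False  # header was not inserted by our own milter
    if result != 'pass' or not sealers:
        return False  # broken or missing chain never overrides DMARC
    trusted = {d.lower() for d in trusted_sealers}
    return all(hop in trusted for hop in sealers)


def naive_whole_string_match(ar_value, trusted_sealers):
    """Failure mode guessed at above: the raw chain string is compared
    against whitelist entries, so "isc.org" alone never matches."""
    _, _, sealers = parse_arc(ar_value)
    return ':'.join(sealers) in {d.lower() for d in trusted_sealers}


if __name__ == '__main__':
    print(parse_arc(SAMPLE_AR))
    print(arc_override_allowed(SAMPLE_AR, 'mx.example.net', ['isc.org']))
    print(naive_whole_string_match(SAMPLE_AR, ['isc.org']))
```

The authserv-id comparison is what keeps a sender from supplying its own arc=pass header; a header carrying any other authserv-id is ignored.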

