DMARC lets a domain owner make assertions about mail
that has their domain in the address on the From: line.
It lets the owner assert that mail will have a
DKIM signature with the same domain, or an envelope return (bounce) address
in the same domain that will pass SPF validation.
The domain owner can also offer policy advice about
what to do with mail that doesn't have matching DKIM or SPF, ranging
from nothing to reject the mail in the SMTP session. The assertions
are in the DNS, in a TXT record at _dmarc.domain. You can see mine
at _dmarc.taugh.com.
For a lot of mail, notably bulk mail sent by companies, DMARC works
great. For other kinds of mail it works less great, because like
every mail security system, it has an implicit model of the way mail
is delivered that is similar but not identical to the way mail is
actually delivered.
Mailing lists are a particular weak spot for DMARC. Lists invarably
use their own bounce address in their own domain so they can collect
the error reports from list mail, so the SPF doesn't
match. Lists generally modify messages via subject tags, body footers,
attachment stripping, and other useful features that break the DKIM
signature. So on even the most legitimate list mail,
most of the mail fails the DMARC assertions, not due to the
lists doing anything "wrong".
The reason this matters is that over the weekend Yahoo published a
DMARC record with a policy saying to reject all yahoo.com mail that
fails DMARC. I noticed this because I got a blizzard of bounces from
my church mailing list, when a subscriber sent a message from her
yahoo.com account, and the list got a whole bunch of rejections from
gmail, Hotmail, Comcast, and Yahoo itself. This is definitely
a DMARC problem, the bounces say so.
The problem for mailing lists isn't limited to the Yahoo subscribers.
Since Yahoo mail provokes bounces from lots of other mail systems,
innocent subscribers at Gmail, Hotmail, etc. not only won't get Yahoo
subscribers' messages, but all those bounces are likely to bounce them
off the lists. A few years back we had a similar problem due to an
overstrict implementation of DKIM ADSP, but in this case, DMARC is
doing what Yahoo is telling it to do.
The DMARC mailing list issue has been argued at length among us nerds, and
one of the counter arguments has been that mail systems know who is sending
mailing list mail, so they will whitelist those lists or otherwise avoid
the problem.
We now know that is not true.
I've been running lists for years, no spam at all (they're all noncommercial
stuff like my church, CAUCE's newsletter, and a group of folk dancers), and
every possible technical feature including DKIM, SPF, correct forward and
reverse DNS, you name it.
As noted above it didn't help, and I have heard from many other list managers
with the same problem, thanking me for explaining what happened.
