Click the comments link on any story to see comments or add your own.
Subscribe to this blog
20 Dec 2016
I have groused at length about the damage that anti-phishing technique DMARC does to e-mail discussion lists. For at least two years list managers and list software developers have been trying to figure out what to do about it. The group that brought us DMARC is working on an un-DMARC-ing scheme called ARC, which will likely help somewhat, but ARC isn't ready yet, and due to ARC's complexity it's likely that there will be many medium or small mail systems that enforce DMARC and can't or won't use ARC.
The Internet Engineering Task Force, which writes technical standards for the Internet, works primarily through discussion lists, and the pain from DMARC has gotten to the point where we may do something about it. So we've been doing some experiments.
The DMARC problem is that mail sent through discussion lists is generally modified on the way through, most often with subject line tags or message footers, the modifications invalidate DKIM message signatures, and the invalid signature makes DMARC misidentify the list mail as phishes.
There are a lot of DMARC workarounds (summarized here,) all of which do some damage to the mail, but they damage the mail in different ways. Currently the most popular is to rewrite the From: line and replace the message author's address by the list's address. This satisfies DMARC since it keys on the From: line address, but it messes up lists since it makes it hard to tell who actually wrote a message, and even harder to send a private reply to the author.
Another less used option is to wrap the messages in outer messages as attachments. The outer message is created by the list software so it has no DMARC problems. The attached message is the original message, modified however the list software modified it, but since it's an attachment, DMARC doesn't care about it. List that send daily digests typically wrap messages in the same way, so you can think of this trick as turning every message into a one-message digest.
The good thing about message wrapping is that the wrapped message is exactly the one the list would have sent without DMARC. The bad thing is that user mail programs tend not to display wrapped messages very well. In the worse cases, the mail program doesn't know how to display the message/rfc822 MIME part containing the wrapped message and just shows a box or a download link. Sometimes it shows the message, but doesn't show the wrapped message's headers so you can't see the From: or Subject: to see who sent it or what it's about. Often if you can see the From:, you can't click on it, so there's no way to send a response to the author other than manually cutting and pasting the address into a new message. Or if there's a Reply-To header, sometimes the mail program follows it, sometimes not. (We get the impression that displaying wrapped messages has never been a priority among mail program developers.)
To find out how wrapped messages work in various mail programs, I've written a little message wrapping 'bot. You send a message to the bot, it wraps it a couple of ways and sends it back. The bot's addresses are:
Each message is returned twice, once where the outer message has a normal looking From: line with a throwaway return address, and one with an empty group address. If you only get one copy back, look in your spam folder for the group address, or on some systems, it just disappears since they (erroneously) reject the group address as bad syntax.
Don't send anything secret, since I keep copies of all the mail. The 'bot is heavily rate limited to deter abuse and accidental or deliberate mail loops.
We've checked all of the major webmail providers and some popular desktop mail programs like Apple Mail and Thunderbird, but reports on other mail programs, particularly on tablets and phones, would be useful. How legible are the messages? How hard is it to reply to the list address (in this case, email@example.com or whatever) or to the author (you)?
comments... (Jump to the end to add your own comment)
Add your comment...
Note: all comments require an email address to send a confirmation to verify that it was posted by a person and not a spambot. The comment won't be visible until you click the link in the confirmation. Unless you check the box below, which almost nobody does, your email won't be displayed, and I won't use it for other purposes.
My other sites
© 2005-2018 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.