At least partially understanding DMARC

April 23, 2014

DMARC is suddenly on my mind because of the news that AOL changed its DMARC policy to 'reject', following the lead of Yahoo which did this a couple of weeks ago. The short version is that a DMARC 'reject' policy is what I originally thought DKIM was doing: it locks down email with a From: header of your domain so that only you can send it. More specifically, all such email must not merely have a valid DKIM signature but a signature that is for the same domain as the From: domain; in DMARC terminology this is called being 'aligned'. Note that the domain used to determine the DMARC policy is the From: domain, not the DKIM signature domain.

(I think that DMARC can also be used to say 'yes, really, pay attention to my strict SPF settings' if you're sufficiently crazy to break all email forwarding.)

This directly affects anyone who wants to send email with a From: of their Yahoo or AOL address but not do it through Yahoo/AOL's SMTP servers. Yahoo and AOL have now seized control of that and said 'no you can't, we forbid it by policy'. Any mail system that respects DMARC policies will automatically enforce this for AOL and Yahoo.

(Of course this power grab is not the primary goal of the exercise; the primary goal is to cut off all of the spammers and other bad actors that are attaching Yahoo and AOL From: addresses to their email.)

This indirectly affects anyone who has, for example, a mailing list (or a mail forwarding setup) that modifies the message Subject: or adds a footer to the message as it goes through the list. Such modifications will invalidate the original DKIM signature of legitimate email from a Yahoo or AOL user and then this bad DKIM signature will cause the message to be rejected by downstream mailers that respect DMARC. The only way to get such modified emails past DMARC is to change the From: header away from Yahoo or AOL, at which point their DMARC 'reject' policies don't apply.

DMARC by itself does not break simple mail relaying and forwarding (including for simple mailing lists), ie all things where the message and its headers are unmodified. An unmodified message's DKIM signature is still valid even if it doesn't come directly from Yahoo or AOL (or whoever) so everything is good as far as DMARC is concerned (assuming SPF sanity).
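To make the last two paragraphs concrete, here is an added Python example (mine, not from the original post) that applies the 'relaxed' header and body canonicalization rules from RFC 6376 to a constructed message and checks whether the hashes a DKIM signer would have sealed still match after the kinds of changes a mailing list makes. The RSA signing step is omitted; comparing the hashes stands in for signature verification, and the set of signed headers is my choice rather than anything DKIM mandates beyond From:. All addresses and header values are made up.

```python
import hashlib
import re

# Constructed sample message as a list receives it (not a real message).
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "list@example.org"),
    ("Subject", "Meeting notes"),
    ("Date", "Wed, 23 Apr 2014 10:00:00 -0400"),
]
ORIGINAL_BODY = "Hello all,\r\nnotes attached.\r\n"

# The same message after a typical list tags the Subject and appends a footer.
LIST_HEADERS = [(n, "[list] " + v if n == "Subject" else v) for n, v in ORIGINAL_HEADERS]
LIST_BODY = ORIGINAL_BODY + "--\r\nlist mailing list\r\n"

# Headers this example signs (the h= list); an assumption, not a DKIM rule.
SIGNED_HEADERS = ["from", "to", "subject", "date"]


def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    name, unfold, collapse runs of whitespace, strip it at the ends."""
    value = value.replace("\r\n", "")
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse and
    trim whitespace per line, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body):
    return hashlib.sha256(relaxed_body(body).encode()).hexdigest()


def header_hash(headers, signed_names):
    """Hash over the signed headers in h= order; this is what the signer's
    RSA signature really covers, so any change here invalidates it."""
    lookup = {n.lower(): v for n, v in headers}
    canon = "".join(relaxed_header(n, lookup[n]) for n in signed_names if n in lookup)
    return hashlib.sha256(canon.encode()).hexdigest()


def seal(headers, body, signed_names):
    """What the signer commits to: bh= for the body, the header hash for h=."""
    return {"bh": body_hash(body), "h": header_hash(headers, signed_names)}


def verify(sealed, headers, body, signed_names):
    """Stand-in for signature verification: both sealed hashes must match."""
    return sealed["bh"] == body_hash(body) and sealed["h"] == header_hash(headers, signed_names)


def list_effects():
    """Does the original signature survive each kind of list handling?"""
    sealed = seal(ORIGINAL_HEADERS, ORIGINAL_BODY, SIGNED_HEADERS)
    padded = [(n, v + "  ") for n, v in ORIGINAL_HEADERS]  # cosmetic whitespace only
    return {
        "unmodified": verify(sealed, ORIGINAL_HEADERS, ORIGINAL_BODY, SIGNED_HEADERS),
        "subject_tagged": verify(sealed, LIST_HEADERS, ORIGINAL_BODY, SIGNED_HEADERS),
        "footer_added": verify(sealed, ORIGINAL_HEADERS, LIST_BODY, SIGNED_HEADERS),
        "trailing_whitespace": verify(sealed, padded, ORIGINAL_BODY, SIGNED_HEADERS),
    }


if __name__ == "__main__":
    for change, still_valid in list_effects().items():
        print(f"{change:20s} signature valid: {still_valid}")
```

The relaxed canonicalization is why plain relaying and whitespace-only rewrapping leave the signature intact, while a Subject: tag or a footer does not: the signed header hash and the bh= body hash both change, and a downstream verifier that honours the From: domain's 'reject' policy then has nothing aligned to accept.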

Note that Yahoo and AOL are not the only people with a DMARC 'reject' policy. Twitter has one, for example. You can check a domain's DMARC policy (if any) by looking at the TXT record on _dmarc.<domain>; I believe the 'p=' bit is the important part.
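As an added illustration of how the pieces in this post fit together (my code, not the post's), here is a small Python evaluator that parses a DMARC TXT record such as the one found at _dmarc.<domain>, reads the 'p=' policy and the 'adkim='/'aspf=' alignment modes, and decides the disposition of a message given its From: domain and the domains that DKIM and SPF authenticated. The records are constructed samples rather than real lookups, and the organizational-domain helper uses the last two labels, a simplification (real implementations consult the Public Suffix List) that is wrong for suffixes like co.uk.

```python
# Constructed sample records keyed by domain; nothing here is a real lookup.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:postmaster@example.net",
    "example.edu": "v=DMARC1; p=reject; sp=none",   # subdomains get a separate policy
    "example.org": "",                              # nothing published
}


def dmarc_query_name(domain):
    """The TXT name to query for a domain's DMARC record."""
    return f"_dmarc.{domain.lower().rstrip('.')}"


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict, or None if it is not a DMARC1 record.
    Alignment tags default to relaxed ('r') when absent."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain; last-two-labels simplification (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookup_policy(from_domain, records):
    """Policy for the From: domain, falling back to the organizational domain's
    record (where sp= applies to subdomains) when the exact name has none."""
    rec = parse_dmarc(records.get(from_domain.lower(), ""))
    if rec is not None:
        return rec
    org = org_domain(from_domain)
    if org == from_domain.lower():
        return None
    rec = parse_dmarc(records.get(org, ""))
    if rec is not None and "sp" in rec:
        rec = dict(rec, p=rec["sp"])
    return rec


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, dkim_domain=None, dkim_pass=False,
             spf_domain=None, spf_pass=False, records=SAMPLE_RECORDS):
    """Return 'no-policy', 'pass', or the requested action ('none', 'quarantine',
    'reject') when neither DKIM nor SPF gives an *aligned* pass."""
    policy = lookup_policy(from_domain, records)
    if policy is None:
        return "no-policy"
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, policy["adkim"]))
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, policy["aspf"]))
    return "pass" if (dkim_ok or spf_ok) else policy.get("p", "none")


if __name__ == "__main__":
    print(dmarc_query_name("example.com"))
    # Valid DKIM signature, but from a list's domain rather than the From: domain.
    print(evaluate("example.com", dkim_domain="lists.example.org", dkim_pass=True))
```

The second call in the usage block is the mailing-list case from the post: the list may re-sign the message perfectly well, but a signature for lists.example.org is not aligned with a From: of example.com, so the From: domain's 'reject' policy is what the receiver enforces.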

PS: I suspect that more big free email providers are going to move to publishing DMARC 'reject' policies, assuming that things don't blow up spectacularly for Yahoo and AOL. Which I doubt they will.

Comments on this page:

I assume you have a number of mailing lists you administer. Did you have to do any config tweaking to work with Yahoo's and AOL's dumb idea to reject mail? I suppose you can probably just force users to use their university email addresses.

The reason I'm asking is because some of the mailing lists I'm on have done some really nasty things to work with Yahoo (and now AOL) addresses. Specifically, they rewrite the From header to be the mailing list address, and they stash the original From address into a Reply-To/X-Original-Sender.

By cks at 2014-04-23 10:39:53:

The short answer is that our local mailing lists aren't affected because they don't modify the message as it goes through. The university-wide Listserv system will be, because it modifies the Subject: header.

(In general any mailing list system that leaves the message unmodified should be fine, so one of my biased reactions to this is that maybe mailing list systems should get out of the business of mangling messages instead of adding yet more mangling on top of what they're already doing.)

By Anon at 2014-04-24 17:29:24:

The LKML now bans emails from @yahoo addresses so I guess that's the sort of collateral damage that's going to be seen...

Written on 23 April 2014.


Last modified: Wed Apr 23 01:12:32 2014
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.