== At least partially understanding DMARC

[[DMARC http://dmarc.org/]] is suddenly on my mind because of the news that [[AOL changed its DMARC policy to 'reject' http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/]], following the lead of Yahoo which did this [[a couple of weeks ago http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users]]. The short version is that a DMARC 'reject' policy is [[what I originally thought DKIM was doing UnderstandingDKIM]]: it locks down email with a _From:_ header of your domain so that only you can send it. More specifically, all such email must not merely have a valid DKIM signature but a signature that is for the same domain as the _From:_ domain; in DMARC terminology this is called being 'aligned'. Note that the domain used to determine the DMARC policy is the _From:_ domain, not the DKIM signature domain.

(I think that DMARC can also be used to say 'yes, really, pay attention to my strict SPF settings' if you're sufficiently crazy [[to break all email forwarding AnInternetRule]].)

This directly affects anyone who wants to send email with a _From:_ of their Yahoo or AOL address but not do it through Yahoo/AOL's SMTP servers. Yahoo and AOL have now seized control of that and said 'no you can't, we forbid it by policy'. Any mail system that respects DMARC policies will automatically enforce this for AOL and Yahoo. (Of course this power grab is not the primary goal of the exercise; the primary goal is to cut off all of the spammers and other bad actors that are attaching Yahoo and AOL _From:_ addresses to their email.)

This indirectly affects anyone who has, for example, a mailing list (or a mail forwarding setup) that modifies the message _Subject:_ or adds a footer to the message as it goes through the list. Such modifications will invalidate the original DKIM signature of legitimate email from a Yahoo or AOL user, and this now-invalid DKIM signature will cause the message to be rejected by downstream mailers that respect DMARC. The only way to get such modified emails past DMARC is to change the _From:_ header away from Yahoo or AOL, at which point their DMARC 'reject' policies don't apply.

DMARC by itself does not break simple mail relaying and forwarding (including for simple mailing lists), ie all things where the message and its headers are unmodified. An unmodified message's DKIM signature is still valid even if it doesn't come directly from Yahoo or AOL (or whoever), so everything is good as far as DMARC is concerned ([[assuming SPF sanity AnInternetRule]]).

Note that Yahoo and AOL are not the only people with a DMARC 'reject' policy. Twitter has one, for example. You can check a domain's DMARC policy (if any) by looking at the _TXT_ record on ((_dmarc.)), eg ((_dmarc.twitter.com)). I believe the '_p=_' bit is the important part.

PS: I suspect that more big free email providers are going to move to publishing DMARC 'reject' policies, assuming that things don't blow up spectacularly for Yahoo and AOL. Which I doubt they will.
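To make the alignment rule concrete, here is an added example (my own illustration, not code from the post or from dmarc.org) that parses a ((_dmarc.)) TXT record and works out what a DMARC-respecting receiver would do with a message given its _From:_ domain and its DKIM signature domain. It goes slightly beyond the post by handling both strict and relaxed DKIM alignment; the TXT records are constructed stand-ins rather than real lookups, the organizational domain is approximated as the last two labels (an assumption; real receivers use the Public Suffix List), and the SPF half of DMARC is left out.

```python
"""Added example: evaluate a DMARC policy for a message's From: domain.
Only the DKIM side of DMARC is modelled; SPF alignment is omitted."""

# Constructed stand-ins for the TXT records published at _dmarc.<domain>.
DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=100",
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # not a usable DMARC record; p= is the important bit
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no PSL handling).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain, dkim_domain, mode):
    """adkim=s (strict): exact match. adkim=r (relaxed, default): same org domain."""
    f, d = from_domain.lower(), dkim_domain.lower()
    if mode == "s":
        return f == d
    return org_domain(f) == org_domain(d)

def dmarc_disposition(from_domain, dkim_domain, dkim_valid, txt=DMARC_TXT):
    """Return 'pass', or the published p= action (none/quarantine/reject).
    The policy comes from the From: domain, never from the DKIM d= domain."""
    record = txt.get("_dmarc." + from_domain.lower())
    if record is None:
        return "none"  # nothing published: behave as before DMARC existed
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    # A valid but unaligned signature (e.g. a list re-signing with its own
    # domain) does not satisfy DMARC, and neither does a broken one.
    if dkim_valid and dkim_aligned(from_domain, dkim_domain, tags.get("adkim", "r")):
        return "pass"
    return tags["p"]

if __name__ == "__main__":
    # A mailing list added a footer, so the original signature no longer verifies.
    print(dmarc_disposition("example.com", "example.com", False))  # reject
```

The last case is the mailing-list failure the post describes: the signature was once valid, but once the body changes the receiver sees a failed, unaligned DKIM check and applies the _From:_ domain's 'reject'.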