DMARC protection
- The DMARC protection feature was introduced in Sympa 6.1.22 and 6.2.
DMARC stands for "Domain-based Message Authentication, Reporting & Conformance". It is an anti-spam and anti-phishing measure supported by major mail providers such as Yahoo or Hotmail.
This is a quick update for now. If you want to learn more about DMARC and what awful things its rough application did to mailing list managers, please read Related posts below.
ARC (RFC 8617) is intended to fix the problems introduced by DMARC by adding signatures (called "seals") that show the chain of servers that processed a message. Once ARC is more widely implemented, the workarounds applied by DMARC protection should no longer be needed. Setting up ARC on your mailing list server is therefore recommended, since it reduces the impact of DMARC protection (once you have DKIM set up, adding ARC seals is straightforward).
Background
To make a long story short: Yahoo, then AOL and probably others set the "p=reject" tag in their DMARC DNS record. This means: reject anything that doesn't match my security policies. OK. But Sympa and most mailing list managers would break this policy, simply by changing the mail subject or the Return-Path, because:
- Yahoo requires a valid DKIM signature, signed by the Yahoo domain, for any mail from its domain.
- Sympa would break this signature by changing the Return-Path or Subject, which are parts of the Yahoo signature.
The messages to Yahoo would bounce "for policy reason", but worse: messages sent to recipients whose domain applies the Yahoo DMARC policy would also bounce. Examples of such domains are Gmail, Hotmail, etc.
How it works
DMARC protection has the following effect: mails from domains whose policy is to reject any mail not respecting their DMARC policy will be processed this way:
- Their DKIM and DomainKey signatures will be removed.
- The address in the From: field will be changed to the list address (or anything specified in the list config) so that the message passes DMARC validation. For the convenience of recipients, information about the original sender is embedded in the display name and/or comment of the From: field.
Previous values of the From: header field and the DKIM signature are saved in X-Original-From: and X-Original-DKIM-Signature: header fields for later inspection.
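As an added illustration (not Sympa's own code, which is written in Perl and uses the Net::DNS module for the DNS lookup), the following Python sketch walks through the two steps described above on a constructed message: read the p= tag of the sender domain's DMARC record and, when it is reject, strip the DKIM/DomainKey signatures and rewrite From: to the list address while saving the originals in X-Original-From: and X-Original-DKIM-Signature:. The DMARC records and the sample message are constructed, and the "via <list name>" display-name format and the function names are this example's own choices, not Sympa's.

```python
import email
from email import policy
from email.utils import formataddr, parseaddr

# Constructed sample DMARC TXT records, keyed by domain, standing in for what a
# resolver would return for _dmarc.<domain>. Hard-coded so the example runs offline.
SAMPLE_DMARC_RECORDS = {
    "example-reject.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-reject.test",
    "example-none.test": "v=DMARC1; p=none",
}

# Constructed sample message; the DKIM-Signature value is a placeholder, not a real signature.
RAW = """\
From: Alice Example <alice@example-reject.test>
To: listname@lists.example.org
Subject: hello
DKIM-Signature: v=1; a=rsa-sha256; d=example-reject.test; s=sel; h=from:subject; b=CONSTRUCTED_PLACEHOLDER
Message-ID: <1@example-reject.test>

Hello list.
"""


def dmarc_policy(domain, records=SAMPLE_DMARC_RECORDS):
    """Return the p= tag of the domain's DMARC record, or None if there is no usable record."""
    txt = records.get(domain.lower())
    if not txt:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p")


def protect_message(msg, list_address, list_name):
    """Apply a 'dmarc_reject'-style rewrite to msg in place.

    Returns True if the message was rewritten, False if it was left untouched."""
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2]
    if dmarc_policy(domain) != "reject":
        return False
    # Keep the original header values for later inspection.
    msg["X-Original-From"] = str(msg["From"])
    if msg.get("DKIM-Signature"):
        msg["X-Original-DKIM-Signature"] = str(msg["DKIM-Signature"])
    # Remove the signatures the list would break anyway (no error if absent).
    for header in ("DKIM-Signature", "DomainKey-Signature"):
        del msg[header]
    # Rewrite From: to the list address, keeping the original sender visible
    # in the display name so recipients still see who wrote the message.
    new_display = f"{display or addr} via {list_name}"
    del msg["From"]
    msg["From"] = formataddr((new_display, list_address))
    return True


def demo(raw=RAW):
    """Parse a raw message, run the protection step, and return (message, was_rewritten)."""
    msg = email.message_from_string(raw, policy=policy.default)
    changed = protect_message(msg, "listname@lists.example.org", "Listname")
    return msg, changed


if __name__ == "__main__":
    rewritten, _ = demo()
    print(rewritten.as_string())
```

A message from example-none.test (p=none) passes through unchanged, which mirrors the dmarc_reject setting described on this page: only domains publishing a reject policy are rewritten.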
How to setup
- Install the Net-DNS Perl module, if it has not been installed yet.
- Set dmarc_protection.mode to the value you wish. For a quick correction on the most restrictive DMARC records, just add the following line to your sympa.conf:
dmarc_protection.mode dmarc_reject
Note
- On Sympa 6.2.56 or earlier, the name of the parameter above should be dmarc_protection_mode.
You can further customize how DMARC is handled by using the other dmarc_protection parameters.
Related posts
Acknowledgement
You can all thank Steve Shipway for his deep understanding of the problem and the patch he provided to solve the issue.