[ih] Email reliability
Dave Crocker
dhc at dcrocker.net
Sun Jan 14 11:02:16 PST 2024
On 1/14/2024 10:32 AM, Jack Haverty via Internet-history wrote:
> It will likely reduce spam, but also disrupt real email
s/will likely/already does/
and already does the disruption...
The google announcement is of an escalation, not a creation.
> - in particular any email that travels using any mailing list (like
> this one). The effect comes not from the new rules for "bulk
> senders", but rather from the mail servers' changes to their filters
> for handling incoming mail, especially the rules that classify mail
> travelling through mailing lists as inherently suspicious.
>
> From Amazon's blog announcement:
>
> "For example, /gmail.com/ will be publishing a quarantine DMARC
> policy, which means that unauthorized messages claiming to be from
> Gmail will be sent to Junk folders."
The "will be" is an assertion of universal fact that is false, and
Google knows it.
A DMARC record that is published with a 'quarantine' setting is
expressing a desire, requesting a specific action by the receiver. And
some receiving sites do blindly comply with the request but many (most?)
do not. For one thing, there is noise in the DMARC channel and blind
compliance produces false positives.
Rather, the DMARC process, including the request, feeds into a complex
filtering engine at the receiver, where local policies decide what is
actually done.
It's not that the quarantine request isn't significant or that it never
happens. It's that it is only a request and all sorts of different
things might happen.
But the language of the Google notice does show a continuing problem
with how email problems are viewed and discussed, especially by the
major providers.
> I suspect lots of "mailing lists" will sustain such "collateral damage".
Already do. And have for a few years now.
> Anyone who sends or receives their email using a gmail or yahoo
> address will likely discover that they are effectively cut off from
> using this list (and probably others).
No.
The From: field hack that this list and many (most?) have adopted in
recent years 'routes around' DMARC. Think of it as defeating DMARC, or,
more generally, defeating a barrier to abuse.(*)
DMARC requires the From: field domain name to 'align' with a DKIM
signature (or SPF record) for the domain the DMARC record covers.
The mailing list hack is to make the From: field domain no longer be
what the author's system created.
So while your system sent a message with:
From: Jack Haverty <jack at 3kitty.org>
the mailing list changed it to:
From: Jack Haverty via Internet-history
<internet-history at elists.isoc.org>
If your system used DMARC for 3kitty.org, it would require DKIM or SPF
validation. Going through a mailing list would make the DMARC check
fail, since the mailing list's modification of the message header and/or
body will break the DKIM signature, and its being an additional SMTP hop
will break the SPF address check.
But since the message we received no longer has a From: field with your
domain name, there is no longer a DMARC check at the receiver for
3kitty.org.
The second part of the mailing list hack is to put the original From:
field address into the Reply-To:. This defeats any preexisting Reply-To
content but otherwise does make a reply to the author go to the author.
d/
(*) The premise behind DMARC's design is that bad actors make
unauthorized From: field use of a domain like gmail.com. And indeed,
bad actors do. /But they don't have to./ They can use all sorts of
other From: fields -- including other domains -- and still trick the
recipient into thinking the message came from gmail. /Recipients are
influenced by Subject: and the content of the Body quite a bit more than
the From: field./ Especially the From: field address, since most users
are now shown that address. Hence classing the DMARC benefit as
correlational, rather than inherent.
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker at mastodon.social
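
The alignment check and the From:/Reply-To: rewrite discussed in the message above, as an added example that is not part of the original post or of any mailing-list software. The domains author.example and lists.example, the policy table, and all function names are constructed for illustration; a real receiver looks up the policy in DNS and, as the post stresses, treats the result as one input to local filtering.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr

# Constructed policy table standing in for DNS lookups of _dmarc.<domain>.
POLICIES = {"author.example": "quarantine"}
LIST_NAME, LIST_ADDR = "Internet-history", "list@lists.example"  # constructed

def org_domain(domain):
    # Simplification: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def from_domain(raw):
    return parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2].lower()

def list_rewrite(raw):
    """Apply the rewrite described above: list address in From:, author in Reply-To:."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    del msg["From"], msg["Reply-To"]  # any pre-existing Reply-To is lost
    msg["From"] = formataddr((f"{name} via {LIST_NAME}", LIST_ADDR))
    msg["Reply-To"] = addr
    return msg.as_string()

def dmarc_outcome(raw, dkim_pass=(), spf_pass=None):
    """Outcome for the From: domain, given the domains that passed DKIM (d=) and SPF."""
    dom = from_domain(raw)
    policy = POLICIES.get(org_domain(dom))
    if policy is None:
        return "no DMARC policy to check"
    authed = set(dkim_pass) | ({spf_pass} if spf_pass else set())
    if any(org_domain(d) == org_domain(dom) for d in authed):
        return "pass"
    return f"fail, sender requests {policy}"  # a request; the receiver decides

# Constructed sample message.
ORIGINAL = ("From: Example Author <author@author.example>\n"
            "Reply-To: someone-else@author.example\n"
            "Subject: test\n\nbody\n")

def scenarios():
    rewritten = list_rewrite(ORIGINAL)
    return {
        "direct": dmarc_outcome(ORIGINAL, ["author.example"], "author.example"),
        # List altered the message (DKIM broken); SPF passes only for the list.
        "list, From: untouched": dmarc_outcome(ORIGINAL, spf_pass="lists.example"),
        "list, From: rewritten": dmarc_outcome(rewritten, spf_pass="lists.example"),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```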