Yahoo DMARC Implementation Breaks Most Mailing Lists

pdclarry writes: "On April 8, Yahoo implemented a new DMARC policy that essentially bars any Yahoo user from accessing mailing lists hosted anywhere except on Yahoo and Google. While Yahoo is the initiator, it also affects Comcast, AT&T, Rogers, SBCGlobal, and several other ISPs. Internet Engineering Council expert John R. Levine, a specialist in email infrastructure and spam filtering, said, 'Yahoo breaks every mailing list in the world including the IETF's' on the Internet Engineering Task Force (IETF) list.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a two-year-old proposed standard previously discussed on Slashdot that is intended to curb email abuse, including spoofing and phishing. Unfortunately, as implemented by Yahoo, it claims most mailing list users as collateral damage. Messages posted to mailing lists (including listserv, mailman, majordomo, etc) by Yahoo subscribers are blocked when the list forwards them to other Yahoo (and other participating ISPs) subscribers. List members not using Yahoo or its partners are not affected and will receive posts from Yahoo users. Posts from non-Yahoo users are delivered to Yahoo members. So essentially those suffering the most are Yahoo's (and Comcast's, and AT&T's, etc) own customers. The Hacker News has details about why DMARC has this effect on mailing lists. Their best proposed solution is to ban Yahoo email users from mailing lists and encourage them to switch to other ISPs. Unfortunately, it isn't just Yahoo, although they are getting the most attention."

Darmok and Jalad

[tylersoze]

DMARC and SMTP at Yahoo, mail broken.

SPF..

[Bert64]

Implementing SPF can also do the same thing, the issue is that mailing lists don't rewrite the from headers so despite having been forwarded through the mailing list server the original sender is still shown in the headers, only the mailing list server isnt really supposed to be sending mail *from* other people's addresses...

So either you allow mail to come from anywhere with any sender address, which lets mailing lists and email forwarding work fine but also makes spoofed spam very easy...
Or you don't, and break the above...

Really legit mailing lists should be rewriting the sender headers to reflect that the mail has been redelivered by the mailing list, the only difficulty this would cause is when users try to reply directly to messages rather than forwarding their replies to the list itself.

Re:SPF..

[Zocalo]

A better solution might be to move the original sender's "From" to another header ("Return-Path", "Reply-To", - whatever works best for the list software/admin) and set a new "From" to an address that would feed any replies to the list's submission/moderation queue. If the address of the person replying is on the mailing list or the list accepts any submission address, it goes into the normal queue for remailing, if not it either gets discarded as a bogus reply that is probably spam or goes into a moderation queue, depending on the list.

This is still an implementation flaw in the way DMARC and SPF work with mailing lists rather than a problem with mailing lists though, so the onus really belongs with DMARC and SPF to better provide a way to support mailing lists. Including a way to specify in the DMARC/SPF configuration for the that the sender is a mailing list and that they need to validate the original sender against a different header instead - "X-Originally-From", rather than the mailing list's domain in the current "From", perhaps?

Re:SPF..

[Obfuscant]

There really ought to be a better way to handle this.

RFC822 has been obsoleted at least twice now. The current standard (RFC5322) says this about the origination headers:

The originator fields indicate the mailbox(es) of the source of the message. The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.

In other words, any mailing list that rewrites the From header field is wrong. It is also wrong for it to rewrite the Sender field, since the mailing list is not the "agent" responsible for the actual transmission of the message. It is only a transport agent, not an initiator. In the contextual history of RFC*22, the Sender is the person (secretary, e.g.) who sent the message when that person is not the author.

And, additionally: "In all cases, the 'From:' field SHOULD NOT contain any mailbox that does not belong to the author(s) of the message." While that's only a SHOULD not, it is still relevant and shows the intent of that header.

I've found the room full of horse droppings. I'm sure there's a pony around here somewhere. I'll let you ride him when I find him.

Re:But who uses Yahoo! mail?

[Jeremiah+Cornelius]

Microsoft does the same for Hotmail/Live/Outlook. They claim suspicious use of your account was detected, and that to return access to you, you must change password, with a supplied phone number for secondary account control.

Bullshit. I had this happen across 5 MS hosted mail accounts in the same week - each were purpose-specific accounts to legitimately isolate commercial activity.

Google? The bastards try to wheedle your mobile number out of you at every PW change or update. They practically hide the UI to bypass this request.

Needles to say, all three are used only as "burner" addresses, now.

Re:Am I understanding this correctly?

[pdclarry]

It's not blocking relayed mail in the usual sense. Most mailing lists use the original poster's email address as the FROM field so everyone on the list knows who posted the message. The SENDER field contains the actual list address. And that should match the sending server's IP address. So reverse DNS and SPF (and DKIM if enabled) will validate the SENDER as the list server software. The REPLY TO will be either the list or the original poster, depending on list policy. DMARC requires that the FROM field also match the sending server, and ignores SPF and DKIM.

Re:But who uses Yahoo! mail?

[Adrian+Harvey]

Their best proposed solution is to ban Yahoo email users from mailing lists and encourage them to switch to other ISPs

What the #%^+? Since when is Yahoo an ISP?

Several ISPs outsource their customer email service to Yahoo. If you're with one of those, and especially if you use your ISP provided email address, then moving would fix it (or just move to gmail/outlook.com/whatever, you're mail is in the cloud now anyway, since your ISP moved it there)

Re:But who uses Yahoo! mail?

[wulfhere]

I don't know if they still do, but AT&T DSL customers used Yahoo mail as recently as last year.

Re:Back when the Internet Mail Consortium was a th

[pdclarry]

The thing to do here is to fix the MLM software to use the correct additional headers, rather than rewriting the headers the DMARC policy feels are important; in addition, this would allow the DMARC policy to "whitelist" based on the attached headers, assuming everything else wasn't a black mark, and avoid the "greylisting" that would happen ordinarily with most SPAM filtering systems in "medium posture" rather than "low posture" (i.e. the ones that have the concept of "suspect email" as a middle ground).

I think you will find that most MLM software uses correct additional headers. At least listserv and mailman (for the lists that I manage) do. We've been playing nicely with ISPs for years on our lists, we create no spam (once we fixed the bounceback spam problem 3 years ago) and generally are among the more well-behaved email users around. The problem is that Yahoo's implementation of DMARC is not using the additional headers. All it looks at is From.