|
Next revision
|
Previous revision
|
dmarc [2020/12/13 17:25]
staff created |
dmarc [2023/10/26 20:49]
staff |
| ===== Background ===== | ===== Background ===== |
| |
| [[https://dmarc.org/|DMARC]] is a standard used to prevent senders from using a From address without being properly authorized to do so. What this means for mailing list senders like FreeLists is that we can't use your address in the From: header -- this is the default and generally how mailing lists work -- for domains who have a DMARC policy that indicates mail should be rejected if it fails DMARC checks. | [[https://dmarc.org/|DMARC]] is a standard used to prevent senders from using a From address without being properly authorized to do so. What this means for mailing list senders like FreeLists is that we can't use your address in the ''From:'' header -- this is the default and generally how mailing lists work -- for domains who have a DMARC policy that indicates mail should be rejected if it fails DMARC checks. |
| |
| DMARC puts FreeLists in a difficult position: We're essentially required to sign/authenticate mail we're sending on your behalf with SPF and DKIM to ensure deliverability, yet for ease of use we want to maintain the original From: header so subscribers know who sent the message. DMARC prevents the combination of these conditions. | DMARC puts FreeLists in a difficult position: We're essentially required to sign/authenticate mail we're sending on your behalf with SPF and DKIM to ensure deliverability, yet for ease of use we want to maintain the original ''From:'' header so subscribers know who sent the message. DMARC prevents the combination of these conditions. |
| |
| ==== Official Remedies ==== | ===== Official Remedies ===== |
| |
| DMARC itself offers some solutions: | DMARC itself offers some solutions: |
| [[https://dmarc.org/wiki/FAQ#senders|I operate a mailing list and I want to interoperate with DMARC, what should I do?]] | [[https://dmarc.org/wiki/FAQ#senders|I operate a mailing list and I want to interoperate with DMARC, what should I do?]] |
| |
| Section 3 off their guidance offers the only viable set of options -- we somehow have to replace the From: address with something else -- so that's what we'll discuss next. (Depending on your list's configuration one of "A," "B," or "C" apply.) | Section 3 off their guidance offers the only viable set of options -- we somehow have to replace the ''From:'' address with something else -- so that's what we'll discuss next. (Depending on your list's configuration one of "A," "B," or "C" apply.) |
| |
| === How FreeLists Handles DMARC === | ===== How FreeLists Handles DMARC ===== |
| |
| First, FreeLists detects domains that publish reject policy DMARC records. If your domain doesn't participate in DMARC or publishes a DMARC policy that isn't junk or reject, we take no action. | First, FreeLists detects domains that publish reject policy DMARC records. If your domain doesn't participate in DMARC or publishes a DMARC policy that isn't junk or reject, we take no action. |
| |
| Second, if necessary, FreeLists modifies the From: header of the post to your mailing list. We replace ''user@domain.com'' with ''dmarc-noreply@freelists.org'' and move other bits of the From: header to the comment section (if made available by the sender) to improve usability. | Second, if necessary, FreeLists modifies the ''From:'' header of the post to your mailing list. We replace ''user@domain.com'' with ''dmarc-noreply@freelists.org'' and move other bits of the ''From:'' header to the comment section (if made available by the sender) to improve usability. |
| |
| If your subscriber's domain uses DMARC and the From: header was originally: | If your subscriber's domain uses DMARC and the ''From:'' header was originally: |
| |
| ''From: Jane Doe <jdoe@baddomain.com>'' | <code> |
| | From: Jane Doe <jdoe@baddomain.com> |
| | </code> |
| |
| We'll replace that with: | We'll replace that with: |
| |
| ''From: "Jane Doe" <dmarc-noreply@freelists.org> (Redacted sender "jdoe" for DMARC)'' | <code> |
| | From: "Jane Doe" <dmarc-noreply@freelists.org> (Redacted sender "Jane Doe" for DMARC) |
| | </code> |
| |
| This allows other subscribers on the list to get the best available understanding of who the message came from while complying with DMARC. //The exact format of this header is subject to change as we strive to improve usability.// | This allows other subscribers on the list to get the best available understanding of who the message came from while complying with DMARC. //The exact format of this header is subject to change as we strive to improve usability.// |
| |
| == Improving usability == | === Improving usability === |
| |
| Notice how we form the From: header. To improve usability it's important for your subscribers to put their name (it doesn't have to be their real name!) into the From: header in their email client. | Notice how we form the ''From:'' header. To improve usability it's important for your subscribers to put their name (it doesn't have to be their real name!) into the ''From:'' header in their email client. |
| |
| == Big domains and DMARC == | We do our best to maintain the Reply-to: header. If your list uses the ''reply-to-sender'' setting the original sender should be copied here so replies go back to the expected source. |
| | |
| | We add a ''X-original-sender:'' header that contains the original sender. While list subscribers can see this if they go looking at a message's full headers this is mostly intended for list admin troubleshooting. |
| | |
| | === Big domains and DMARC === |
| |
| Unfortunately the Yahoo/Verizon/AOL/Comcast email conglomerate uses DMARC, affecting a vast swath of FreeLists subscribers. Notably though Gmail does not. | Unfortunately the Yahoo/Verizon/AOL/Comcast email conglomerate uses DMARC, affecting a vast swath of FreeLists subscribers. Notably though Gmail does not. |
| The following domains don't use DMARC correctly or have incorrect DMARC-like email implementations that force us to employ the DMARC workaround anyway: micron.com, sbcglobal.net, rogers.com, sky.com, ymail.com, btinternet.com, handsonsa.org, mail.ru, and cisa.dhs.gov. | The following domains don't use DMARC correctly or have incorrect DMARC-like email implementations that force us to employ the DMARC workaround anyway: micron.com, sbcglobal.net, rogers.com, sky.com, ymail.com, btinternet.com, handsonsa.org, mail.ru, and cisa.dhs.gov. |
| |
| == Implementation notes == | === Implementation notes === |
| |
| Don't change your ''union-lists'' setting or if you do, be very careful. Our DMARC protection works due to a feature of FreeLists known as ''union-lists'' where subscribers of another list are allowed to post on your list but don't receive its posts. | Don't change your ''union-lists'' setting or if you do, be very careful. Our DMARC protection works due to a feature of FreeLists known as ''union-lists'' where subscribers of another list are allowed to post on your list but don't receive its posts. |
| |
| If the person posting to your list is from a DMARC domain //and isn't a subscriber// we'll change the address to ''dmarc-noreply-outsider@freelists.org'' in the message to list admins requesting approval to post. | If the person posting to your list is from a DMARC domain //and isn't a subscriber// we'll change the address to ''dmarc-noreply-outsider@freelists.org'' in the message to list admins requesting approval to post. |
| |
| |
| |
| |
