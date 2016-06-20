Home / Blogs

DMARC and Message Wrapping

  • Dec 20, 2016 10:51 AM PST
  • Comments: 0
  • Views: 750
Print Comment
By John Levine
John Levine

I have groused at length about the damage that anti-phishing technique DMARC does to e-mail discussion lists. For at least two years list managers and list software developers have been trying to figure out what to do about it. The group that brought us DMARC is working on an un-DMARC-ing scheme called ARC, which will likely help somewhat, but ARC isn't ready yet, and due to ARC's complexity, it's likely that there will be many medium or small mail systems that enforce DMARC and can't or won't use ARC.

The Internet Engineering Task Force, which writes technical standards for the Internet, works primarily through discussion lists, and the pain from DMARC has gotten to the point where we may do something about it. So we've been doing some experiments.

The DMARC problem is that mail sent through discussion lists is generally modified on the way through, most often with subject line tags or message footers, the modifications invalidate DKIM message signatures, and the invalid signature makes DMARC misidentify the list mail as phishes.

There are a lot of DMARC workarounds (summarized here,) all of which do some damage to the mail, but they damage the mail in different ways. Currently the most popular is to rewrite the From: line and replace the message author's address by the list's address. This satisfies DMARC since it keys on the From: line address, but it messes up lists since it makes it hard to tell who actually wrote a message, and even harder to send a private reply to the author.

Another less used option is to wrap the messages in outer messages as attachments. The outer message is created by the list software so it has no DMARC problems. The attached message is the original message, modified however the list software modified it, but since it's an attachment, DMARC doesn't care about it. List that send daily digests typically wrap messages in the same way, so you can think of this trick as turning every message into a one-message digest.

The good thing about message wrapping is that the wrapped message is exactly the one the list would have sent without DMARC. The bad thing is that user mail programs tend not to display wrapped messages very well. In the worse cases, the mail program doesn't know how to display the message/rfc822 MIME part containing the wrapped message and just shows a box or a download link. Sometimes it shows the message, but doesn't show the wrapped message's headers so you can't see the From: or Subject: to see who sent it or what it's about. Often if you can see the From:, you can't click on it, so there's no way to send a response to the author other than manually cutting and pasting the address into a new message. Or if there's a Reply-To header, sometimes the mail program follows it, sometimes not. (We get the impression that displaying wrapped messages has never been a priority among mail program developers.)

To find out how wrapped messages work in various mail programs, I've written a little message wrapping 'bot. You send a message to the bot, it wraps it a couple of ways and sends it back. The bot's addresses are:

  • wrap@dmarc.fail Send back wrapped versions with the message as the outer message's only MIME part.
  • wrapm@dmarc.fail Send back wrapped versions with two parts, a text introduction, and the original message.
  • wrapr@dmarc.fail Same as wrap, but add a Reply-To: header to the outer messages with the sender's address.
  • wrapmr@dmarc.fail Same as wrapm, but add a Reply-To: header to the outer messages with the sender's address.

Each message is returned twice, once where the outer message has a normal looking From: line with a throwaway return address, and one with an empty group address. If you only get one copy back, look in your spam folder for the group address, or on some systems, it just disappears since they (erroneously) reject the group address as bad syntax.

Don't send anything secret, since I keep copies of all the mail. The 'bot is heavily rate limited to deter abuse and accidental or deliberate mail loops.

We've checked all of the major webmail providers and some popular desktop mail programs like Apple Mail and Thunderbird, but reports on other mail programs, particularly on tablets and phones, would be useful. How legible are the messages? How hard is it to reply to the list address (in this case, wrap@dmarc.fail or whatever) or to the author (you)?

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Email

 
   
WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:
Print Comment

Comments

To post comments, please login or create an account.

Related Blogs

Interest in Cloud-Based Email Infrastructure Grows by 35% in 3rd Quarter of 2016

  • Oct 10, 2016
  • Comments: 0

Yahoo Collaborating With US Intelligence Agencies

  • Oct 05, 2016
  • Comments: 0

One-Click Unsubscription

  • Sep 30, 2016
  • Comments: 1

The Kindness of Strangers, or Not

  • Sep 20, 2016
  • Comments: 1

Trump's Fundraising Email - Bad Data Drives Delivery Problems

  • Jun 30, 2016
  • Comments: 0
View More

Related News

Encrypted Email Sign Ups Have Doubled Since Trump Victory, Says PortonMail

  • Nov 15, 2016
  • Comments: 0

NIST Publishes Guide for DNS-Based Email Security, Draft Open for Public Comments

  • Nov 02, 2016
  • Comments: 0

DNC Emails Hacked Using Fake Gmail Login Forms

  • Oct 17, 2016
  • Comments: 0

Massive Cyberattack Aimed at Flooding .Gov Email Inboxes With Subscription Requests

  • Aug 19, 2016
  • Comments: 0

Nearly 1 Million IP Addresses Used by Attackers on a Single Target

  • Jun 20, 2016
  • Comments: 0
View More

Explore Topics

Access ProvidersIPv6
BroadbandLaw
CensorshipMalware
Cloud ComputingMobile
CyberattackMultilinguism
CybercrimeNet Neutrality
CybersquattingP2P
Data CenterPolicy & Regulation
DNSPrivacy
DNS SecurityRegional Registries
Domain NamesRegistry Services
EmailSecurity
EnumSpam
ICANNTelecom
Intellectual PropertyTop-Level Domains
Internet GovernanceVoIP
Internet of ThingsWeb
Internet ProtocolWhite Space
IP AddressingWhois
IPTVWireless
View More

Industry Updates – Sponsored Posts

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Port25 Announces Release of PowerMTA V4.5r5

New Case Study: Jobtome.com Replaces 30 Postfix Servers with a Single PowerMTA

An Update on Port25 and the Future of PowerMTA - One Year Later​

Encrypting Inbound and Outbound Email Connections with PowerMTA

V12 Group Sustains Customer Satisfaction by Deploying PowerMTA for Launchpad Platform

PowerMTA Now Offers Scheduled Delivery Control

DKIM for ESPs: The Struggle of Living Up to the Ideal

Reactivation Campaign: Shared vs. Dedicated IPs

To Where are Bounce Messages Sent?

An Open Source Perspective on Commercial MTAs

Five Essential PowerMTA Configuration Tips

What's New With Port25's PowerMTA v4.5

New Feature in PowerMTA v4.5: IP Based Rate Limiting

Case Study: Emergency Response Systems Rely on Timely Messaging Through PowerMTA

Port25 Announces Next Major Release of Its Email Delivery Solution, PowerMTA

Case Study: How PowerMTA Transparent Deliverability Metrics Paves Way for Email Service Provider

Case Study: MailChimp Achieves Efficient Execution and Reliability with PowerMTA

Case Study: Emma Swaps Its SMTP Infrastructure for PowerMTA to Handle Growing Mail Volume

View More

Sponsored Topics

Port25

Email

Sponsored by
Port25
Verisign

Security

Sponsored by
Verisign
Afilias

DNS Security

Sponsored by
Afilias
Afilias - Mobile & Web Services

Mobile

Sponsored by
Afilias - Mobile & Web Services
View All Topics