A fourth option for solving the problem of DMARC’s incompatibility with mailing lists – Part 3
We’ve looked at three options for solving the problem of mailing lists who have problems delivering email for domains that publish p=reject. None of the solutions are great. What else is there?
4. Play around with the From: address, or maybe even the Sender: and Reply-To: fields, to make it not fail DMARC
Another way to avoid failing DMARC is to fiddle around with the original message so that when it is relayed, it doesn’t fail DMARC.
One way is for the mailing list to set the Reply-To header with the original From address, and replace the original From address with the mailing lists’s address:
SMTP MAIL FROM: tzink@myPersonalDomain.com
DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; s=s2048;
d=myPersonalDomain.com
h=From:To:Subject:MIME-Version;
bh=<body hash #1>
b=<signature #1>
From: Terry Zink <tzink@myPersonalDomain.com>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Subject: Hi, I’m new here. Any good places to perform?
And relay it like this:
SMTP MAIL FROM: washingtonmagicians@mailinglist.com
DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; s=mailer;
d=mailinglist.org
h=From:To:Subject:MIME-Version;
bh=<body hash #2>
b=<signature #2>
From: Washington Magicians <washingtonMagicians@mailingList.org>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Reply-To: Terry Zink <tzink@myPersonalDomain.com>
Subject: [Washington Magicians] Hi, I’m new here. Any good places to perform?
List-Subscribe: https://washingtonmagicians.mailinglist.org
List-Post: washingtonmagicians\@mailinglist.org
List-ID: Washington Magicians
The advantage of doing it this way is that the mailing list can modify the content to its heart’s content. In this example, it added headers (which is always fine), modified the Subject and appended a footer and DKIM signs the entire message. Because the DMARC check is done on the new From: address, and the new From: address aligns with the domain that passed SPF and DKIM, DMARC passes.
But the new From: address is the mailing list, not the original sender. When anyone else replies to the list, the reply goes to the Reply-To field and not the From address. Or does it? It depends on what email client you are using. Microsoft Outlook may do it differently than the native iOS mail client which may do it different than Outlook for Mac.
This can be annoying. Another participant wants to reply to the list and instead of replying to everyone on the list, they reply to (get it?) the original sender directly instead of the original sender and the rest of the list. If you hit Reply All, you’ll expect to everyone (original From + the To which is the mailing list). But, your mail client may just include the Reply-To in which case you have to add the list manually.
But at least it passes DMARC.
Another way is to fiddle with the Sender: header. This is pretty much the same as the above except that instead of putting the original sender in the Reply-To, they are put into the Sender field:
SMTP MAIL FROM: washingtonmagicians@mailinglist.com
DKIM-Signature: v=1; a=rsa-sha2; c=relaxed/relaxed; s=mailer;
d=mailinglist.org
h=From:To:Subject:MIME-Version;
bh=<body hash #2>
b=<signature #2>
From: Washington Magicians <washingtonMagicians@mailingList.org>
To: Washington Magicians <washingtonMagicians@mailingList.org>
Sender: Terry Zink <tzink@myPersonalDomain.com>
Subject: [Washington Magicians] Hi, I’m new here. Any good places to perform?
List-Subscribe: https://washingtonmagicians.mailinglist.org
List-Post: washingtonmagicians\@mailinglist.org
List-ID: Washington Magicians
Once again, DMARC passes. And unlike the Reply-To trick, the reply does go to the From: address which is the entire mailing list. So that’s not bad. But most email clients other than Microsoft’s Outlook desktop client don’t even show you the Sender. For the above message, here’s how it looks:
Email client | Display in the reading pane |
Hotmail/outlook.com web client | Washington Magicians |
Gmail web client | Washington Magicians |
Outlook desktop | Terry Zink on behalf of Washington Magicians |
This suffers from a lack of clarity when the user reads it. In the case of Hotmail/outlook.com or Gmail, it tricks the user into think it was “Washington Magicians" that sent the message, but it’s not; it’s me (Terry Zink). This isn’t shown anywhere in the list view or the reading pane in two common web mail providers. It looks like the message is From the discussion list (which is correct) but doesn’t show the true author of the message (which is me).
For Outlook desktop, it does show the true author of the message but it has it backwards – it says me on behalf of Washington Magicians. That’s wrong, it’s actually Washington Magicians who are relaying the message on my behalf. If I sent the message, then I should be in the From: address. The intermediary is Sender:, not the From:.
Some mailing lists even do the following:
From: “'Terry Zink’ via Washington-Magicians” <washingtonMagicians@mailingList.org>
X-Original-From: Terry Zink <tzink@myPersonalDomain.com>
This is yet another way of playing around with the From: address. It shows who the original sender by displaying the Friendly From and that it was sent via the name of the mailing list, and pushes the original from address into the aptly named X-Original-From.
The problem with this solution is that most mail clients could care less about the X-Original-From, and the formatting of the From address – at least in Outlook desktop – is incorrect. It shows only the name of the mailing list <washingtonMagicians@mailingList.org> in the Reading Pane (but the list view is correct). In other words, it confuses email clients. Sometimes it works, sometimes it doesn’t.
So, while playing around with the From address works (i.e., gets around DMARC p=reject), the way the email is displayed to the end user is not all that clear. Either the reply-to-email experience is “off”, or the way the message is shown to the end user is off.
Furthermore, everyone in the mailing list gets the same From: email address. Is that really what we want? Email clients aren’t all going to update do show the correct thing, Apple does something different than Microsoft who does something different in Mozilla Thunderbird who does something different than Google (in Gmail and the native Android email app). Are we going to get all of these email client providers to update their software and get users to update their versions?
Almost definitely not.
Finally, there are some people that are philosophically opposed to rewriting the From: address in any way (you know who you are). The message that was sent should have the same From: address that is relayed to the rest of the group. If you fall into that camp, then all of this From: tweaking won't work for you.
From my point of view, From: rewriting is probably good enough in some cases but does suffer from the email rendering shortfalls.
=======================
So, what else is there?
Related articles in this series:
- Solving the problem of DMARC’s incompatibility with mailing lists – Part 1
- Three options for solving the problem of DMARC’s incompatibility with mailing lists – Part 2
- A fourth option for solving the problem of DMARC’s incompatibility with mailing lists – Part 3
Comments
Anonymous
May 29, 2015
This also sounds like something phishers would love: take an existing Paypal message, change links and rewrite From the way you describe.Anonymous
June 09, 2015
I've got a somewhat unrelated question, that only occurred to me when reading this blog, with regards to S/MIME in Exchange Online Advanced Threat Protection. The new 'Safe Links' feature prepends all hyperlinks in an email with a Microsoft URL which in turn transparently redirects to the destination URL if there is no reported malware. Would Safe Links still exhibit this behaviour (i.e. prepend the URL) if the message is signed by S/MIME? If so it would break the digital signature. Presuming that the link WAS prepended would the server wrap the original (signed) email in a separate envelope?Anonymous
June 14, 2015
@Ben: S/MIME messages are not rewritten.Anonymous
April 11, 2016
According to RFC2822, section 3.6.2: The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message.I take this as meaning that the mailing-list address should be set as the "Sender",and the original author as "From".This makes Outlook's (and others) display of on behalf of correct.