Mailing List Archive

NANOG List posts and DMARC
Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.

Not sure who manages it anymore these days.

- Jared
Re: NANOG List posts and DMARC
Once upon a time, Jared Mauch <jared@puck.nether.net> said:
> Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.

The list is doing the DMARC handling (From rewrite) for senders with a
DMARC p=reject.
--
Chris Adams <cma@cmadams.net>
Re: NANOG List posts and DMARC
Once upon a time, Chris Adams <cma@cmadams.net> said:
> Once upon a time, Jared Mauch <jared@puck.nether.net> said:
> > Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.
>
> The list is doing the DMARC handling (From rewrite) for senders with a
> DMARC p=reject.

Oh, or someone just changed the config per your request. :) I have
p=none but my From got rewritten on this message.
--
Chris Adams <cma@cmadams.net>
Re: NANOG List posts and DMARC
On 8/2/22 11:18 AM, Chris Adams via NANOG wrote:
> Once upon a time, Chris Adams <cma@cmadams.net> said:
>> Once upon a time, Jared Mauch <jared@puck.nether.net> said:
>>> Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.
>> The list is doing the DMARC handling (From rewrite) for senders with a
>> DMARC p=reject.
> Oh, or someone just changed the config per your request. :) I have
> p=none but my From got rewritten on this message.

I think it's been doing this for ages. It was the first time I'd seen
From rewriting in the wild iirc.

I'm not understanding what problem Jared is talking about.

Mike
Re: NANOG List posts and DMARC
On Tue, 2022-08-02 at 11:24 -0700, Michael Thomas via NANOG wrote:
> On 8/2/22 11:18 AM, Chris Adams via NANOG wrote:
> > Once upon a time, Chris Adams <cma@cmadams.net> said:
> > > Once upon a time, Jared Mauch <jared@puck.nether.net> said:
> > > > Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.
> > > The list is doing the DMARC handling (From rewrite) for senders with a
> > > DMARC p=reject.
> > Oh, or someone just changed the config per your request. :) I have
> > p=none but my From got rewritten on this message.
>
> I think it's been doing this for ages. It was the first time I'd seen
> From rewriting in the wild iirc.

It's been doing it for ages for p=reject, but not p=none (the latter
being Jared's situation)

There are toggles in MM2 to do DMARC address rewriting for p=none and
p=quarantine in addition to p=reject.

-Jim P.
Re: NANOG List posts and DMARC
On 8/2/22 12:30 PM, Jim Popovitch via NANOG wrote:
> On Tue, 2022-08-02 at 11:24 -0700, Michael Thomas via NANOG wrote:
>> On 8/2/22 11:18 AM, Chris Adams via NANOG wrote:
>>> Once upon a time, Chris Adams <cma@cmadams.net> said:
>>>> Once upon a time, Jared Mauch <jared@puck.nether.net> said:
>>>>> Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.
>>>> The list is doing the DMARC handling (From rewrite) for senders with a
>>>> DMARC p=reject.
>>> Oh, or someone just changed the config per your request. :) I have
>>> p=none but my From got rewritten on this message.
>> I think it's been doing this for ages. It was the first time I'd seen
>> From rewriting in the wild iirc.
> It's been doing it for ages for p=reject, but not p=none (the latter
> being Jared's situation)
>
> There are toggles in MM2 to do DMARC address rewriting for p=none and
> p=quarantine in addition to p=reject.
>
I'm sort of surprised that an org would have p=reject when its users use
outside mailing lists. Most mailing lists probably don't even have From
rewriting or the mailing list operator is clueless about the problem.
(think: non-technical mailing lists).

Mike
Re: NANOG List posts and DMARC
It appears that Michael Thomas via NANOG <mike@mtcc.com> said:
>
>On 8/2/22 12:30 PM, Jim Popovitch via NANOG wrote:
>> It's been doing it for ages for p=reject, but not p=none (the latter
>> being Jared's situation)

I don't understand Jared's concern. His DMARC policy, like mine, is p=none
which tells receivers to do nothing DMARC-y with our messages. I don't get
any sort of blowback from nanog posts that I can recall seeing.

>I'm sort of surprised that an org would have p=reject when its users use
>outside mailing lists.

Unfortunately, we lost that battle a long time ago. It's "more secure" and
"best practice" so go away.

R's,
John
Re: NANOG List posts and DMARC
> On Aug 2, 2022, at 4:31 PM, John Levine via NANOG <nanog@nanog.org> wrote:
>
> It appears that Michael Thomas via NANOG <mike@mtcc.com> said:
>>
>> On 8/2/22 12:30 PM, Jim Popovitch via NANOG wrote:
>>> It's been doing it for ages for p=reject, but not p=none (the latter
>>> being Jared's situation)
>
> I don't understand Jared's concern. His DMARC policy, like mine, is p=none
> which tells receivers to do nothing DMARC-y with our messages. I don't get
> any sort of blowback from nanog posts that I can recall seeing.
>
>> I'm sort of surprised that an org would have p=reject when its users use
>> outside mailing lists.
>
> Unfortunately, we lost that battle a long time ago. It's "more secure" and
> "best practice" so go away.


Much like inline replies v top-posting, etc.

I did manage to get someone to flip the setting so hopefully I’m not getting a lot of bounce back from this e-mail.

Thanks to the kind soul who flipped the setting.

- jared
Re: NANOG List posts and DMARC
It appears that Jared Mauch <jared@puck.nether.net> said:
>Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our
>messages are possibly rejected, and the feedback from a post is quite large.

I checked with Jared and he seems to misunderstand the meaning of the
DMARC failure reports he is getting. (I get them too, lots of them,
and file and ignore them.) They do not indicate any sort of delivery
problem.

Please do *not* change the DMARC settings for p=none since it degrades
the list mail and makes it much harder to tell who is sending each
message and who to reply to.

R's,
John
Re: NANOG List posts and DMARC
On 8/2/22 1:16 PM, Jared Mauch wrote:
> Can someone flip the option in Mailman for DMARC please, it’s problematic as if one posts and does DMARC and has feedback on, our messages are possibly rejected, and the feedback from a post is quite large.
>
> Not sure who manages it anymore these days.

You can reach the admin at admins@nanog.org. The nanog-owner@nanog.org goes
there too, so there's practically no reason to go on list with such things.

The list is configured to wrap anyone posting from a domain with a
DMARC Reject/Quarantine Policy (dmarc_moderation_action). If you don't have
this set on your domain, the list will not wrap your message (which is the
correct behavior as it breaks other things).

Hit up the admin team and we'll look at it.
--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
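The policy-dependent From rewriting discussed in this thread, as an added sketch that is not part of any post and is not Mailman's code. The sender domains and TXT records are constructed, the DMARC lookup is simplified, and placing the author in Reply-To is this sketch's assumption; `munge_all=True` models a list that rewrites every post regardless of policy.

```python
from email.utils import formataddr, parseaddr

LIST_NAME, LIST_ADDR = "NANOG", "nanog@nanog.org"  # as seen in the thread's rewritten From

# Constructed stand-ins for _dmarc.<domain> TXT lookups (not real records).
SAMPLE_DMARC_TXT = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:agg@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine",
    "none.example": "v=DMARC1; p=none; ruf=mailto:fail@none.example",
    # norecord.example deliberately has no entry
}


def dmarc_policy(domain, txt=SAMPLE_DMARC_TXT):
    """Return the published p= value for domain, or None without a valid record.

    Simplified: no organizational-domain fallback and no sp= handling.
    """
    record = txt.get(domain.lower())
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def list_headers(from_header, munge_policies=("reject", "quarantine"), munge_all=False):
    """Return (From, Reply-To) as the list would send them.

    Default: rewrite only for p=reject/quarantine senders. munge_all=True
    models a list that rewrites every post. Keeping the author in Reply-To
    is an assumption of this sketch.
    """
    name, addr = parseaddr(from_header)
    policy = dmarc_policy(addr.rpartition("@")[2])
    if not (munge_all or policy in munge_policies):
        return from_header, None  # author's From header left as sent
    rewritten = formataddr((f"{name or addr} via {LIST_NAME}", LIST_ADDR))
    return rewritten, formataddr((name, addr))
```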
Re: NANOG List posts and DMARC
Once upon a time, Bryan Fields <Bryan@bryanfields.net> said:
> The list is configured to wrap anyone posting from a domain with a
> DMARC Reject/Quarantine Policy (dmarc_moderation_action). If you don't have
> this set on your domain, the list will not wrap your message (which is the
> correct behavior as it breaks other things).

That is not the case right now; it appears to be modifying ALL senders
since earlier today (about 12:20pm CDT). Your message has "From: Bryan
Fields via NANOG <nanog@nanog.org>" even though you have no DMARC record
at all.

--
Chris Adams <cma@cmadams.net>
Re: NANOG List posts and DMARC
On 8/2/22 8:46 PM, Chris Adams via NANOG wrote:
> Once upon a time, Bryan Fields <Bryan@bryanfields.net> said:
>> The list is configured to wrap anyone posting from a domain with a
>> DMARC Reject/Quarantine Policy (dmarc_moderation_action). If you don't have
>> this set on your domain, the list will not wrap your message (which is the
>> correct behavior as it breaks other things).
> That is not the case right now; it appears to be modifying ALL senders
> since earlier today (about 12:20pm CDT). Your message has "From: Bryan
> Fields via NANOG <nanog@nanog.org>" even though you have no DMARC record
> at all.


Yes, I'm trying to get to the bottom of what if anything happened with the
admin team.

This is really broken at this point as munging From breaks DKIM signing if
present in the original email.
--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net