Page MenuHomePhabricator
Create Task
Maniphest T168467

Improve lists.wikimedia.org DMARC compatibility
Closed, ResolvedPublic
Actions

Description

There were a few previous issues discussing DMARC and mailing lists. Creating a new issue to capture current state and propose a DMARC compatible default setting for lists.wikimedia.org. Will try to include related issues, apologies in advance if I miss any.

Our current mailman version (2.1.18) supports DMARC sender filters which can conditionally modify a message for re-mailing in a DMARC compatible way. This can improve deliverability of messages from users of lists.wikimedia.org who have strict DMARC policies set by their email provider. However, these appear to be largely disabled today (although they can be optionally enabled by list admins on a per-list basis).

Proposing a setting of DEFAULT_DMARC_MODERATION_ACTION=1 (Munge From). This would by default rewrite (Munge) the From: header with the posters name 'via the list' and the list's address and merge the poster's address into Reply-To: for messages whose original From: domain publishes a DMARC policy of p=reject or p=quarantine. Additional options are outlined in detail at https://wiki.list.org/DEV/DMARC

Pros

  • Improve message delivery for lists.wikimedia.org users sending from DMARC enabled addresses.
  • Only modify messages that may have delivery issues if unmodified.
  • List administrators could still choose a different setting (as long as it has a higher value).

Cons

  • Additional overhead (DNS lookups, rewrites)
  • Change in behavior. Users may wonder why sender addresses and reply-to are different.
  • Inconsistent behavior. Depending on DMARC policy some messages would be from the original sender address, others from the list address.

Details

SubjectRepoBranchLines +/-
Change mailman DEFAULT_DMARC_MODERATION_ACTION to 1 (munge from)operations/puppetproduction+12 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

herron created this task.Jun 20 2017, 8:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 20 2017, 8:23 PM
herron added parent tasks: T66818: Mitigate strict DMARC policy on the mailing lists, Restricted Task, T121744: Mailing list emails bouncing due to DMARC policy violation, T58414: Get mail relay out of Yahoo! blacklist: apply to Yahoo for whitelisting bulk mail.Jun 20 2017, 8:33 PM
Nemo_bis subscribed.Jun 27 2017, 1:51 PM

The proposal is sensible.

Change in behavior. Users may wonder why sender addresses and reply-to are different.

Having a "false" From is extremely ugly: on the mailing lists I follow where the admins decided to rewrite the From headers, it's practically impossible to understand who said what in a conversation.

On the other hand this is a big advantage if applied to all lists which currently rewrite the From header unconditionally:

Only modify messages that may have delivery issues if unmodified.

Will you take care of updating the configuration on those lists (or at least warn their admins)?

gerritbot subscribed.Jun 27 2017, 4:07 PM

Change 361685 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] Change mailman DEFAULT_DMARC_MODERATION_ACTION to 1 (munge from)

https://gerrit.wikimedia.org/r/361685

gerritbot added a project: Patch-For-Review.Jun 27 2017, 4:07 PM
herron added a comment.Jun 27 2017, 5:02 PM

Having a "false" From is extremely ugly: on the mailing lists I follow where the admins decided to rewrite the From headers, it's practically impossible to understand who said what in a conversation. On the other hand this is a big advantage if applied to all lists which currently rewrite the From header unconditionally:

I agree. However, the proposed mailman setting would only "munge from" on senders with DMARC policies that would otherwise cause their mail to be dropped or flagged (p=reject or p=quarantine). It would be a tradeoff: false from address for more reliable delivery.

Will you take care of updating the configuration on those lists (or at least warn their admins)?

I've submitted a patch to make this the system wide default (https://gerrit.wikimedia.org/r/#/c/361685/) and was planning to give listadmins@ advance notice before (and if) merging. Are there other stakeholders who should be notified?

Nemo_bis added a comment.Jun 29 2017, 10:41 AM
In T168467#3383345, @herron wrote:

I've submitted a patch to make this the system wide default (https://gerrit.wikimedia.org/r/#/c/361685/) and was planning to give listadmins@ advance notice before (and if) merging. Are there other stakeholders who should be notified?

It would be nice to list the lists which currently munge the From and write to the corresponding -owner addresses. Few people use listadmins@. Thanks.

RobH moved this task from Backlog to Shell/site on the Wikimedia-Mailing-lists board.Jul 7 2017, 3:00 PM
herron moved this task from Backlog to Up Next on the Mail board.Jul 7 2017, 3:17 PM
Seb35 subscribed.Jul 18 2017, 8:21 PM

Recently a sender with a yahoo.fr address sent an email on the list wikimediafr ∂ lists.wikimedia.org (newly created) and Mailman unsubscribed many addresses (mostly gmail.com I think) because Gmail rejected the message (because of Yahoo DMARC policy). See this message in French from the moderator. The moderators just changed the DMARC behaviour to "Munge From".

Wikimédia France’s mailing list server had enabled a similar feature as “DEFAULT_DMARC_MODERATION_ACTION = 1” long time ago and it worked well; I dislike this feature but it’s better than non-delivery. The mailing list software is not Mailman but Sympa, but the feature is the same (=rewrite From headers when the sender is DMARC-strict).

Seb35 mentioned this in T146841: Reach out to Google about @yahoo.com emails not reaching gmail inboxes (when sent to mailing lists).Jul 18 2017, 8:34 PM
gerritbot added a comment.Aug 1 2017, 1:44 PM

Change 361685 merged by Herron:
[operations/puppet@production] Change mailman DEFAULT_DMARC_MODERATION_ACTION to 1 (munge from)

https://gerrit.wikimedia.org/r/361685

herron added a comment.Aug 1 2017, 1:53 PM

The DEFAULT_DMARC_MODERATION_ACTION=1 (Munge From) setting has been deployed to lists.wikimedia.org.

Additional information can be found at https://wikitech.wikimedia.org/wiki/Mailman#DMARC_Compatibility

herron triaged this task as Medium priority.Aug 1 2017, 1:54 PM
herron removed a project: Patch-For-Review.
herron moved this task from Up Next to In Progress on the Mail board.
herron closed this task as Resolved.Aug 2 2017, 3:00 PM
herron moved this task from In Progress to Done on the Mail board.Aug 2 2017, 5:22 PM
Dzahn subscribed.Nov 2 2017, 11:48 AM

Did this ticket also resolve/decline T146841 ?

revi mentioned this in T379517: Further improve DMARC compatibility on lists.wikimedia.org.Nov 11 2024, 6:16 AM
Maintenance_bot added a project: SRE.Nov 11 2024, 6:29 AM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptNov 11 2024, 6:29 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits