
Improve lists.wikimedia.org DMARC compatibility
Closed, ResolvedPublic

Description

There were a few previous issues discussing DMARC and mailing lists. Creating a new issue to capture current state and propose a DMARC compatible default setting for lists.wikimedia.org. Will try to include related issues, apologies in advance if I miss any.

Our current mailman version (2.1.18) supports DMARC sender filters which can conditionally modify a message for re-mailing in a DMARC compatible way. This can improve deliverability of messages from users of lists.wikimedia.org who have strict DMARC policies set by their email provider. However, these appear to be largely disabled today (although they can be optionally enabled by list admins on a per-list basis).

Proposing a setting of DEFAULT_DMARC_MODERATION_ACTION=1 (Munge From). This would by default rewrite (Munge) the From: header with the poster's name 'via the list' and the list's address and merge the poster's address into Reply-To: for messages whose original From: domain publishes a DMARC policy of p=reject or p=quarantine. Additional options are outlined in detail at https://wiki.list.org/DEV/DMARC

Pros

  • Improve message delivery for lists.wikimedia.org users sending from DMARC enabled addresses.
  • Only modify messages that may have delivery issues if unmodified.
  • List administrators could still choose a different setting (as long as it has a higher value).

Cons

  • Additional overhead (DNS lookups, rewrites)
  • Change in behavior. Users may wonder why sender addresses and reply-to are different.
  • Inconsistent behavior. Depending on DMARC policy some messages would be from the original sender address, others from the list address.
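The conditional rewrite proposed above, as an added Python example (not Mailman's own code and not part of the original task). The function names, the list name `Demo-l`, the `example` addresses and the TXT records are constructed for illustration, and the DMARC record is passed in as a string rather than looked up in DNS.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses, parseaddr

STRICT = {"reject", "quarantine"}  # policies that trigger the rewrite

def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or None if absent/invalid."""
    tags = {}
    for part in (txt_record or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def munge_from(msg, list_name, list_addr, txt_record):
    """Apply the Munge From rewrite in place; return True if msg was changed."""
    if dmarc_policy(txt_record) not in STRICT:
        return False  # p=none or no record: message is re-mailed unmodified
    name, addr = parseaddr(msg["From"])
    # Merge: keep any Reply-To the poster set, then add the poster's address.
    reply_to = getaddresses(msg.get_all("Reply-To", []))
    if addr.lower() not in {a.lower() for _, a in reply_to}:
        reply_to.append((name, addr))
    del msg["From"], msg["Reply-To"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    msg["Reply-To"] = ", ".join(formataddr(pair) for pair in reply_to)
    return True

# Constructed sample post and TXT records (hypothetical, not real DNS data).
RAW = ("From: Alice Example <alice@strict.example>\n"
       "To: demo-l@lists.example.org\nSubject: hello\n\nbody\n")
STRICT_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"
RELAXED_TXT = "v=DMARC1; p=none"

def demo(txt_record, raw=RAW):
    """Run the rewrite on a sample post; return (changed, From, Reply-To)."""
    msg = message_from_string(raw)
    changed = munge_from(msg, "Demo-l", "demo-l@lists.example.org", txt_record)
    return changed, msg["From"], msg["Reply-To"]

if __name__ == "__main__":
    for record in (STRICT_TXT, RELAXED_TXT, None):
        print(record, "->", demo(record))
```

Only the post from the `p=reject` domain is rewritten, which is the inconsistency listed under Cons: subscribers see the list address in From: for some posters and the original address for others.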


Event Timeline

herron created this task. Jun 20 2017, 8:23 PM
Restricted Application added a subscriber: Aklapper. Jun 20 2017, 8:23 PM

The proposal is sensible.

Change in behavior. Users may wonder why sender addresses and reply-to are different.

Having a "false" From is extremely ugly: on the mailing lists I follow where the admins decided to rewrite the From headers, it's practically impossible to understand who said what in a conversation.

On the other hand this is a big advantage if applied to all lists which currently rewrite the From header unconditionally:

Only modify messages that may have delivery issues if unmodified.

Will you take care of updating the configuration on those lists (or at least warn their admins)?

Change 361685 had a related patch set uploaded (by Herron; owner: Herron):
[operations/puppet@production] Change mailman DEFAULT_DMARC_MODERATION_ACTION to 1 (munge from)

https://gerrit.wikimedia.org/r/361685

Having a "false" From is extremely ugly: on the mailing lists I follow where the admins decided to rewrite the From headers, it's practically impossible to understand who said what in a conversation. On the other hand this is a big advantage if applied to all lists which currently rewrite the From header unconditionally:

I agree. However, the proposed mailman setting would only "munge from" on senders with DMARC policies that would otherwise cause their mail to be dropped or flagged (p=reject or p=quarantine). It would be a tradeoff: false from address for more reliable delivery.

Will you take care of updating the configuration on those lists (or at least warn their admins)?

I've submitted a patch to make this the system wide default (https://gerrit.wikimedia.org/r/#/c/361685/) and was planning to give listadmins@ advance notice before (and if) merging. Are there other stakeholders who should be notified?

I've submitted a patch to make this the system wide default (https://gerrit.wikimedia.org/r/#/c/361685/) and was planning to give listadmins@ advance notice before (and if) merging. Are there other stakeholders who should be notified?

It would be nice to list the lists which currently munge the From and write to the corresponding -owner addresses. Few people use listadmins@. Thanks.

herron moved this task from Backlog to Up Next on the Mail board. Jul 7 2017, 3:17 PM
Seb35 added a subscriber: Seb35. Jul 18 2017, 8:21 PM

Recently a sender with a yahoo.fr address sent an email on the list wikimediafr ∂ lists.wikimedia.org (newly created) and Mailman unsubscribed many addresses (mostly gmail.com I think) because Gmail rejected the message (because of Yahoo DMARC policy). See this message in French from the moderator. The moderators just changed the DMARC behaviour to "Munge From".

Wikimédia France’s mailing list server had enabled a similar feature as “DEFAULT_DMARC_MODERATION_ACTION = 1” a long time ago and it worked well; I dislike this feature but it’s better than non-delivery. The mailing list software is not Mailman but Sympa, but the feature is the same (=rewrite From headers when the sender is DMARC-strict).

Change 361685 merged by Herron:
[operations/puppet@production] Change mailman DEFAULT_DMARC_MODERATION_ACTION to 1 (munge from)

https://gerrit.wikimedia.org/r/361685

herron added a comment. Aug 1 2017, 1:53 PM

The DEFAULT_DMARC_MODERATION_ACTION=1 (Munge From) setting has been deployed to lists.wikimedia.org.

Additional information can be found at https://wikitech.wikimedia.org/wiki/Mailman#DMARC_Compatibility

herron triaged this task as Medium priority. Aug 1 2017, 1:54 PM
herron removed a project: Patch-For-Review.
herron moved this task from Up Next to In Progress on the Mail board.
herron closed this task as Resolved. Aug 2 2017, 3:00 PM
herron moved this task from In Progress to Done on the Mail board. Aug 2 2017, 5:22 PM
Dzahn added a subscriber: Dzahn. Nov 2 2017, 11:48 AM

Did this ticket also resolve/decline T146841?