Dispatches From The Geeks

News and Announcements from the MCS Systems Group

DMARC and you (with bonus story on mailing lists)

Hey, everybody!

So you’ve seen a couple of announcements about the lab setting a “DMARC” policy on outgoing mail. If you’re a mail wonk, you get it. If you’re not, and I’m sure most of you aren’t, I’m going to explain a few things about it and what it means to you. I’m really trying to remove as much of the tech jargon as I can, because it helps to understand the process a little better. This is a dry topic, I know. I’ll do what I can to assuage the boredom. And with that, let’s begin!

A long time ago, dinosaurs roamed the earth. Shortly thereafter, e-mail was invented.

Okay, it wasn’t quite like that, but the internet standards we’re using for e-mail today are by and large the same ones that were put in place all those many years ago. They were developed in a simpler time, when there was no security or spam or reality TV. Those very lax rules make it very easy to just send mail as whoever you want from wherever you want, and systems kinda just trust you’re not doing something malicious.

Obviously, those days are long gone. We’re all getting tons of spam, and even more annoying, tons of bounce messages from spam that’s pretending to be us!

To combat this, a bunch of rules and procedures were developed to better ensure the “From:” in an e-mail really is who it says it is. This all involves SPF, DKIM, and DMARC. I’m not going to explain the lower-level stuff about how these operate, so I’ll just say SPF and DKIM combine to show that mail came from where it claims and that the sending server is authorized to send for that domain, and DMARC tells the recipient what to do with the mail if those checks fail.

When Argonne sets a DMARC policy of “reject”, we’re saying to any mail server who listens to that sort of thing “If the mail claims to be from anl.gov and doesn’t pass these tests to show it’s from Argonne, reject it.”

It’s a sensible rule, and, thanks to some policy from above in the agency, it’s now a mandatory one. Soon every .gov will be doing the same thing (if they haven’t already).

As noted in the announcements from BIS, this will be going into effect soon. This will only affect mail that has a From: address ending in “anl.gov” and won’t affect you receiving mail from others.

“But wait, Craig!” I can hear you shouting, “You told us there was a bonus story on mailing lists!” I sure did, children! So gather round and get ready for part 2.

Many places (.gov and otherwise) have already implemented the policy above. lanl.gov, for one, has been doing it for a while. And many people who have email addresses with this policy set are users of our mailing lists. The very mailing lists like the one I’m sending this to you on! And ever since we started the process of getting this all ready to roll, we’ve become acutely aware of something thanks to error reports we get back from other email servers: mail’s been getting rejected already, and it has nothing to do with what we set our DMARC policy to.

Let me paint you a picture. Imagine I’ve got a big Bob Ross afro going on here – it’ll help.

john.doe@lanl.gov sends an email to bcfg-dev@mcs.anl.gov. It leaves LANL servers, comes here to MCS servers and the list happily sends it out to everyone on the list.

But, heavens to Murgatroyd, now we’ve got a problem. The mail claims to be from “john.doe@lanl.gov” but that’s not who’s delivering it. Nosiree, Bob, that looks like it’s coming from Argonne! Now, unless LANL lists Argonne as an acceptable sender for mail coming from lanl.gov, there’s only one course of action: reject it.

Now, we may at some point be able to convince other fed sites to add Argonne servers to their list of acceptable delivery agents, but that’s just a part of the problem. There are schools, private e-mail providers, other governments, and myriad other sources where this mail can originate.

There’s only one real solution for this. Mailman (our mailing list software) provides a fix for it. It’s a fundamental shift in how mailing list mail will look, though. The fix is to change the “From:” of the mail so it no longer looks like it’s coming from “john.doe@lanl.gov” but is instead coming from “John Doe via bcfg-dev@mcs.anl.gov”, with a Reply-To: of “john.doe@lanl.gov” set.
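To make the mailing-list failure concrete, here is a small simulation of the DMARC check the remote server does, covering both the SPF/DKIM/DMARC description earlier in the post and the bcfg-dev scenario just told. This is an added example, not code from the post, from Mailman, or from any Argonne system. It assumes the SPF and DKIM results have already been computed (real servers do DNS lookups and signature verification for that), it simplifies the “organizational domain” to the last two labels instead of using the Public Suffix List, it honours only the `p=` tag of a DMARC record, and the DMARC records, addresses and messages in it are constructed for the illustration, not real records.

```python
"""Simplified DMARC evaluation and Mailman-style From: rewriting (added example)."""
from dataclasses import dataclass
from email.utils import formataddr, parseaddr
from typing import Optional


def org_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels (mcs.anl.gov -> anl.gov).
    # Real DMARC implementations consult the Public Suffix List instead.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str) -> bool:
    # "Relaxed" alignment: the From: domain and the authenticated domain share an org domain.
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc_record(txt: str) -> dict:
    # Parse a TXT record such as "v=DMARC1; p=reject; rua=mailto:..." into tag -> value.
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


@dataclass
class AuthResults:
    """What the receiving server established before DMARC runs (assumed, not looked up)."""
    spf_domain: str              # domain of the envelope sender (MAIL FROM)
    spf_pass: bool               # did that domain's SPF record authorize the delivering server?
    dkim_domain: Optional[str]   # d= of a DKIM signature that verified, or None if none did


def evaluate(msg_from: str, auth: AuthResults, dmarc_records: dict) -> str:
    """Return 'pass', or the policy to apply ('reject', 'quarantine', 'none')."""
    _, addr = parseaddr(msg_from)
    from_domain = addr.rpartition("@")[2]
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain)
    dkim_ok = auth.dkim_domain is not None and aligned(from_domain, auth.dkim_domain)
    if spf_ok or dkim_ok:            # DMARC passes if either aligned check passes
        return "pass"
    record = dmarc_records.get(org_domain(from_domain))
    if record is None:               # no policy published: receiver just delivers
        return "none"
    return parse_dmarc_record(record).get("p", "none")


def list_rewrite(original_from: str, list_addr: str) -> tuple:
    """The fix the post describes: From: becomes the list, the poster moves to Reply-To:."""
    name, addr = parseaddr(original_from)
    display = f"{name or addr} via {list_addr.split('@')[0]}"
    return formataddr((display, list_addr)), original_from


# Constructed records for the illustration; not the real DNS records of these domains.
DMARC_RECORDS = {
    "lanl.gov": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid",
}

POSTER = "John Doe <john.doe@lanl.gov>"
LIST = "bcfg-dev@mcs.anl.gov"


def scenario_results() -> dict:
    """Three deliveries of the same post, as seen by a DMARC-enforcing recipient."""
    # 1. Direct mail from LANL's own servers: SPF passes for lanl.gov and is aligned.
    direct = evaluate(POSTER, AuthResults("lanl.gov", True, "lanl.gov"), DMARC_RECORDS)
    # 2. Relayed through the list unchanged: the envelope sender is now the list's bounce
    #    address at mcs.anl.gov, and the list footer broke LANL's DKIM signature.
    relayed = evaluate(POSTER, AuthResults("mcs.anl.gov", True, None), DMARC_RECORDS)
    # 3. Relayed with From: rewritten to the list address: SPF for anl.gov is aligned.
    new_from, reply_to = list_rewrite(POSTER, LIST)
    munged = evaluate(new_from, AuthResults("mcs.anl.gov", True, None), DMARC_RECORDS)
    return {"direct": direct, "relayed": relayed, "munged": munged,
            "munged_from": new_from, "munged_reply_to": reply_to}


if __name__ == "__main__":
    for name, value in scenario_results().items():
        print(f"{name:16} {value}")
```

The second scenario is the one generating the error reports the post mentions: nothing about Argonne’s own DMARC policy is involved, the rejection comes entirely from the poster’s domain publishing `p=reject` and the list being an unauthorized sender for it. The same mechanism is why, once anl.gov publishes `p=reject`, anl.gov posters to lists that do not rewrite From: will see their mail dropped by enforcing recipients.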

I’m going to repeat that on a line by itself for the skimmers.

Soon, mailing list From: addresses will be from the list, not the sender.

I’m still waffling on when to make this change. I wanted to announce it first and with luck have some healthy brainstorming for other solutions if people had ideas. But my research and understanding of how DMARC policies work, coupled with the fact that mailman puts a config option to deal with this very case, tells me it’s probably the best solution.

And, to be clear, all this will accomplish is ensuring that mailing lists run by CELS Systems won’t get rejected by remote sites due to the From: address mismatch. (BIS also plans to implement this change on some of its mailing lists.) However, once BIS turns on “DMARC=reject”, if you send mail to a mailing list that’s not run by us, it could get dropped if the recipient obeys DMARC policies. Spoiler alert: gmail is one of those that does.

So, there you go. I won’t turn this on for any lists without warning. Well, that’s a lie, I just turned it on for *this very list*, so you can see what it looks like in the From line.

I’ve also turned it on in a new list I’ve created called “tech-discuss@cels.anl.gov” where we can have some back and forth about this. I thought about asking folks to bring it up in either “linux-users@mcs” or “mac-users@mcs”, but this isn’t a mac issue, and it’s not a linux issue. Oh, also, if you’re on one of those lists, I’ve invited you to subscribe to this list, too. Or just visit https://lists.cels.anl.gov/mailman/listinfo/tech-discuss and sign up there.

Cheers, and happy Friday!

Craig

Written by Craig Stacey

October 19, 2018 at 6:09 pm
