
DMARC

The IETF’s email system, which handles the IETF, IRTF, IAB and RFC Editor mailing lists, uses the DMARC [RFC 7489] scheme to deter email forgery, a technique commonly used by senders of spam.

DMARC lets a domain owner publish, in DNS, a policy stating whether mail that carries its domain in the “From” header must be authenticated and what receivers should do with mail that is not. Authentication is by DKIM [RFC 6376], which adds a cryptographic signature over the message headers and body under a signing domain, or by SPF [RFC 7208], which lists the IP addresses permitted to send mail on behalf of the envelope sender’s domain.

The receiver of a message checks whether it carries a valid DKIM signature or was sent from one of the SPF-listed IP addresses, and then whether the domain that passed (the DKIM signing domain or the SPF envelope-sender domain) matches the domain in the “From” header. If either check passes and the domains match, the message is “aligned” with the published DMARC policy and is processed normally. If the message is not aligned, the receiver applies the policy the domain owner published, for example filing the message as spam (p=quarantine) or refusing it outright (p=reject).

Unfortunately, DMARC does not take mailing lists into account. When a message passes through a list, the list usually modifies it (adding a subject tag or a footer, for instance) in a way that invalidates the author’s DKIM signature. In addition, the list’s copy is sent from the list system’s own IP address with the list’s own envelope sender, so the SPF check does not pass for the author’s domain either. Messages relayed by mailing lists therefore become DMARC “unaligned”, and recipient systems that enforce the author domain’s policy, which includes all of the largest mail providers, reject them or hide them in spam folders.
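The alignment check described above, as an added example that is not the IETF’s or any receiver’s code: it decides whether a message passes DMARC from the “From” domain, the domain of a DKIM signature that verified, and the envelope-sender domain of a passing SPF check, and it shows why the mailing-list case fails. The tiny public-suffix table and the three scenarios are constructed for the example; a real receiver uses the full Public Suffix List, and the relaxed alignment mode used by default here is DMARC’s default (adkim=r, aspf=r), not a statement about any particular domain’s record.

```python
"""Minimal DMARC identifier-alignment check (added example, not IETF code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Public Suffix List so this runs offline.
PUBLIC_SUFFIXES = {"org", "com", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the registrable domain, e.g. 'dmarc.ietf.org' -> 'ietf.org'."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """True when an authenticated domain aligns with the From: domain.

    mode is the DMARC adkim/aspf value: 's' (strict, exact match) or
    'r' (relaxed, same organizational domain).  None means that
    authentication method did not pass at all.
    """
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str              # domain of the From: header address
    dkim_domain: Optional[str]    # d= of a signature that verified, else None
    spf_domain: Optional[str]     # MAIL FROM domain if SPF passed, else None


def dmarc_pass(r: AuthResult, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes if at least one authenticated identifier aligns."""
    return aligned(r.from_domain, r.dkim_domain, adkim) or aligned(
        r.from_domain, r.spf_domain, aspf
    )


# Constructed scenarios.
# 1. Author mails a recipient directly: signature intact, sent from example.org's MTA.
DIRECT = AuthResult("example.org", "example.org", "example.org")
# 2. Same message relayed by a list that does not rewrite From:. The list's
#    footer broke the DKIM signature and the list's MTA sent it with its own
#    envelope sender, so nothing authenticated belongs to example.org.
VIA_LIST_UNREWRITTEN = AuthResult("example.org", None, "ietf.org")
# 3. Relayed with From: rewritten to dmarc.ietf.org and re-signed by ietf.org.
VIA_LIST_REWRITTEN = AuthResult("dmarc.ietf.org", "ietf.org", "ietf.org")

if __name__ == "__main__":
    for label, r in [("direct", DIRECT), ("list, unrewritten", VIA_LIST_UNREWRITTEN),
                     ("list, rewritten", VIA_LIST_REWRITTEN)]:
        print(f"{label:18s} DMARC pass = {dmarc_pass(r)}")
```

Scenario 3 passes only under relaxed alignment: the From: domain dmarc.ietf.org and the signing domain ietf.org share the organizational domain ietf.org but are not identical, so a strict adkim/aspf setting would fail it.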

This problem affects every mailing list in the world, including the IETF’s. Different list systems address it in different ways. After some experiments, the IETF chose an approach that rewrites the author’s address so that the relayed message satisfies DMARC while the author remains recognizable.

Imagine that an incoming message has this From header:

From: Jane Programmer <jane@example.org>

If example.org publishes a DMARC policy of p=reject (or p=quarantine), that message would likely not reach recipients via a mailing list: after the list has processed it, neither the DKIM signature nor the sending IP address can be attributed to example.org.

To address this, the IETF mailing system rewrites the “From” line in the message header to be:

From: Jane Programmer <jane=40example.org@dmarc.ietf.org>

The original address becomes the local part of a mailbox at dmarc.ietf.org, with the “@” replaced by “=40” (0x40 is the ASCII code for “@”). The From: domain is now dmarc.ietf.org, and the IETF system adds its own DKIM signature under ietf.org. Because dmarc.ietf.org is a subdomain of the signing domain, the message is DMARC aligned under DMARC’s default relaxed alignment mode, and the recipient system delivers it.

Additionally, when list subscribers reply to a message, they may reply to the author directly instead of, or in addition to, the list. For that reason the IETF runs a forwarder that receives mail addressed to dmarc.ietf.org, extracts the original address from the local part, and delivers the reply to the original author. Subscribers can thus reply to authors in the usual way, at the cost of a detour through the IETF’s mail system.
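The rewrite and its reversal, as an added example serving both the From: rewriting paragraph and the forwarder paragraph; this is not the IETF’s list software, only a self-contained illustration of the scheme the page describes. Two details are this example’s own assumptions, not statements about the IETF system: a literal “=” in an original address is escaped as “=3D” before “@” becomes “=40”, so that decoding is an exact inverse for every input, and the rewrite is applied only when the author’s domain publishes p=quarantine or p=reject (the page does not say whether the IETF rewrites unconditionally). The DMARC TXT records and addresses are constructed sample input.

```python
"""From: rewriting for DMARC and its reversal (added example, not IETF code)."""
import re
from email.utils import formataddr, parseaddr
from typing import Optional

REWRITE_DOMAIN = "dmarc.ietf.org"  # the rewrite domain named on the page
_DECODE = {"3D": "=", "40": "@"}   # hex of the ASCII codes for '=' and '@'


def dmarc_policy(txt_record: str) -> Optional[str]:
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def needs_rewrite(txt_record: Optional[str]) -> bool:
    """Assumption for this example: rewrite only under an enforcing policy."""
    return dmarc_policy(txt_record or "") in {"quarantine", "reject"}


def encode_address(addr: str) -> str:
    """'jane@example.org' -> 'jane=40example.org'.

    '=' is escaped first (assumption: the page does not cover this case) so
    that decode_address() can never misread an original '=40' or '=3D'.
    """
    return addr.replace("=", "=3D").replace("@", "=40")


def decode_address(local_part: str) -> str:
    """Inverse of encode_address(), done in a single pass."""
    return re.sub(r"=(3D|40)", lambda m: _DECODE[m.group(1)], local_part)


def rewrite_from(from_header: str) -> str:
    """Rewrite a From: header value the way the page shows, keeping the name."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"not a usable From: address: {from_header!r}")
    return formataddr((name, f"{encode_address(addr)}@{REWRITE_DOMAIN}"))


def original_recipient(rewritten_addr: str) -> str:
    """What the forwarder does: recover the author's address from ours.

    Refuses addresses outside REWRITE_DOMAIN and local parts that do not
    decode to a real address, so the forwarder cannot be used as a relay.
    """
    local, _, domain = rewritten_addr.rpartition("@")
    if domain.lower() != REWRITE_DOMAIN:
        raise ValueError(f"not a {REWRITE_DOMAIN} address: {rewritten_addr!r}")
    original = decode_address(local)
    if "@" not in original:
        raise ValueError(f"local part does not encode an address: {local!r}")
    return original


def roundtrip(from_header: str) -> str:
    """Rewrite, then recover: must give back the author's original address."""
    _, rewritten = parseaddr(rewrite_from(from_header))
    return original_recipient(rewritten)


if __name__ == "__main__":
    # Constructed sample DMARC record for the author's domain.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org"
    header = "Jane Programmer <jane@example.org>"
    if needs_rewrite(record):
        header = rewrite_from(header)
    print(header)
    print("forwarder delivers to:", original_recipient(parseaddr(header)[1]))
```

The forwarder side deliberately rejects mail for any domain other than dmarc.ietf.org and any local part that does not decode to an address with an “@”; without those checks a forwarder that accepts arbitrary local parts is one step away from being an open relay.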