
DMARC and Message Wrapping

I have groused at length about the damage that the anti-phishing technique DMARC does to e-mail discussion lists. For at least two years list managers and list software developers have been trying to figure out what to do about it. The group that brought us DMARC is working on an un-DMARC-ing scheme called ARC, which will likely help somewhat, but ARC isn’t ready yet, and due to ARC’s complexity it’s likely that there will be many medium or small mail systems that enforce DMARC and can’t or won’t use ARC.

The Internet Engineering Task Force, which writes technical standards for the Internet, works primarily through discussion lists, and the pain from DMARC has gotten to the point where we may do something about it. So we’ve been doing some experiments.

The DMARC problem is that mail sent through discussion lists is generally modified on the way through, most often with subject line tags or message footers. Those modifications invalidate the DKIM message signature, and the invalid signature makes DMARC misidentify the list mail as phishes.

There are a lot of DMARC workarounds (summarized here), all of which do some damage to the mail, but they damage it in different ways. Currently the most popular is to rewrite the From: line and replace the message author’s address with the list’s address. This satisfies DMARC, since it keys on the From: line address, but it messes up lists since it makes it hard to tell who actually wrote a message, and even harder to send a private reply to the author.

Another, less used, option is to wrap each message in an outer message as an attachment. The outer message is created by the list software, so it has no DMARC problems. The attached message is the original message, modified however the list software modified it, but since it’s an attachment, DMARC doesn’t care about it. Lists that send daily digests typically wrap messages in the same way, so you can think of this trick as turning every message into a one-message digest.

The good thing about message wrapping is that the wrapped message is exactly the one the list would have sent without DMARC. The bad thing is that user mail programs tend not to display wrapped messages very well. In the worst cases, the mail program doesn’t know how to display the message/rfc822 MIME part containing the wrapped message and just shows a box or a download link. Sometimes it shows the message but not the wrapped message’s headers, so you can’t see the From: or Subject: to tell who sent it or what it’s about. Often, even if you can see the From:, you can’t click on it, so there’s no way to send a response to the author other than manually cutting and pasting the address into a new message. And if there’s a Reply-To header, sometimes the mail program follows it, sometimes not. (We get the impression that displaying wrapped messages has never been a priority among mail program developers.)

To find out how wrapped messages work in various mail programs, I’ve written a little message wrapping ‘bot. You send a message to the bot, it wraps it a couple of ways and sends it back. The bot’s addresses are:

  • wrap@dmarc.fail: sends back wrapped versions with the message as the outer message’s only MIME part.
  • wrapm@dmarc.fail: sends back wrapped versions with two parts, a text introduction and the original message.
  • wrapr@dmarc.fail: same as wrap, but adds a Reply-To: header to the outer messages with the sender’s address.
  • wrapmr@dmarc.fail: same as wrapm, but adds a Reply-To: header to the outer messages with the sender’s address.

Each message is returned twice, once where the outer message has a normal looking From: line with a throwaway return address, and once with an empty group address. If you only get one copy back, look in your spam folder for the group address copy; on some systems it just disappears, since they (erroneously) reject the group address as bad syntax.
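Here is what the four wrapping variants and the empty-group From: look like when built with Python’s standard email library. This is an added illustration, not the bot’s own code; the sample post, the "Wrap Bot" return address and the "IETF list" group name are constructed assumptions.

```python
import email
from email import policy
from email.headerregistry import Group
from email.message import EmailMessage

# Constructed sample post, standing in for a subscriber's message after the
# list software tagged the subject (the change that breaks the author's DKIM signature).
ORIGINAL = b"""From: Alice <alice@example.com>
To: wrap@dmarc.fail
Subject: [list] hello
Message-ID: <constructed-1@example.com>
Content-Type: text/plain; charset=us-ascii

Hi, this is a test post.
"""


def wrap_message(raw, list_addr="Wrap Bot <wrap@dmarc.fail>", to="alice@example.com",
                 intro=None, reply_to_author=False, group_from=False):
    """Wrap a raw RFC 5322 message as a message/rfc822 part of a new outer message.

    intro=None      -> the wrapped message is the outer message's only MIME part ("wrap")
    intro="text"    -> multipart/mixed: text introduction + wrapped message ("wrapm")
    reply_to_author -> copy the author's From: into the outer Reply-To: ("wrapr"/"wrapmr")
    group_from      -> outer From: is the empty group "IETF list:;" instead of a real
                       address (the second copy the bot sends back)
    """
    inner = email.message_from_bytes(raw, policy=policy.default)
    outer = EmailMessage(policy=policy.default)
    # The outer headers belong to the list, so the list's own DKIM signature covers
    # them and DMARC is evaluated against the list's domain, not the author's.
    outer["From"] = Group("IETF list", []) if group_from else list_addr
    outer["To"] = to
    outer["Subject"] = str(inner["Subject"])
    if reply_to_author:
        outer["Reply-To"] = str(inner["From"])
    if intro is None:
        outer.set_content(inner)       # outer becomes Content-Type: message/rfc822
    else:
        outer.set_content(intro)       # text/plain introduction ...
        outer.add_attachment(inner)    # ... plus a message/rfc822 attachment
    return outer


if __name__ == "__main__":
    print(wrap_message(ORIGINAL, intro="Forwarded by the list.",
                       reply_to_author=True, group_from=True).as_string())
```

Feeding the output of `as_string()` to a mail program shows exactly the display problems described above, since the author’s headers live only inside the message/rfc822 part.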

Don’t send anything secret, since I keep copies of all the mail. The ‘bot is heavily rate limited to deter abuse and accidental or deliberate mail loops.

We’ve checked all of the major webmail providers and some popular desktop mail programs like Apple Mail and Thunderbird, but reports on other mail programs, particularly on tablets and phones, would be useful. How legible are the messages? How hard is it to reply to the list address (in this case, wrap@dmarc.fail or whatever) or to the author (you)?

By John Levine, Author, Consultant & Speaker
