- DMARC protection feature was introduced on Sympa 6.1.22 and 6.2
DMARC stands for “Domain-based Message Authentication, Reporting & Conformance”. It is spam & phishing protection setup by big mail providers such as yahoo or hotmail.
This is a quick update for now. If you want to learn more about DMARC and what awful things its rough application did to mailing lists manager, please read Related posts below.
ARC is intended to fix the problems introduced by DMARC by adding signature “seals” that show the chain of servers that processed a message. It is implemented along witn DKIM. Once ARC is more widely implemented, DMARC workarounds shouldn’t be needed.
To make a long story short: yahoo, then aol and probably others set the “
p=reject” tag in their DMARC DNS record. This means: reject anything that doesn’t match my security policies. OK. But Sympa and most mailing lists managers would break this policy, simply by changing the mail subject or the
yahoo requires DKIM valid - yahoo domain-signed - signature for any mails from its domain
Sympa would break this signature by changing the
Subject- which are parts of the yahoo signature
The messages to yahoo would bounce “for policy reason” but worse: messages sent to receipients whose domain applies yahoo DMARC policy would also bounce. Examples of such domains are gmail, hotmail, etc.
To fix it:
Install Net-DNS Perl module, if it have not been installed.
dmarc_protection_modeto the value you wish. For a quick correction on the most restrictive DMARc records, just add the following line to your sympa.conf:
This will have the following effect: mails from domains whose pollicy is to reject any mail not respecting its DMARC policy will be processed this way:
their DKIM and DomainKey signatures will be removed
From:field will be changed to a value you will set in the
dmarc_protection_other_emailparameter. You can define a value for this email or leave it blank. If so, the list email address will be set instead of the original sender address.
previous value of the
From:header field is saved in an
X-Original-From:header field for later inspection
previous value of the DKIM signature is saved in
X-Original-DKIM-Signature:field for later inspection.
You can get further customization of how to deal with DMARC by using the different Sympa dmarc_protection* parameters.
You can all thank Steve Shipway for his deep understanding of the problem and the patch he provided to solve the issue.