Yahoo DMARC breakage

Ted Hatfield ted at io-tx.com
Wed Apr 9 21:33:08 UTC 2014


On Wed, 9 Apr 2014, Valdis.Kletnieks at vt.edu wrote:

> On Wed, 09 Apr 2014 17:15:59 -0400, William Herrin said:
>
>> Meh. This just means list software will have to rewrite the From
>> header to "From: John Levine <nanog at nanog.org>" and rely on the
>> Reply-To header for anybody who wants to send a message back to the
>> originator.
>>
>> Maybe this is a good thing - we can stop getting all the "sorry I'm
>> out of the office" emails when posting to a list.
>
> The sort of programmer that writes out-of-mind software that doesn't
> employ the long well-known heuristics for detecting mailing lists
> (starting with checking Return-Path: for "owner-" and similar) will also
> likely disregard the Reply-To: header.  This Is Not A Good Thing.
>


According to the DMARC FAQ at http://dmarc.org/faq.html

Q:  I operate a mailing list and I want to interoperate with DMARC, what
should I do?

DMARC introduces the concept of aligned identifiers. It means the domain
in the from header must match the d= in the DKIM signature and the domain
in the mail from envelope.

1: operate as a strict forwarder, where the message is not changed and
the validity of the DKIM signature is preserved

2: introduce an "Original Authentication Results" header to indicate
you have performed the authentication and you are validating it

3: take ownership of the email, by removing the DKIM signature and
putting your own as well as changing the from header in the email to
contain an email address within your mailing list domain.


Option 1 is out of the question.  Option 3 is what a lot of people are
starting to do.  Can anybody tell me what exactly option 2 is?

What exactly is an "Original Authentication Results" header?

I'm already doing my own research but if someone can give a concise answer
as to what it is that would be appreciated.


Ted Hatfield
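
Option 3 from the FAQ excerpt above, as an added example that is not part of the original post and not any list software's own code: the author's DKIM signature is dropped, the list address goes into From, and the author is kept in Reply-To. The addresses, the "via list" display name and the sample message are constructed assumptions; signing with the list's own key is left to the outbound signer.

```python
from email import message_from_string
from email.utils import parseaddr, formataddr

# Constructed sample post (not taken from the thread).
SAMPLE = """\
From: Alice Example <alice@yahoo.example>
To: list@lists.example.org
Subject: test post
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.example; s=s1; h=from:subject; bh=AAAA; b=BBBB

Hello list.
"""

def dkim_domains(msg):
    """Return the d= domain of every DKIM-Signature header on the message."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
        domains.append(tags.get("d", "").strip().lower())
    return domains

def from_domain(msg):
    """Domain of the From header address, the identifier DMARC aligns against."""
    return parseaddr(msg["From"])[1].rpartition("@")[2].lower()

def take_ownership(msg, list_addr):
    """Option 3: remove the author's signature and rewrite From to the list."""
    name, author = parseaddr(msg["From"])
    # The list has modified the message, so the old signature would no longer
    # verify; del removes every DKIM-Signature header present.
    del msg["DKIM-Signature"]
    # Keep a route back to the author unless one was already supplied.
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, author))
    del msg["From"]
    msg["From"] = formataddr((f"{name or author} via list", list_addr))
    return msg

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print("before:", from_domain(m), dkim_domains(m))
    take_ownership(m, "list@lists.example.org")
    print("after: ", from_domain(m), dkim_domains(m))
    print(m.as_string())
```

After the rewrite the From domain is the list's own, so a signature the list adds with d= set to that domain is aligned with it.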



