
On Sun, Mar 02, 2025 at 11:17:35PM +0100, Florian Weimer wrote:
> Many mailing lists have moved away from Subject:/body rewriting because it breaks DKIM signatures and may prevent successful message delivery to recipients whose servers enforce the sender's DMARC policy. The alternative is to rewrite the From: line, at least for senders with restrictive DMARC policies, but this breaks other things.
And this is one of the great ironies of the entire DKIM/DMARC push: it breaks things that were working just fine for decades while (a) providing no anti-spam value [1] and (b) making the email forgery problem *much* worse [2].

---rsk

[1] I've been monitoring deployment over all email traffic to several dozen domains scattered across a number of servers scattered across a number of networks. And amusingly (or not), significantly more spam is correctly signed than non-spam. This should surprise nobody; it's been a repeated pattern with multiple technologies that were claimed to deal with spam effectively and have instead either had no real impact or made the problem worse.

[2] The convergence of multiple bad choices is in play here. First, the proliferation of new TLDs that have been rapidly overrun by abusers of all descriptions. Second, dubious choices in email user interfaces that obfuscate sender addresses. Third, equally dubious choices in email UIs that mark messages that pass validation as "signed" or "secure" or "certified" or whatnot. Fourth, the increasing inability of users to understand email address RHS, e.g., to distinguish example.com from example.tld or example.com.tld or exammple.com or exammple.tld. Fifth, many example.com's of the world don't send plaintext email messages; they mark them up with HTML and graphics and so on, which means that they're teaching their users that any message which *looks like* it's from them is really from them. Sixth, they also include URLs and encourage their users to use those URLs. Seventh, as everyone here is painfully aware, there are all kinds of hosting/cloud operations that will happily take example.tld's money even though they know full well they're not the real example.com and know equally full well what they're really doing. The result of all this is that users are being trained to fall for forgeries, and there is ample supporting infrastructure to make those forgeries effective.
Yeah, abusers will have a hard time successfully forging messages from example.com and getting them delivered: *but they don't have to* because example.tld (for ~1000 values of "tld") is available. And of course example.tld can recreate the language and appearance of messages from the real example.com at will, and can mimic the web site, which means that users will be presented messages that look like, feel like, smell like they're from example.com, are dutifully marked as "authentic" or whatever in their email client...and are all fakes that lead them to a fake web site.