
DMARC Secured Your Email Identity, But See How it Ruined Mailing Lists

Why people aren't posting on your mailing list

Just 10 lines of python 3 code show email's biggest problem:

import smtplib
from email.mime.text import MIMEText

msg = MIMEText('Just wanted to show you')
msg['Subject'] = 'Victim - let me show you iPhone 8'
# The From header is free text; nothing in SMTP itself checks it against the account you log in with
msg['From'] = 'Tim Cook Apple CEO <tim.cook@example.com>'  # real address stripped from the page; example.com placeholder
msg['To'] = 'victim@example.com'  # placeholder
# You connect to your OWN mail server with your OWN credentials; the From header above is unrelated
with smtplib.SMTP_SSL(host='smtp.example.com') as smtp:  # placeholder host
    smtp.login('you@example.com', 'password')  # placeholder account
    smtp.send_message(msg)

Email was originally designed for messages to be stored and forwarded multiple times before they reached their destination. Each server along the way just had to trust that the From header was correct. For many years there was no real way to verify that an email really came from the person the From header states.


What would you say if somebody faked your email?

Somebody fixed it, right?

In 2005, some smart people came up with SPF (Sender Policy Framework). It is a special TXT record that you put on your domain. When the receiving mail server gets a message claiming to be from Tim Cook, it looks up the SPF record for the sender's domain and checks whether that record lists the connecting server as one allowed to send messages for that domain.

But what if the server is not authorized? That's entirely up to the receiving mail server - but usually the result is just used as a spam signal. So your fake messages get delivered, and if you are lucky they don't even get marked as spam.
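As an added example (not code from the original post), here is a minimal SPF evaluator over a constructed DNS table, handling the ip4/ip6/include/all mechanisms. It shows the point above from the receiver's side: the qualifier in front of `all` (`-all` hard fail versus `~all` soft fail) is only the domain owner's request, and what the receiving server then does with a "fail" is still its own decision.

```python
import ipaddress

# Constructed DNS TXT data for this example (reserved example domains, not real ones).
DNS_TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.10 ~all",
    "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate domain's SPF record for a connecting client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record). Only the
    ip4/ip6/include/all mechanisms are handled; a/mx/exists would need live DNS.
    """
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"  # a mechanism without a prefix means 'pass if it matches'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]  # the catch-all decides what unlisted servers get
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        # include: only a 'pass' from the referenced record counts as a match
        if mech == "include" and check_spf(arg, client_ip, depth + 1) == "pass":
            return QUALIFIERS[qual]
    return "neutral"
```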

It wouldn't be the internet without competing specs. In 2004 DKIM, or DomainKeys Identified Mail, started development. Conceptually it is very simple: you generate a public/private key pair on your server and publish the public key in a special TXT record. Then for every mail you send, you use your private key to generate a signature over the message, which you include in the message as a header. The receiving server can choose to validate this signature against the published public key. But what does it do if the validation fails? Maybe use it as a spam signal?

So we have 2 competing specs for validating the emails. They both have a carrot, but no stick.

Enter DMARC - another system built on top of DKIM & SPF. DMARC is again another TXT record you add to your domain, but this one tells the receiving mail server what to do with the SPF and DKIM results. The 3 options are to do nothing, to quarantine failing messages, or to reject failing messages. Receiving servers will also send the domain owner statistics about what mail passed and failed. Finally, this is something that gives the "stick" to SPF and DKIM.

This is great right?

So this sounds great overall for the email ecosystem. Nobody will get spam messages from someone pretending to be Tim Cook. Or so I thought. Take a look at the deployment status of some big domains:

  • Reject failing messages - [domains stripped from the page] - very good and secure
  • Quarantine failing messages - [domains stripped from the page]
  • Do nothing - [domains stripped from the page] - these have no security

So I can still fake being Tim Cook, or maybe even someone from GitHub.


Security check from github... just click

Why would you not use DMARC?

Some companies might be using legacy software to send emails, such as old web apps, bad email marketing services, etc. That seems quite intuitive - these are all things that send email on the company's behalf, so every one of them has to be covered by SPF or DKIM before a strict policy can be switched on.

But many programmers still use email without DMARC, even on their personal domains. This is because turning it on means you can't post on mailing lists. All those LKML flame wars you can't join because of DKIM; what a catastrophe.

And the reason is simple. Mailing lists change messages. Some add footers with an unsubscribe button. Others add the list name to the subject line. Some change the Reply-To address. Any of these changes means the DKIM signature no longer matches the message. If you use DMARC in reject mode, the message won't get delivered, because of the broken signature.

Additionally, since DMARC also checks SPF against your From domain, the mailing list server can't send mails on your behalf. Only your own email server can do that.

So this means that mailing lists need to change. Google employees can't post on LKML because of DKIM. Maybe some users of old Mailman installations need to look at an upgrade:

Mailman 2

Upgrade the system please... and the CSS too!

The good news is that there is a solution, but it breaks from tradition. Mailing lists need to change the From address from the original sender to one that they control. Then it is all good - they can continue to rewrite subject lines and footers as much as they want, and simply re-sign the message, since it is now their From address and their DKIM key.
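As an added example (not the post's own code) tying the DMARC, mailing-list and From-rewriting paragraphs together, here is a minimal DMARC policy evaluator with the SPF/DKIM alignment check, applied to a constructed scenario: alice.example publishes p=reject and posts to a list at lists.example, first with the traditional unchanged From header and then with the list rewriting From and re-signing. The domains, records and the two-label organizational-domain shortcut are assumptions made for the example.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=r; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    return tags

def org_domain(domain: str) -> str:
    # Simplification: the last two labels stand in for the organizational domain
    # (real receivers consult the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the policy action ('none' / 'quarantine' / 'reject') to apply.

    DMARC passes if EITHER SPF passed for a domain aligned with the From header
    domain, OR a DKIM signature verified whose d= domain is aligned with it.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

# Constructed scenario: alice.example publishes p=reject and posts to a list at lists.example.
POLICIES = {"alice.example": "v=DMARC1; p=reject", "lists.example": "v=DMARC1; p=reject"}

def list_relay_result(rewrite_from: bool) -> str:
    """Disposition at a subscriber's server once the list has relayed Alice's post.

    The list's server is the SMTP client, so SPF can only pass for lists.example,
    and the footer / subject tag it added has broken Alice's DKIM signature.
    """
    if rewrite_from:  # list puts its own address in From and re-signs with its own key
        from_domain, dkim = "lists.example", ("pass", "lists.example")
    else:  # traditional list: From still says alice.example
        from_domain, dkim = "alice.example", ("fail", "alice.example")
    return dmarc_disposition(from_domain, POLICIES[from_domain],
                             "pass", "lists.example", dkim[0], dkim[1])
```

list_relay_result(False) returns 'reject' and list_relay_result(True) returns 'pass'; the same evaluator with p=none shows why the "do nothing" domains in the list above get no protection.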

Google Groups is doing it already for senders who have the "reject" DMARC policy. Modern mailing list replacement software like Discourse does it correctly too. Even good old Mailman can be configured correctly. Now is the time to care!
