It gets worse.
Combine authentication-failure reports, VERP, mailing-lists and what appears to be a buggy verifier.
VERP is Variable Envelope Return Path, a name for a technique where a mailing-list encodes information about the recipient's email address into the SMTP Envelope Sender. This is used so that if there is a delivery problem, the "bounce" which comes back will, for any not-massively-broken mail-system generating the bounce, identify the subscriber to the list who had problems. This way, the list can automatically disable delivery as needed, etc.
I sent mail today to a mailing-list; the list did not adjust the content of the message in a way that affected DKIM verification: the copy I received back passed DKIM verification. The list uses VERP. I sign with DKIM and have a DMARC policy published in DNS.
As a result, 163.com have let me know the exact email address for one of their users who is subscribed to the mailing-list.
The message sent was “multipart/report”, which is reasonable and expected. The first part was the human-targeted blurb:
This is a spf/dkim authentication-failure report for an email message received from IP 18.104.22.168 on Wed, 18 Jul 2012 07:58:45
Below is some detail information about this message:
1. SPF-authenticated Identifiers: none;
2. DKIM-authenticated Identifiers: none;
3. DMARC Mechanism Check Result: Identifier non-aligned, DMARC mechanism check failures;
The second part was of type “message/feedback-report” and here is the censored content:
Arrival-Date: Wed, 18 Jul 2012 07:58:45 +0800
Authentication-Results: 163.com; spf=none smtp.mailfrom=LISTNAME-return-17180-RECIPLHS=163.com@LISTDOMAIN
So, I receive back a copy of the message because I'm subscribed, and it passes validation. Somewhere between the list hosting in the USA and the recipient's email provider in China, something happened to the message which caused DKIM validation to fail; the mailing-list was in the envelope sender, etc., but the DMARC policy for the email address used in the From: header resulted in the DMARC notification recipient for my domain spodhuis.org finding out about a recipient of the mailing-list.
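To make the disclosure concrete, here is an added example (not code from the original post, nor from any list software or verifier it mentions) that takes the censored Authentication-Results line above, pulls out the smtp.mailfrom identifier, decodes the VERP-style envelope sender into the subscriber address it encodes, checks DMARC identifier alignment against the From: domain the way a verifier would, and produces a redacted copy of the line that a report generator could send instead. The VERP layout `LIST-return-SEQ-LOCALPART=DOMAIN@LISTDOMAIN` is inferred from the pattern shown in the report; the organizational-domain approximation (last two labels, in place of the Public Suffix List) and the placeholder values LISTNAME, RECIPLHS and LISTDOMAIN are assumptions carried over from the post.

```python
import re

# Constructed sample, modelled on the censored Authentication-Results line from
# the post; LISTNAME / RECIPLHS / LISTDOMAIN are the post's own placeholders.
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: 163.com; spf=none "
    "smtp.mailfrom=LISTNAME-return-17180-RECIPLHS=163.com@LISTDOMAIN"
)
# Domain in the RFC5322.From header of the original message (the signer's domain).
SAMPLE_FROM_DOMAIN = "spodhuis.org"

# Assumed VERP layout: <list>-return-<sequence>-<localpart>=<domain>@<listdomain>
VERP_RE = re.compile(
    r"^(?P<list>[^@]+?)-return-(?P<seq>\d+)-"
    r"(?P<lhs>[^@]+)=(?P<rhs>[^@=]+)@(?P<listdomain>[^@]+)$"
)


def extract_mailfrom(auth_results):
    """Return the smtp.mailfrom identifier from an Authentication-Results line."""
    m = re.search(r"smtp\.mailfrom=(\S+)", auth_results)
    return m.group(1) if m else None


def decode_verp(envelope_sender):
    """Recover the subscriber address encoded in a VERP envelope sender, or None."""
    m = VERP_RE.match(envelope_sender)
    if not m:
        return None
    return {
        "list": m.group("list"),
        "seq": int(m.group("seq")),
        "recipient": f"{m.group('lhs')}@{m.group('rhs')}",
        "list_domain": m.group("listdomain"),
    }


def organizational_domain(domain):
    """Assumption: approximate the Public Suffix List with the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_identifier_aligned(from_domain, authenticated_domain, relaxed=True):
    """DMARC alignment: does the authenticated identifier match the From: domain?"""
    a, b = from_domain.lower(), authenticated_domain.lower()
    if relaxed:
        return organizational_domain(a) == organizational_domain(b)
    return a == b


def redact_verp(auth_results):
    """Replace the subscriber-identifying part of a VERP sender with a marker."""
    mailfrom = extract_mailfrom(auth_results)
    verp = decode_verp(mailfrom) if mailfrom else None
    if verp is None:
        return auth_results
    safe = f"{verp['list']}-return-{verp['seq']}-[redacted]@{verp['list_domain']}"
    return auth_results.replace(mailfrom, safe)


def analyze_report_line(auth_results, from_domain):
    """Summarise what a failure report line reveals and what a safe copy looks like."""
    mailfrom = extract_mailfrom(auth_results)
    verp = decode_verp(mailfrom) if mailfrom else None
    mailfrom_domain = mailfrom.rsplit("@", 1)[-1] if mailfrom else None
    return {
        "mailfrom": mailfrom,
        "leaked_subscriber": verp["recipient"] if verp else None,
        "spf_aligned": bool(mailfrom_domain)
        and dmarc_identifier_aligned(from_domain, mailfrom_domain),
        "redacted_line": redact_verp(auth_results),
    }


if __name__ == "__main__":
    for key, value in analyze_report_line(SAMPLE_AUTH_RESULTS, SAMPLE_FROM_DOMAIN).items():
        print(f"{key}: {value}")
```

The alignment check reproduces the "Identifier non-aligned" verdict: the list's domain in the envelope sender does not match the From: domain, so with no surviving DKIM signature the verifier falls through to the DMARC policy and emits a report to the From: domain's owner, carrying the VERP address. The redacted form keeps the list name and sequence number, which is what a list operator needs to correlate the report, while dropping the one field that names the subscriber.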
For lists with open subscription, this isn't a major hole. For lists with closed subscriber lists, it is a troubling disclosure.
I think, but am not certain, that the problem in this case is a faulty email verifier at 163.com rather than a problem with the DMARC specification itself.
-The Grumpy Troll