[dmarc-discuss] How does *this* mailing list interact with dmarc?
zwicky at yahoo-inc.com
Wed Jun 20 11:31:23 PDT 2012
(yahoo.com is where the customers are; we don't send transactional mail from it.)
Yes, the fact that domains containing people behaving like random humans cannot use quarantine or reject is an issue. So are cousin domains, MUAs that don't display the entire From: address, and fraudulent mail originated from free email boxes, to name only problems DMARC doesn't solve that are very very closely related to problems it does solve.
Of these problems, domains-containing-humans is one of the ones most susceptible to procedural fixes, although they are painful ones. They involve strictly separating humans from transactional mail and setting up MUAs so they put up cute little "verified" icons only on transactional mail. Organizations vary a lot on how close they are to these goals.
On Jun 20, 2012, at 10:50 AM, Al Iverson wrote:
> On Wed, Jun 20, 2012 at 12:29 PM, Elizabeth Zwicky <zwicky at yahoo-inc.com> wrote:
>> Don't use quarantine or reject policies on domains that contain real users; use them on transactional domains.
>> Mailing lists and forwarding are both heavily used by real people and will break DMARC.
> That potentially leaves a hole in an anti-phishing/protection
> strategy, though, doesn't it?
> If you put a DMARC policy on yahoo.com but not on yahoo-inc.com, it
> feels like the bad guys will just phish with the latter domain
> instead of the former, leaving a protection gap. I'd love to hear your
> take on why this is or isn't a concern and how people ought to handle
> this potential case.
> Al Iverson