[dmarc-discuss] How does *this* mailing list interact with dmarc?

Derek Diget derek.diget+dmarc-discuss at wmich.edu
Wed Jun 20 11:38:27 PDT 2012


On Jun 20, 2012 at 12:50 -0500, Al Iverson wrote:
=>On Wed, Jun 20, 2012 at 12:29 PM, Elizabeth Zwicky <zwicky at yahoo-inc.com> wrote:
=>>
=>> Don't use quarantine or reject policies on domains that contain real 
=>>users; use them on transactional domains.  Mailing lists and 
=>>forwarding  are both heavily used by real people and will break 
=>>DMARC.
=>
=>That potentially leaves a hole in an anti-phishing/protection 
=>strategy, though, doesn't it? If you put a DMARC policy on yahoo.com 
=>but not on yahoo-inc.com, it feels like that the bad guys will just 
=>phish with the latter domain instead of the former, leaving a 
=>protection gap. I'd love to hear your take on why this is or isn't a 
=>concern and how people ought to handle this potential case.

...decloaking.....

I have been asking that question to myself as I have tried to follow 
SPF, DKIM, ADSP, and DMARC over the years.  We have spent 10+ years 
bringing all of our mail flow traffic back under one domain[1] and one 
set of systems for in-bound and out-bound (real users - local-net and 
road warriors, transactional, mailing lists).

I have not been able to get the layer 9 issues resolved for us to 
publish a DMARC record to get reports.  (I have for my home domains and 
really surprised on where those domains are being used even though 
they have had a SPF -all record for years.)

It seems to protect our domain[2], we need to go back and start using 
sub-domains[2] and the problems that they bring IMO.  This might make 
DMARC a non-starter for us.



Note 1: We blocked in-bound port 25 in the mid-90s to all except a 
half-dozen or so system in our /16.  Out-bound port 25 was early-00 
except for a dozen or so systems.  We had probably twenty domains for 
mail when we started to phase out departmental mail stores.


Note 2: .edu's are only allowed one .edu domain so we have to use 
sub-domains.  We can't do the yahoo.com/yahoo-inc.com.  I also believe 
using similar domains just cause more problems for domain protection.


-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************


More information about the dmarc-discuss mailing list