[dmarc-discuss] How does *this* mailing list interact with dmarc?

Franck Martin fmartin at linkedin.com
Wed Jun 20 11:50:44 PDT 2012


It is notorious that people having a .edu email address use forwarding a lot, and that systems break DKIM in the process...

http://www.it.cornell.edu/services/cmail/howto/spoof.cfm

________________________________________
From: dmarc-discuss-bounces at blackops.org [dmarc-discuss-bounces at blackops.org] on behalf of Derek Diget [derek.diget+dmarc-discuss at wmich.edu]
Sent: Wednesday, June 20, 2012 11:38 AM
To: dmarc-discuss at dmarc.org
Subject: Re: [dmarc-discuss] How does *this* mailing list interact with dmarc?

On Jun 20, 2012 at 12:50 -0500, Al Iverson wrote:
=>On Wed, Jun 20, 2012 at 12:29 PM, Elizabeth Zwicky <zwicky at yahoo-inc.com> wrote:
=>>
=>> Don't use quarantine or reject policies on domains that contain real
=>>users; use them on transactional domains.  Mailing lists and
=>>forwarding  are both heavily used by real people and will break
=>>DMARC.
=>
=>That potentially leaves a hole in an anti-phishing/protection
=>strategy, though, doesn't it? If you put a DMARC policy on yahoo.com
=>but not on yahoo-inc.com, it feels like the bad guys will just
=>phish with the latter domain instead of the former, leaving a
=>protection gap. I'd love to hear your take on why this is or isn't a
=>concern and how people ought to handle this potential case.

...decloaking.....

I have been asking myself that question as I have tried to follow
SPF, DKIM, ADSP, and DMARC over the years.  We have spent 10+ years
bringing all of our mail flow traffic back under one domain[1] and one
set of systems for in-bound and out-bound (real users - local-net and
road warriors, transactional, mailing lists).

I have not been able to get the layer 9 issues resolved for us to
publish a DMARC record to get reports.  (I have for my home domains and
am really surprised at where those domains are being used even though
they have had an SPF -all record for years.)

It seems that to protect our domain[2], we need to go back and start using
sub-domains[2] and the problems that they bring IMO.  This might make
DMARC a non-starter for us.



Note 1: We blocked in-bound port 25 in the mid-90s to all except a
half-dozen or so systems in our /16.  Out-bound port 25 was early-00
except for a dozen or so systems.  We had probably twenty domains for
mail when we started to phase out departmental mail stores.


Note 2: .edu's are only allowed one .edu domain so we have to use
sub-domains.  We can't do the yahoo.com/yahoo-inc.com.  I also believe
using similar domains just causes more problems for domain protection.


--
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
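
The breakage discussed in this thread, as an added example that is not part of any poster's message: a simplified DMARC check in Python showing why an unmodified forward still passes on DKIM while a mailing list or a rewriting forwarder fails alignment and hits a quarantine or reject policy. The domains, the sample messages and the two-label organizational-domain shortcut are constructed assumptions.

```python
# Added example: simplified DMARC evaluation (identifier alignment, RFC 7489).
# Assumption: organizational domain = last two labels; real evaluators use the
# Public Suffix List. All domains and messages below are constructed samples.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(msg, policy):
    """Return (dmarc_pass, disposition) for one received message."""
    frm = msg["from_domain"]
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from_domain"], frm)
    dkim_ok = any(res == "pass" and aligned(d, frm) for d, res in msg["dkim"])
    passed = spf_ok or dkim_ok
    return passed, ("deliver" if passed or policy == "none" else policy)

SAMPLES = {
    # Sent straight from the domain's own outbound servers.
    "direct": {"from_domain": "example.com", "mail_from_domain": "example.com",
               "spf": "pass", "dkim": [("example.com", "pass")]},
    # Forwarded unmodified: SPF fails at the new hop, the DKIM signature survives.
    "plain_forward": {"from_domain": "example.com",
                      "mail_from_domain": "example.com",
                      "spf": "fail", "dkim": [("example.com", "pass")]},
    # List adds a footer and uses its own bounce address: the author's
    # signature breaks, and the list's SPF/DKIM passes are not aligned.
    "mailing_list": {"from_domain": "example.com",
                     "mail_from_domain": "lists.example.org", "spf": "pass",
                     "dkim": [("example.com", "fail"),
                              ("lists.example.org", "pass")]},
    # Forwarder that rewrites the body: SPF and DKIM both fail.
    "rewriting_forward": {"from_domain": "example.com",
                          "mail_from_domain": "example.com",
                          "spf": "fail", "dkim": [("example.com", "fail")]},
}

def run(policy):
    return {name: dmarc_evaluate(m, policy) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for policy in ("none", "quarantine", "reject"):
        print(policy, run(policy))
```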


