[dmarc-discuss] How does *this* mailing list interact with dmarc?

Steven Chamberlain steven at pyro.eu.org
Fri Jun 22 13:28:48 PDT 2012


On 22/06/12 21:02, John Levine wrote:
> Surely you're kidding.  That would make DMARC totally useless, since
> crooks could trivially bypass it by using throwaway bounce address
> domains with SPF that always validates.

Being forced to publish a p=none policy because you have real users on
your domain would already 'make it useless' in that sense, for many.

I thought that if the sender could be given individual controls to relax
the DKIM and/or the SPF alignment requirement, they may be able to still
use p=reject, that being some kind of improvement over p=none.

Having to tie the forgery to a domain which must also validate the mail
with SPF (I suppose too easy?) or DKIM (wouldn't this be difficult?), is
an extra hurdle to the forger and gives an extra data point for other
scanning heuristics and in reports.


> For the umpteenth time, we already know how to handle mailing list
> mail, recognize the lists and whitelist them.  This isn't a problem
> that needs to be solved.

That would seem viable if everyone who might enforce DMARC validation of
incoming mail could be expected to recognise and whitelist every mailing
list...

And surely you'd want to be able to validate the list's RFC5321.MailFrom
if doing whitelisting, so having this mechanism as part of DMARC and in
its reporting would be helpful.


As it stands I think many sending domains would have to weaken their
policy to p=none, and/or all receiving domains have to weaken their
DMARC verification (whereby it affects everyone else), so I think it
does need to be solved.

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org
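
The alignment check this thread is arguing about, as an added example that is not part of the original post. It evaluates three constructed messages against a p=reject policy; all domain names and messages are made up, and the organizational domain is approximated as the last two labels (an assumption; real receivers use a public suffix list).

```python
# Added illustration: DMARC identifier alignment as a receiver evaluates it.
# Assumption: organizational domain = last two labels (real code uses the
# Public Suffix List). All domains and messages below are constructed.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(msg, policy):
    """Return (disposition, spf_aligned, dkim_aligned) for one message."""
    hdr_from = msg["from_domain"]  # RFC5322.From domain
    # An SPF pass only counts if the RFC5321.MailFrom domain aligns with From.
    spf_ok = msg["spf_pass"] and aligned(
        hdr_from, msg["mailfrom_domain"], policy.get("aspf", "r"))
    # A DKIM signature only counts if it verifies and its d= aligns with From.
    dkim_ok = any(sig["valid"] and aligned(hdr_from, sig["d"], policy.get("adkim", "r"))
                  for sig in msg["dkim"])
    if spf_ok or dkim_ok:
        return ("pass", spf_ok, dkim_ok)
    return (policy["p"], spf_ok, dkim_ok)

POLICY = {"p": "reject", "aspf": "r", "adkim": "r"}  # published by example.com

# Sent directly by example.com: aligned SPF and aligned DKIM.
DIRECT = {"from_domain": "example.com", "mailfrom_domain": "bounce.example.com",
          "spf_pass": True, "dkim": [{"d": "example.com", "valid": True}]}
# Relayed by a list: envelope sender rewritten to the list's domain, and a
# footer was added, so the author's DKIM signature no longer verifies.
VIA_LIST = {"from_domain": "example.com", "mailfrom_domain": "lists.example.org",
            "spf_pass": True, "dkim": [{"d": "example.com", "valid": False}]}
# Forged From with a throwaway bounce domain whose SPF and DKIM both validate.
FORGED = {"from_domain": "example.com", "mailfrom_domain": "throwaway.example.net",
          "spf_pass": True, "dkim": [{"d": "throwaway.example.net", "valid": True}]}

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("via list", VIA_LIST), ("forged", FORGED)):
        print(f"{name:9s}", dmarc_result(msg, POLICY))
```

The list-relayed message and the forged one get the same result, so DMARC alone cannot tell them apart.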

