[dmarc-discuss] Discussion mailing lists - a reality check

Jim Popovitch jimpop at gmail.com
Sat Jun 23 19:16:26 PDT 2012


On Sat, Jun 23, 2012 at 9:21 PM, John R Levine <johnl at taugh.com> wrote:
> How many people here actually run discussion list servers?  I run one with
> about a hundred lists.  I know Dave Crocker has one at mipassoc.org. Does
> anyone else?

I run some. You and Dave are both subscribers of one of the lists.

> I know from direct experience that discussion lists don't have delivery
> problems.

Ha!  (another good laugh!)  Seriously, every discussion list has had
some history of problems.  There are *always* delivery problems....
lack of DKIM, lack of SPF, lack of unsub headers, lack of
participation in a FBL, lack of visiting live.com/hotmail.com and
registering your IPs, etc.   Sure, today we might know everything that
needs to be dotted and crossed to deliver email... but tomorrow?  The
next guy/gal that comes along has to learn it all from scratch, rinse,
repeat.  It's *never* easy.

> They do not need DMARC's help.  The worst thing that happens is
> that one gets spammed from a subscriber's phished account (something DMARC
> can't fix), there's a flurry of complaints, and that's it.

I think you are forgetting Reputation.  It doesn't take a phished
account.  All it takes is legitimate emails, from a legitimate
company (with a not well thought-out DMARC record) to be sent through
a mailinglist.  Everyone who checks DMARC then sees the list as
sending From: the company... and bam... there begins the reputation
hit (one of many "flurry of complaints") against the mailinglist /
.forward'ing institution.  Sure, there might be some leeway and
forgiveness today... but who will provide the leeway and forgiveness
tomorrow when the next ISP postmaster team is sacked and all the
familiar faces have changed?

Don't forget, DMARC (less than 6 months ago) was heavily marketed as
the end-all-be-all to phishing (some reports even said SPAM!) emails.
I'm sure there are some CEO subscribers ready to mandate DMARC and
lay off 1/2 their inbound policy teams...   DMARC oversold itself,
intentionally or not.  You can bet there are plenty of businesses and
governmental offices that will throw up DMARC records asap without
knowing a thing about only doing it for a specific set of
transactional emails (btw, recall that mailinglists themselves do
have some transactional emails, i.e. password reminders, subscription
verification).   If you are really serious about limiting DMARC
rollout, put it up in big red letters on dmarc.org, otherwise don't
get in the way of people who are identifying problems and discussing
solutions.

The cat's out of the bag and I suspect a lot of participants here are
seriously interested in knowing how DMARC can hurt their IPs'
reputation.

-Jim P.
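
Added example, not part of the original post: a minimal DMARC alignment check showing why a message that passes when sent directly by a company fails once a mailing list relays it with From: unchanged. All domains are constructed placeholders; the two-label organizational-domain shortcut and the assumption that the list's footer invalidates the author's DKIM signature are simplifications made for this example.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Simplification for this example: the last two labels stand in for the
    # organizational domain; a real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Received:
    header_from: str   # domain in the From: header the reader sees
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF checked
    spf_pass: bool
    dkim: list = field(default_factory=list)  # (d= domain, verified?) per signature

def dmarc_disposition(msg, policy, strict=False):
    """Return 'pass', or 'fail:<p>' naming the From: domain's requested policy."""
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.header_from, strict)
    dkim_ok = any(ok and aligned(d, msg.header_from, strict) for d, ok in msg.dkim)
    # DMARC needs only one mechanism to both pass and align with From:.
    return "pass" if (spf_ok or dkim_ok) else "fail:" + policy

# Constructed sample data: every domain here is a placeholder.
DIRECT = Received("company.example", "bounce.company.example", True,
                  [("company.example", True)])
# Same message after a list relayed it: the list uses its own envelope sender
# (SPF passes, but for the list's domain), its footer invalidated the company's
# signature, and the list's own valid signature is not aligned with From:.
VIA_LIST = Received("company.example", "lists.example.org", True,
                    [("company.example", False), ("lists.example.org", True)])

if __name__ == "__main__":
    for name, msg in (("direct", DIRECT), ("via list", VIA_LIST)):
        for policy in ("none", "quarantine", "reject"):
            print(f"{name:9} p={policy:11} -> {dmarc_disposition(msg, policy)}")
```

The list's SPF and DKIM results are both valid in the relayed case; the failure comes only from neither being aligned with the From: domain, which is why the receiver attributes the failing mail to the list's sending IPs.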


