[dmarc-discuss] Discussion mailing lists - a reality check

Jim Popovitch jimpop at gmail.com
Sat Jun 23 22:11:33 PDT 2012


On Sun, Jun 24, 2012 at 12:43 AM, John Levine <johnl at taugh.com> wrote:
>>I think you are forgetting Reputation.  It doesn't take a phished
>>account.  All it takes is  legitimate emails, from a legitimate
>>company (with a not well thought-out DMARC record) to be sent through
>>a mailinglist.  Everyone who checks DMARC then sees the list as
>>sending From: the company... and bam...
>
> If I may repeat myself, why are you assuming that mail system managers
> are both incompetent and deaf?

Because I'm pretty sure that somewhere on the Internet there is a
post, by you, that states some percentage are exactly that.

> If they turn on DMARC and find that they botched it and are getting
> users' complaints about lost real mail

I don't think you understand how it works.  The employee's email is
delivered successfully to the list, not bounced.  The employee's email
is reflected by the list to all the list members.  The list
subscriber's mail admin may then check DMARC and move the original
employee's email into Bulk/Spam/Trash... complaints will go from the
affected list subscribers to the list moderators/admins.   Meanwhile
the incompetent and deaf mail system managers (9 to 5 folks who never
check postmaster@ emails) probably have no rua or ruf setting (who
really wants to be bothered?)... so they never know they did anything
wrong.   Eventually the list subscribers' ISPs start reducing the
reputation of the list host due to the repetitive DMARC violations
appearing from their netblock.

> , do you really think that they need a kludge from us to fix it?

I don't think they care about us.   You obviously haven't spent enough
time with mail administrators outside of DKIM/DMARC/SPF (i.e. major
IETF clued-in circles).

> If the situation is that bad, why  haven't SPF -all and ADSP made mailing lists
> unusable?

SPF isn't bound to RFC5321.From... and the problems revealed by SPF
-all made most folks move to SPF ~  (I'm pretty sure there's an email
out there, by you, that mentions that)

>
>>Don't forget, DMARC (less than 6 months ago) was heavily marketed as
>>the end-all-be-all to phishing (some reports even said SPAM!)
>
> So were SPF, DKIM, HELO rDNS checks, and a long list of other things
> we've all forgotten.  So what?

None of those introduced failures, nor delivery problems, that weren't
apparent to the originator or the originating system.  None of those
introduced reputation and/or delivery problems for 3rd party delivery
agents (mailinglists, forwarders).

-Jim P.
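
Added example, not part of the original post: a simplified DMARC evaluation (relaxed alignment only) for the list-reflection scenario described in the message above, comparing direct delivery with delivery through a list. The domains, the DMARC record, the two-label organizational-domain shortcut, and the list behaviour (envelope sender rewritten, footer added so the original DKIM signature no longer verifies) are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation (relaxed alignment only).
# All domains and the record below are constructed sample values.

def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    # "v=DMARC1; p=reject; rua=mailto:..." -> {"v": "DMARC1", "p": "reject", ...}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate(from_domain, mail_from_domain, spf_pass, dkim_results, record):
    """dkim_results: list of (d= domain, signature verified) tuples."""
    tags = parse_dmarc(record)
    author = org_domain(from_domain)
    spf_aligned = spf_pass and org_domain(mail_from_domain) == author
    dkim_aligned = any(ok and org_domain(d) == author for d, ok in dkim_results)
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
        # Without rua/ruf the domain owner receives no report of the failure.
        "owner_gets_reports": "rua" in tags or "ruf" in tags,
    }

RECORD = "v=DMARC1; p=reject"  # constructed: strict policy, no rua/ruf

def direct_delivery():
    # Employee mails a recipient directly: SPF and DKIM both pass and align.
    return evaluate("company.example", "company.example", True,
                    [("company.example", True)], RECORD)

def via_list():
    # Assumed list behaviour: envelope sender rewritten to the list's bounce
    # address (SPF passes for the list's domain) and a footer added (the
    # company's DKIM signature no longer verifies). From: is unchanged.
    return evaluate("company.example", "lists.example.org", True,
                    [("company.example", False)], RECORD)

if __name__ == "__main__":
    print("direct:  ", direct_delivery())
    print("via list:", via_list())
```
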


