[dmarc-discuss] How does *this* mailing list interact with dmarc?

Murray Kucherawy msk at fb.com
Sat Jun 23 23:11:12 PDT 2012

On 6/23/12 11:07 AM, "Steven Chamberlain" <steven at pyro.eu.org> wrote:

>On 23/06/12 18:24, John Levine wrote:
>> It would lead to an endless game of whack-a-mole, as
>> spammers use and discard throwaway domains they already have.
>That would be costly for them surely?

If I own example.org, I can create arbitrary subdomains under it, and sign
with them, at no cost to me.

>They would also have to keep nameservers operational to serve DKIM keys
>for their spam to verify against, and their IPs would also become known.

A botnet solves the IP problem, and there are plenty of registrars (see
recent news feeds) that are slow, inept, or disinterested in terms of
taking down the domains of bad actors.

>DMARC reports would also identify (and confirm with DKIM) the domain
>used by the phisher/spammer and that provides evidence to assist with
>its takedown.

Indeed, there are some large organizations that do intend to make that
sort of investment once bad actors can be positively identified.

>Whitelist it based on what, how could you check that it genuinely came
>from that listserver?  Oh yeah, its MailFrom address and DKIM and/or
>SPF like I said...

DKIM is one way, yes.  But there's still an alignment problem at the DMARC

The reason DMARC focused on the From: field is because it's the one most
commonly shown to users.  That's a big part of what makes phishing
effective.  Switching to the return path or the Sender field or some other
identifier that users don't see is a cheap way to get a DMARC "pass"
without having to change what the user sees.

>Mailing lists that still don't do these things would result in their
>users receiving DMARC failure reports, they can take it up with
>listmasters, and eventually get us to the position where list mail is
>verifiable, whitelisting them is safe, and DMARC failures can be more
>heavily enforced.

Still, the question remains: Why is trying to ensure list traffic passes
DMARC something that should be in scope?  Do big brands actually get
phished via mailing lists?
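
The alignment point discussed in this message, as an added example that is not part of the original post: a receiver-side check in which a valid DKIM or SPF result counts toward DMARC only when its domain aligns with the From: domain. The suffix set, function names, sample messages and verification results are all constructed for illustration; a real evaluator uses the full Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed subset standing in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)

def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' (relaxed) compares organizational domains, 's' (strict) exact."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_eval(raw_message, auth_results, adkim="r", aspf="r"):
    """auth_results: (mechanism, result, domain) tuples the receiver already
    computed. Returns 'pass' only if a passing mechanism aligns with From:."""
    from_addr = parseaddr(message_from_string(raw_message)["From"])[1]
    from_domain = from_addr.rpartition("@")[2]
    for mech, result, domain in auth_results:
        mode = adkim if mech == "dkim" else aspf
        if result == "pass" and aligned(from_domain, domain, mode):
            return "pass"
    return "fail"

# Constructed cases. Signatures that verify for a throwaway subdomain do not
# align with the From: domain the user is shown.
THROWAWAY = ("From: Example Support <support@example.com>\n\nbody\n",
             [("dkim", "pass", "k3.example.org"),
              ("spf", "pass", "k3.example.org")])
# A list altered the message: the author's signature breaks, the list's own
# signature and return path pass but belong to the list's domain.
VIA_LIST = ("From: Author <author@example.com>\n\n[list] body\n",
            [("dkim", "fail", "example.com"),
             ("dkim", "pass", "lists.example.net"),
             ("spf", "pass", "lists.example.net")])
# Direct mail signed by the parent domain: aligned in relaxed mode only.
DIRECT = ("From: News <news@mail.example.com>\n\nbody\n",
          [("dkim", "pass", "example.com")])

if __name__ == "__main__":
    for name, case in (("throwaway", THROWAWAY), ("via list", VIA_LIST),
                       ("direct", DIRECT)):
        print(name, dmarc_eval(*case))
```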


