[dmarc-discuss] FYA: Class action administrators send out millions of emails that violate DMARC and are rejected

Jonathan Kamens jik at kamens.us
Sat Aug 3 04:31:54 PDT 2019

I thought y'all might find this amusing.

The class action administrators of the lawsuit against Experian for the 
breach of 15 million T-Mobile customers' data revealed in 2015 just sent 
out emails to the millions of class members notifying them about how to 
collect their benefits under the lawsuit settlement.

The domain the emails came from has a p=reject pct=100 DMARC policy, and 
the emails failed DMARC checks, since neither SPF nor DKIM was aligned: 
the From: line of the emails said "@classact.com", while both the DKIM 
signature and envelope sender domain said "bluehornet.com".

This means that most of the victims sent these emails will never see them.

It gets better. When I attempted to email the lawyers from the lawsuit 
to notify them about the problem and ask them to fix it, my email was 
bounced for two of the recipients, because the email list for the 
lawyers is hosted on outlook.com and it modified my message and broke 
the DKIM signature before forwarding it on to those two recipients.


You can read more details on my blog 
if you're curious.
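
The two failures described in this message, worked through as an added example that is not part of the original post: a relaxed/strict DMARC alignment check applied to the domains named above. The function names, the sender.example domain, the assumed SPF/DKIM verdicts, the reject policy for the forwarded case and the two-label organizational-domain shortcut are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

def org_domain(domain):
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    # Right for the .com names below, wrong for suffixes such as .co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    # Strict mode needs an exact match; relaxed compares organizational domains.
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    spf_pass: bool                 # SPF verdict for the envelope sender
    spf_domain: str                # envelope sender (MAIL FROM) domain
    dkim: list = field(default_factory=list)   # [(signature_valid, d= domain)]

def dmarc_evaluate(from_domain, auth, policy, aspf="r", adkim="r"):
    # DMARC passes if SPF or DKIM both passes and aligns with the From: domain.
    # pct=100 is assumed, so the policy applies to every failing message.
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, aspf == "s")
    dkim_ok = any(ok and aligned(from_domain, d, adkim == "s") for ok, d in auth.dkim)
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "result": "pass" if passed else "fail",
            "disposition": "deliver" if passed else policy}

# Constructed inputs. The post gives only the domains; the pass verdicts are assumed.
NOTICE = AuthResults(True, "bluehornet.com", [(True, "bluehornet.com")])
# Same sender after adding a second signature with d=classact.com (hypothetical fix).
NOTICE_FIXED = AuthResults(True, "bluehornet.com",
                           [(True, "bluehornet.com"), (True, "classact.com")])
# Forwarded mail (constructed): SPF assumed to fail at the next hop, and the
# modified message no longer verifies against its DKIM signature.
FORWARDED = AuthResults(False, "sender.example", [(False, "sender.example")])

if __name__ == "__main__":
    for name, frm, auth in [("notice", "classact.com", NOTICE),
                            ("notice, fixed", "classact.com", NOTICE_FIXED),
                            ("forwarded", "sender.example", FORWARDED)]:
        print(name, dmarc_evaluate(frm, auth, policy="reject"))
```

SPF and DKIM can both pass for the sending service's own domain and the message still fails DMARC, because only identifiers aligned with the From: domain count.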

