Dmitri Maziuk writes:
> On 3/12/24 11:40, Julian H. Stacey wrote:
>
> > I'm interested what independent mailman-users@ think on technical
> > issues of DKIM/SPF,

Disclaimer: I'm not an independent user. I am a Mailman developer, a participant in the development of some of the most recent authentication protocols, and a paid or pro bono consultant on Mailman to three organizations without which the Internet as we know it would not exist (in some exaggerated sense, but it's true ;-).

> It's only stopping the small mom-and-pop spammers.

DKIM and SPF are not about stopping spam. They can't be, all they are is authentication of sending hosts. Most sending hosts are multiuser, so stopping spam has to be done by filtering by recipients. What these protocols do is provide a way to enable trusted senders to reliably get their mail through. As we see from the OP in this thread, that's aspirational, you can do everything according to the stated rules and still get blacklisted, but that's what conforming to protocols can do in theory (and often in practice). And in fact the default is to trust (at least to the extent that the recipient reads your mail to decide based on content whether it's spam instead of slamming the door on MAIL FROM).

> And mailman users.

Wrong. It's *enabling* Mailman users. If you're using email to communicate with people who would NOT be using email if it weren't for Minitel, AOL, Gmail, and Outlook365[1], grow up: you have to take the bad with the good. As long as there are legitimate mom-and-pop shops that don't participate in authentication protocols, the spammers can infiltrate those mail flows because those legit sources are indistinguishable from spammers "warming an IP", as big "ethical spammers" like SalesForce call it. If you're not participating in these protocols, you're helping to enable spam.[2]

I'm not saying there aren't (more or less) legitimate reasons for not participating, at least locally. For example, the host that I use to communicate with students doesn't. I did use the university outgoing gateway at first, but I had to go to direct mail because they kept marking my terse homework submission acknowledgement emails as spam; I think it was mistaking the submission's Message-ID and other non-verbal data for URLs and profiling codes. Of course if you go up a level that's on the university (for one thing, they refused to add SPF and DKIM records for my subdomain).[3]

But most of the time we can do it without great cost. Sure, it's an annoyance, and it's tricky to get set up correctly. But once you have your SPF, DKIM, and DMARC records set up, and your certificates lined up, there's very little maintenance. The university won't give me a certificate for my website for some reason, but so what, LetsEncrypt will, and I don't need a cert that's trusted by people who don't know me. (I used self-signed for a while but LetsEncrypt is even easier.)

Right now I'm doing a 2->3 migration for a medium-size organization that's leaving a coloc host for the cloud, and so they have to give up their IPs. Guess what? SPF and DKIM mean their reputation is going to be quite portable to the new IPs. Of course reputation at that level is really only meaningful for recipients at -- you won't believe this -- those big "oppressive" providers like Google and Microsoft who can afford massive ML systems to maintain site profiles. That's not a benefit you get every day, but in this situation it's big.

I get the feeling that "I'm not a spammer, why do I have to pay this cost?" too. But that's part of being an adult -- you sometimes have to clean up others' messes. The SPF-DKIM-DMARC-ARC dance is just not a very high cost to pay for the vast majority of us, and it's not even all that expensive to buy in the market (but I'm gonna be damned if I don't do my own and you probably feel that way too :-). And it's not just Google and Microsoft that benefit. We do too.

If you want to complain about the big freemail and corporate providers, there are *plenty* of valid complaints. Complete lack of transparency, unresponsive service, failure to follow published rules, imposing high error rates on non-customers and then blaming lost mail on the sender, etc, etc. But asking us to do the minimum to authenticate if we want them to extend trust when our content triggers a false positive isn't one of them.[4]

Steve

Footnotes:

[1] And you are -- the complaint was that Google forces you, but that's wrong -- the Gmail users on your lists are the assholes for using Gmail, OK?

[2] And at scale: at one point in early 2014 Yahoo was receiving sustained flows of spam over 1 million per minute, according to a Yahoo admin I personally trust because she gave me a kitten once. :-) She reported that that campaign didn't even try once Yahoo put a p=reject DMARC policy in place.

[3] I do have some sympathy for the postmasters because "it's always September on the Internet."

[4] And that's why my sympathy gets exhausted quickly. "The call is coming from inside the house", I am not anonymous to the university.

------------------------------------------------------
Mailman-Users mailing list -- mailman-users@python.org
To unsubscribe send an email to mailman-users-le...@python.org
https://mail.python.org/mailman3/lists/mailman-users.python.org/
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: https://www.mail-archive.com/mailman-users@python.org/
https://mail.python.org/archives/list/mailman-users@python.org/
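The post says the records are "tricky to get set up correctly" and points to a p=reject DMARC policy as the setting that made a difference; as an added example (not from the thread or from Mailman), this offline checker flags the common misconfigurations in a domain's SPF and DMARC TXT records. The sample records are constructed for an imaginary domain, not real DNS data; in practice you would fetch the TXT records for the domain and for `_dmarc.<domain>` yourself.

```python
# Added example (not from the thread): offline sanity check of the SPF and
# DMARC TXT records a sending host publishes. The sample records are
# constructed for an imaginary domain, not real DNS data.
import re

SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
WEAK_DMARC = "v=DMARC1; p=none"   # monitoring only, and no report address

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
_SPF_LOOKUP = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _mech_name(term):
    """'include:x' -> 'include', '-all' -> 'all', 'redirect=x' -> 'redirect'."""
    m = re.match(r"[+\-~?]?([a-z0-9]+)", term.lower())
    return m.group(1) if m else ""

def audit_spf(record):
    """Return a list of findings for one SPF record (empty means it looks sane)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    findings = []
    lookups = sum(_mech_name(t) in _SPF_LOOKUP for t in terms[1:])
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host; use -all or ~all")
    elif _mech_name(last) not in ("all", "redirect"):
        findings.append("SPF: no terminal 'all'; unlisted senders only get 'neutral'")
    return findings

def audit_dmarc(record):
    """Return a list of findings for one DMARC record (empty means it looks sane)."""
    if not record.lstrip().startswith("v=DMARC1"):
        return ["DMARC: record must start with v=DMARC1"]
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= is required and must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; receivers take no action on failures")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings

def audit(spf, dmarc):
    """All findings for a domain's SPF and DMARC records."""
    return audit_spf(spf) + audit_dmarc(dmarc)
```

`audit(SAMPLE_SPF, SAMPLE_DMARC)` returns an empty list, while `audit(SAMPLE_SPF, WEAK_DMARC)` reports both the monitoring-only policy and the missing report address.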