Package: lists.debian.org
Severity: important

Background on DMARC:
https://wordtothewise.com/2014/04/brief-dmarc-primer/

Official statements from Yahoo and AOL about their DMARC policy changes:
http://yahoo.tumblr.com/post/82426971544/an-update-on-our-dmarc-policy-to-protect-our-users
http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/

Background on damage inflicted on mailing lists by inappropriate uses 
of a DMARC p=reject policy and possible solutions:
http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail


Short summary: a p=reject DMARC policy is not compatible with mailing 
lists (because their messages come from a different source IP and the 
body is usually modified).
Some large freemail domains implemented a p=reject policy to fix 
significant phishing attacks on their customers, but when their users 
send mail to Debian lists the signatures on the messages become invalid 
and they are rejected by the mail servers of the lists' subscribers 
receiving them.
The bounces may cause these innocent receivers to be unsubscribed from 
the lists.


Yahoo and AOL explained in no uncertain terms that they will not revert 
this change.
We have not suffered too much from this so far because few users post to 
our lists from yahoo.com and aol.com domains, but at least one other very 
large freemail provider (used by a significant fraction of Debian list 
subscribers) has privately announced that they plan to switch to 
p=reject as well.


I propose that our priorities should be, in this order:
- prevent damage to third party receivers
- properly support posts from users from p=reject domains


I propose that:
- we immediately start rejecting mails to our lists sent from domains 
  with a p=reject policy to prevent unsubscribing innocent third parties
- we start discussing a long term solution which will allow posts from 
  p=reject domains as well

-- 
ciao,
Marco

Attachment: signature.asc
Description: Digital signature
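The immediate measure proposed in the report is to refuse submissions from p=reject domains so that the relayed copies never bounce at subscribers' servers. The following is an added example of how a list gateway could make that decision; it is not code from the Debian listmasters or from this report. It looks up the DMARC record for the RFC 5322 From domain, falls back to the organizational domain's sp= tag for subdomains as DMARC specifies, and returns a decision. The `FAKE_DNS` zone and the sample message are constructed so the code runs offline; the organizational-domain computation is simplified to the last two labels (a real deployment would use the Public Suffix List) and the resolver function is a placeholder you would replace with a DNS library call.

```python
"""
Decide whether a mailing-list submission comes from a domain whose DMARC
policy (p=reject) would make the relayed copy bounce at subscribers.

FAKE_DNS and the sample message are constructed for this example; swap in a
real resolver (e.g. a dnspython TXT query) for production use.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample zone: DNS name -> list of TXT strings (not live records)
FAKE_DNS = {
    "_dmarc.reject-mail.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject-mail.example"],
    "_dmarc.quarantine-mail.example": ["v=DMARC1; p=quarantine; sp=reject"],
    "_dmarc.none-mail.example": ["v=DMARC1; p=none"],
    "_dmarc.orgonly.example": ["v=DMARC1; p=reject; sp=none"],
}


def fake_resolver(name):
    """Placeholder resolver: return TXT strings for a name from the constructed zone."""
    return FAKE_DNS.get(name.lower(), [])


def parse_dmarc(txt):
    """Parse one TXT string into a tag dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else domain


def dmarc_policy(domain, resolver=fake_resolver):
    """Effective DMARC policy for a From domain: 'reject', 'quarantine', 'none',
    or None when no DMARC record exists at the domain or its organizational domain."""
    for txt in resolver(f"_dmarc.{domain}"):
        tags = parse_dmarc(txt)
        if tags:
            return tags.get("p", "none").lower()
    org = organizational_domain(domain)
    if org != domain:
        for txt in resolver(f"_dmarc.{org}"):
            tags = parse_dmarc(txt)
            if tags:
                # A subdomain without its own record inherits sp= if set, else p=
                return tags.get("sp", tags.get("p", "none")).lower()
    return None


def list_post_decision(raw_message, resolver=fake_resolver):
    """Return ('reject' | 'accept', reason) for an incoming list submission."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ("reject", "no parseable From address")
    domain = addr.rsplit("@", 1)[1].lower()
    policy = dmarc_policy(domain, resolver)
    if policy == "reject":
        return ("reject", f"{domain} publishes DMARC p=reject; relayed copies would bounce at subscribers")
    if policy is None:
        return ("accept", f"{domain} publishes no DMARC record")
    return ("accept", f"{domain} DMARC policy is p={policy}")


# Constructed sample submission
SAMPLE_POST = (
    "From: Some User <user@reject-mail.example>\r\n"
    "To: debian-example@lists.debian.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "hello\r\n"
)

if __name__ == "__main__":
    print(list_post_decision(SAMPLE_POST))
```

The check rejects at submission time, before the list ever relays the message, which is what keeps third-party subscribers from accumulating bounces. The subdomain fallback matters in practice: a user posting from a subdomain of a p=reject organization is still covered unless that organization publishes sp= with a weaker policy.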
