> I have just had a confirmation that a refund I made has been
> issued via eCheque to someone, so I wonder if it was something to do
> with that.
Yes, that is Paypal sending out your confirmation with your return address. That's a perfectly legitimate thing to do, fully conforms to all RFCs and so forth.

The SPF pass on the Paypal bounce address tells recipients that this really was sent by Paypal, and since Paypal have a good reputation, sensible recipients will deliver it. Given that there are a fair number of unrealistically strict dmarc records, a sensible recipient would likely ignore whatever the dmarc said and deliver it anyway, since Paypal doesn't send phishes.

This is a fundamental limitation of what DMARC can do. It doesn't mean that it's broken or evil, it means that it's not a magic anti-spam bullet. It also reminds us that for domains with human users, you will find that you will lose real mail if your DMARC record doesn't say p=none. It remains very useful for the forensics on these domains, of course.

R's,
John

PS: No, it wasn't "forged".

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
