On Aug 24, 2014, at 5:18 AM, Nicolás via dmarc-discuss <[email protected]> wrote:
> Hi!
>
> I'm new to DMARC, I configured it just a bunch of days ago, and even though I
> think it's a great idea, I'm worried about its limitations over mailing
> lists. I've read the FAQ about this, and I'm not quite clear about what I can
> do to keep DMARC checks from failing.

On lists you don't manage, there is little you can do besides pester the list operator and ask them to make their list DMARC compatible. But:

1. list operators tend to be change resistant
2. there are now patches available for most list software to make them DMARC compatible
3. For unmaintained MLMs, like ezmlm, turning off options like subject prefix and trailers suffices.
4. ezmlm-idx does have patches
5. Some of the MLM patches don't rewrite the sender *unless* they detect a p=reject policy
6. see #1

I'm not going to rehash material from the FAQ but thinking about it from the list operator's perspective, why should *they* have to change *their* list so that your silly little anti-phishing security thingy works? (I don't subscribe to that school of thought, but that's frequently the attitude)

> I'm subscribed to about 10 lists, none of them rewrites the 'MAIL FROM'
> header so the original sender address is being sent (in my case
> [email protected]), which implies that DMARC will be tested against my domain.

Rewriting the MAIL FROM header is not the only means of passing DMARC messages. The simplest solution is for the list to not modify the message at all, so that the DKIM signature is not invalidated. Then no workarounds are necessary. Also, because of #5, the list may have DMARC support that is not visible to you.

> Last night a report arrived with lots of records with SPF/DKIM checks
> failing, which is obvious. For the SPF issue, I guess I could add the IP
> address to the DNS record for most of the mailing lists, however, I'm not
> sure what I can do to keep the DKIM check from failing.
>
> Up until now, my policy is 'none' because I'm just observing and trying to
> completely understand how this works, but now I'm unsure if I want to set it
> to 'quarantine' or 'reject' as these list mails would be placed on Junk mail
> or rejected, respectively, which makes me wonder if DMARC is adequate for
> mailing lists?

DMARC adoption is high among large email providers, making it very effective at stopping phishing. I see periodic outbreaks spoofing my domain. Unlike in the pre-DMARC era, the outbreaks end quickly, which I believe is due to my p=reject policy, making such attempts mostly undeliverable. See https://dmarcian.com/dmarc-impact/

Thanks to Yahoo and AOL publishing p=reject policies, the DMARC mailing list logjam has been broken (see #2-4 above). Very few list operators are unaware of the issue and quite a lot of them have already upgraded their list software. The only way you'll know for sure if the 10 lists in question interoperate well with DMARC is to switch your policy to p=reject and send some messages.

Matt

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
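
The reply above says subject prefixes and trailers invalidate a DKIM signature while unmodified relaying does not. The following is an added example, not part of the original message or of any list software: it applies RFC 6376 "relaxed" canonicalization to constructed sample messages and compares the header and body digests a signature would cover. It assumes a signature with `h=from:subject:date` and does not perform the RSA verification itself.

```python
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization."""
    lines = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # collapse whitespace runs
        lines.append(line.rstrip(b" "))         # ignore trailing whitespace
    while lines and lines[-1] == b"":           # ignore trailing empty lines
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n".encode()

def signed_digests(msg: dict, signed: list) -> tuple:
    """Digests of what a DKIM signature covers: the h= headers and the body."""
    hdrs = b"".join(relaxed_header(h, msg["headers"][h]) for h in signed)
    return (hashlib.sha256(hdrs).hexdigest(),
            hashlib.sha256(relaxed_body(msg["body"])).hexdigest())

def survives(original: dict, relayed: dict, signed: list) -> dict:
    """Which signed parts are unchanged after the list relayed the message."""
    h0, b0 = signed_digests(original, signed)
    h1, b1 = signed_digests(relayed, signed)
    return {"headers": h0 == h1, "body": b0 == b1}

# Constructed sample messages (hypothetical addresses and list name).
SIGNED = ["From", "Subject", "Date"]
HEADERS = {"From": "Author <author@example.org>",
           "Subject": "Question about SPF",
           "Date": "Sun, 24 Aug 2014 05:18:00 -0700"}
BODY = b"Hello list,\r\n\r\nDoes adding the list IP to SPF help?\r\n"
ORIGINAL = {"headers": HEADERS, "body": BODY}
# List relays as-is; only line endings and trailing whitespace differ.
PASSTHROUGH = {"headers": HEADERS, "body": BODY.replace(b"\r\n", b"\n") + b"  \n\n"}
TRAILER_ONLY = {"headers": HEADERS, "body": BODY + b"-- \r\nsomelist mailing list\r\n"}
PREFIX_AND_TRAILER = {"headers": dict(HEADERS, Subject="[somelist] " + HEADERS["Subject"]),
                      "body": TRAILER_ONLY["body"]}

if __name__ == "__main__":
    for name in ("PASSTHROUGH", "TRAILER_ONLY", "PREFIX_AND_TRAILER"):
        print(name, survives(ORIGINAL, globals()[name], SIGNED))
```

A `False` for either part means the original DKIM signature no longer verifies at the receiver, so DMARC then depends on SPF alignment alone.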
