Hi list admins,

We recently made a change to our email settings for wikimedia.org (and other WMF-owned domains) to prevent our domain name from being spoofed.

Some of the listservs on this server were configured to handle this gracefully (a “DMARC mitigation action” of “Replace From: with list address”). However, many listservs didn’t have this set, which was causing emails from wikimedia.org to get bounced from this list. We don’t think that’s what listserv owners really desired, and so we’ve changed the settings for all of our hosted listservs in two ways. Both are under the “DMARC Mitigations” page in List Settings:

- The “DMARC mitigation action” has been set to “Replace From: with list address”.
- “DMARC Mitigate unconditionally” has been set to “yes”.

The first one has the effect of changing the “From:” address - so instead of the list showing a sender’s email as “from” their original email address, it will instead show the listserv’s own email address as the “From:” field. This is really the only option available for our version of mailman, in order to continue processing DMARC-enforced emails.

The second one applies this to all emails sent to the list, regardless of whether or not DMARC was being enforced for that particular message. This will make the behavior consistent for all senders, which should overall make it less confusing and avoid questions about why some emails look different than others.

The technical description of what sparked this change is that we (WMF) have begun enforcing DMARC[1], with a “quarantine” policy. This has the effect of announcing to the internet that anyone who gets an email from wikimedia.org should check to make sure the email really was sent from us, and if it doesn’t validate, then they should send it to spam or otherwise keep it out of the user’s inbox. This makes it much harder to send phishing or scam emails that spoof our domain name, but also means that listserv software like this can’t continue to benevolently spoof the sender’s email anymore.

Many/most large internet platforms and email senders have begun enforcing DMARC since it was introduced. We’re making this change to bring the same level of spoof protection to Wikimedia emails and projects. Our change should avoid disruption to emails, but the effect of the change will be visible to list recipients, who will start seeing a different “From:” address from senders to this listserv.

If you have any questions or concerns, or if anything unexpected occurs, please let us know by contacting my colleague Jesse Hathaway at [email protected].

[1] https://en.wikipedia.org/wiki/DMARC

--
*Eric Mill*
Group Product Manager, Safety and Security
[email protected] | 617-314-0966
_______________________________________________
Listadmins-announce mailing list -- [email protected]
List information: https://lists.wikimedia.org/postorius/lists/listadmins-announce.lists.wikimedia.org/
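
The effect of the two settings described in the message above, as an added Python example that is not part of the original message and is not Mailman's code. The domains `sender.example` and `lists.example.org`, the "via" display-name format, the Reply-To handling, the two-label organizational-domain shortcut and the post-relay authentication results are all assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

LIST_ADDR = "demo@lists.example.org"  # constructed list address

def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_aligned(msg, authenticated_domains):
    """True if any SPF/DKIM-authenticated domain aligns (relaxed) with From:."""
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    return any(org_domain(d) == org_domain(from_dom) for d in authenticated_domains)

def mitigate(msg, sender_policy, unconditional):
    """Approximation of 'Replace From: with list address' (not Mailman's code)."""
    if not (unconditional or sender_policy in ("quarantine", "reject")):
        return msg  # sender's domain does not enforce DMARC: leave From: alone
    name, addr = parseaddr(str(msg["From"]))
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via Demo list", LIST_ADDR))
    msg["Reply-To"] = formataddr((name, addr))  # keep the author reachable
    return msg

def relay(sender_policy, unconditional, action_enabled=True):
    """Send a constructed message through the list; return (aligned, From address)."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@sender.example>"
    msg["To"] = LIST_ADDR
    msg["Subject"] = "[Demo] hello"
    msg.set_content("body\n-- list footer --\n")
    if action_enabled:
        mitigate(msg, sender_policy, unconditional)
    # Assumptions: after redistribution SPF passes only for the list's bounce
    # domain, the author's DKIM signature no longer verifies (subject tag and
    # footer changed the signed content), and the list signs with its own domain.
    authenticated = ["lists.example.org"]
    return dmarc_aligned(msg, authenticated), parseaddr(str(msg["From"]))[1]

if __name__ == "__main__":
    for policy, uncond, enabled in [("quarantine", False, False),
                                    ("quarantine", False, True),
                                    ("none", False, True),
                                    ("none", True, True)]:
        print(policy, uncond, enabled, relay(policy, uncond, enabled))
```

The third and fourth cases show what "Mitigate unconditionally" changes: without it, a sender whose domain publishes no enforcing policy keeps their own From: address, so messages on the same list look different depending on the sender.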
