On 10/14/2017 02:07 PM, Stephen J. Turnbull wrote:
For (2) to make sense, the email provider should have a policy that
prohibits use of its mailboxes to post to mailing lists, and it must
not provide "on behalf of" services such as sending photographs or
newspaper articles using your address in From.  This makes sense for
banks and other financial institutions, and use of DMARC "p=reject"
has pretty much eliminated phishing using mail with real bank
addresses in From.

Some drive-by comments:

- IMHO, "on behalf of" services (I like that description) should be sent with a From: address that reflects the service -and- utilize a Reply-To: that reflects the email address of the purported sender. (Further, the service's From: address /should/ be legitimate and not bounce. But that's more pedantic.)

- I feel like DMARC is perfectly compatible with mailing lists as long as the mailing list is set up to modify the message as it passes through the list:

1) Change the From: header to reflect the mailing list.
2) Send the message with an SMTP from reflecting the mailing list. (VERP is suggested.)
3) Remove any / all DKIM headers.

- I *STRONGLY* feel that mailing lists / forwarders / etc are email endpoints. Many of them generate new messages with content based on the incoming content. - Thus it is perfectly acceptable to do all of the above /because/ it is a /new/ and /different/ message.

I know that I am not personally sending this message to anyone other than the single address that is the mailman-users mailing list. - The mailman-users mailing list is what is sending the message to all the subscribers, *NOT* me. Both my mail server and the mail list server's MTA logs will corroborate this. - I think pretending that I am /personally/ (thus my MTA is) sending messages to all the subscribers is a farce. Further I believe that said farce is part of (if not the crux of) the perceived problems with SPF / DKIM / DMARC in conjunction with mailing lists.

Think about it this way. If Alice sends a message to Bob, who has his email configured to forward to Charlie who also forwards to Dave, and so on until we reach Mike, I will *STRONGLY* argue that I never sent a message to Mike if asked.

Sure, /someone's/ server sent a message to Mike, possibly claiming to be from me. But it was *NOT* /from/ me or my server. Thus, the message is bogus and /should/ be treated as such.

- I recently compared forwarders / mailing lists to be like phone messages. The person taking the phone message does not pretend to be the caller when passing the message along. Instead the message taker typically says something to the effect of "$SoandSo called and left a message for you." The phone message is a /new/ message based on the contents of the original call, *NOT* a (replay) of the original call.



--
Grant. . . .
unix || die
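
The three list-side steps from the message above, as an added example that is not part of the original post and not Mailman's own code. The list address, the sample message, the "via demo-list" display name and the bounces+user=domain VERP shape are assumptions, and carrying the author in Reply-To borrows the post's suggestion for "on behalf of" services.

```python
from email import message_from_string
from email.utils import parseaddr, formataddr

# Constructed values for illustration; none of them come from the original post.
LIST_ADDR = "demo-list@lists.example.org"
SAMPLE = """\
From: Alice Example <alice@bank.example>
To: demo-list@lists.example.org
Subject: DMARC and lists
DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel1;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
Message-ID: <1@bank.example>

Hello list.
"""


def verp_sender(list_addr, recipient):
    """Envelope sender that encodes the recipient, so a bounce names the subscriber."""
    local, domain = list_addr.split("@", 1)
    rlocal, rdomain = recipient.rsplit("@", 1)
    return f"{local}-bounces+{rlocal}={rdomain}@{domain}"


def relist(raw, list_addr, recipient):
    """Return (envelope_from, message) for one subscriber, following steps 1-3."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    # Step 1: From: reflects the list, so DMARC is evaluated against the list's domain.
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via demo-list", list_addr))
    # Assumption: keep the author reachable through Reply-To unless one is already set.
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    # Step 3: remove every DKIM-Signature header; del drops all occurrences.
    del msg["DKIM-Signature"]
    # Step 2: the SMTP envelope sender (MAIL FROM) belongs to the list, VERP-encoded.
    return verp_sender(list_addr, recipient), msg


if __name__ == "__main__":
    envelope, out = relist(SAMPLE, LIST_ADDR, "bob@example.net")
    print("MAIL FROM:", envelope)
    print(out.as_string())
```

The list's MTA would then apply its own DKIM signature for the list domain to the outgoing copy, which this sketch leaves out.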

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users