On 4/9/2018 8:50 PM, Philip Paeps wrote:
> On 2018-04-09 11:09:37 (-0500), Jesse Thompson wrote:
>> The amount of DMARC data for a large decentralized university is
>> daunting, so my approach is to compartmentalize issues that can be
>> addressed.
>
> Thank you for collecting and analysing this data!
> Even on a much smaller scale than yours, DMARC is at least "daunting".
> Write-ups of real-world experiences on non-trivial setups are very helpful.
>
>> Looking at the data for the second-level domain, I see 322 obvious
>> forwarding/list services that break DKIM signatures. There are
>> tens of thousands of servers sending indirect mail flow, but it's
>> mostly mailbox hosters autoforwarding mail for users (with, I'm sure,
>> a lot of distribution lists mixed into that flow) but I will focus on
>> that problem later.
>
> When you say "obvious": do you have a rough idea of how many of these
> 322 are 'managed' mailing lists (e.g. mailman or similar) and how many
> are dumb forwarders like alias expansions?

I'm relying on Dmarcian's analysis into our DMARC data to ballpark the
322 vs long tail. There might be dumb forwarders mixed into the 322,
and there might be mailing lists mixed into the long tail.

>> So, of the 322 obvious list services, how many of them do I need to
>> reach out to, to convince them to upgrade their lists to rewrite in a
>> DMARC-compliant fashion? I was hoping that there was a way to trigger
>> a subset of that 322 so that:
>> 1) I know how many of them are "dormant" DMARC compatible. Check them
>> off the list and move on to the problematic list servers.
>
> If you can identify lists managed by mailman, you could try to poke
> their web frontends to check the version. You'll still need to convince
> the people running them to do the DMARC munging though.

That's not in the DMARC data, so yeah, we will have to do some research
into each one like you suggest.

> Several mailing lists will also simply reject mail from DMARC domains.
> There is probably nothing you can do about that.
>
>> I'm looking for ways to start tackling these issues, get the attention
>> of a hundred thousand people to convince them to stop squatting on the
>> second-level domain, all without knowingly triggering their mail to be
>> treated as spam.
>
> I am very interested in seeing how this works out. Do share your
> experiences with this list!

Thanks for your voice of support!
Jesse
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
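
An added example (not from the thread, and not Dmarcian's method): a rough first-pass split of DMARC aggregate-report rows into list-like sources and DKIM-intact forwarders, the distinction asked about in the thread. `example.edu`, the bucket names and the heuristic itself are assumptions, and the sample records are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

OUR_DOMAIN = "example.edu"  # assumption: stands in for the second-level domain

# Constructed records in the RFC 7489 aggregate-report layout (not real data).
def _rec(ip, n, dkim_dom, dkim_res, spf_dom, spf_res):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{n}</count></row>"
            f"<identifiers><header_from>{OUR_DOMAIN}</header_from></identifiers>"
            f"<auth_results><dkim><domain>{dkim_dom}</domain><result>{dkim_res}</result></dkim>"
            f"<spf><domain>{spf_dom}</domain><result>{spf_res}</result></spf>"
            f"</auth_results></record>")

SAMPLE = "<feedback>" + "".join([
    _rec("192.0.2.10", 40, "example.edu", "fail", "lists.example.org", "pass"),
    _rec("192.0.2.20", 7, "example.edu", "pass", "example.edu", "fail"),
    _rec("198.51.100.5", 100, "example.edu", "pass", "example.edu", "pass"),
    _rec("203.0.113.9", 3, "example.edu", "fail", "example.edu", "fail"),
]) + "</feedback>"

def aligned(domain):
    """Relaxed alignment: OUR_DOMAIN itself or any subdomain of it."""
    return bool(domain) and (domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN))

def classify(record):
    """Heuristic bucket for one <record>; a starting point for manual review."""
    dkim_ok = any(aligned(d.findtext("domain")) and d.findtext("result") == "pass"
                  for d in record.iterfind("auth_results/dkim"))
    spf_dom = record.findtext("auth_results/spf/domain")
    spf_ok = aligned(spf_dom) and record.findtext("auth_results/spf/result") == "pass"
    if spf_ok:
        return "direct"
    if dkim_ok:
        return "dkim_intact"      # e.g. alias forwarding: DMARC still passes on DKIM
    if spf_dom and not aligned(spf_dom):
        return "list_like"        # envelope sender rewritten and signature broken
    return "unauthenticated"      # broken forward or spoofing; needs a closer look

def summarize(xml_text):
    """Return {bucket: {source_ip: message_count}} for mail claiming OUR_DOMAIN."""
    buckets = defaultdict(lambda: defaultdict(int))
    for rec in ET.fromstring(xml_text).iterfind("record"):
        if not aligned(rec.findtext("identifiers/header_from")):
            continue
        ip = rec.findtext("row/source_ip")
        buckets[classify(rec)][ip] += int(rec.findtext("row/count"))
    return {b: dict(ips) for b, ips in buckets.items()}

if __name__ == "__main__":
    for bucket, ips in summarize(SAMPLE).items():
        print(bucket, len(ips), "sources,", sum(ips.values()), "messages")
```

The `list_like` bucket is the candidate set for outreach; whether a given source is mailman or something else is not in the report and still needs per-source research.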