On 07/11/2019 01:03, Richard James Salts wrote:
On Thursday, 7 November 2019 4:23:20 AM AEDT Dominic Raferd wrote:
...
The main problem with DMARC is that some mailing lists (not this one,
I believe) mess it up, so I would suggest not to use it with
p=quarantine or p=reject on any domain where users are likely to post
to mailing lists. One such is (or was) the opendmarc mailing list -
something of an own goal.
Although Wietse has taken steps to minimize the impact of the mailing list on
DKIM signatures it will depend on the headers that were signed in the original
message, and this is the best you can expect from a mailing list as most will
alter the subject or add a footer to the message body. Many other lists have
taken the decision to work around the damage of poorly considered DMARC
policies by rewriting the From header and putting the original author's
address in Reply-to (which isn't without its downsides given there were
existing practices about Reply-to and mailing lists). I would highly recommend
stopping at quarantine for DMARC policy if your domain is anything other than
a source of transactional emails (e.g. password resets, promotional offers,
etc). Once real humans have mailboxes on the domain and use the corresponding
email address in their outgoing mail you're going to have some collateral
damage from p=reject.

I have to disagree with the last two sentences. In the real world almost no-one uses mailing lists - we are a self-selected group. For smaller domains (unless mailing list use is likely) I think the risks of DMARC p=reject (once properly tested) are minimal and the advantages (in reducing the risk of impersonation) significant. We have used it for several years without adverse effects, and I know (from DMARC reporting) that fake emails to third party servers are being blocked as a result.

It's perhaps worth mentioning that irrespective of DKIM/DMARC you can apply aggressive policies on your own server towards emails coming in from the wild but from your own domain(s). Test the 'From' header using header_checks and/or milter and/or content_filter. This should include testing the text part of the From header to stop this type of thing:

  From: [email protected] <[email protected]>
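As an added illustration of the From-header check described above (not code from this thread or from Postfix): it models the verdict a PCRE header_checks rule or milter would return, testing both the addr-spec and the display-name text of From for the operator's own domain, and skipping the check for mail that came in authenticated from the domain's own users. `example.org` stands in for the protected domain and the sample headers are constructed; on a real Postfix the equivalent table would be attached to the port-25 smtpd and switched off on submission with `receive_override_options = no_header_body_checks`.

```python
import re

# Constructed placeholder: the operator's own domain(s). Subdomains
# (e.g. mail.example.org) are treated as protected as well.
PROTECTED_DOMAINS = {"example.org"}

# "Display Name <addr-spec>": the rightmost angle-addr is the real address,
# everything before it is what most MUAs show the recipient.
_ANGLE_RE = re.compile(r"^(?P<display>.*?)\s*<(?P<addr>[^<>]*)>\s*$", re.S)
# Anything shaped like user@domain inside free text (the display name).
_ADDR_LIKE_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")


def _is_protected(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == p or d.endswith("." + p) for p in PROTECTED_DOMAINS)


def split_from(value: str):
    """Split a From: header value into (display name, addr-spec)."""
    m = _ANGLE_RE.match(value.strip())
    if m:
        return m.group("display").strip().strip('"'), m.group("addr").strip()
    return "", value.strip()  # bare addr-spec, no display name


def check_from(from_value: str, authenticated: bool = False) -> str:
    """Return 'OK' or a REJECT verdict, mirroring a header_checks action.

    authenticated=True models mail accepted on the submission service from
    our own users; that traffic must not be subjected to this check.
    """
    if authenticated:
        return "OK"
    display, addr = split_from(from_value)
    addr_domain = addr.rpartition("@")[2]
    if addr_domain and _is_protected(addr_domain):
        return "REJECT our domain in From address from an outside host"
    for dom in _ADDR_LIKE_RE.findall(display):  # the display-name trick
        if _is_protected(dom):
            return "REJECT our address in From display name"
    return "OK"


if __name__ == "__main__":
    # Constructed sample headers; the last one is the pattern shown above.
    for hdr in ("Bob <bob@other.test>",
                "Alice <alice@example.org>",
                "alice@example.org <attacker@other.test>"):
        print(f"{hdr!r:45} -> {check_from(hdr)}")
```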
