Barry Warsaw writes:

> On May 06, 2014, at 02:15 PM, Stephen J. Turnbull wrote:
>
> >No, the point is that a phishing mail with
> >
> >    From: Chase Bank Customer Service <serv...@chase.com.invalid>
> >
> >will sail right past DMARC, as currently set up.
>
> So too will serv...@chase.com.ru without Mailman ever getting
> involved, and I bet that will be just as effective at phishing as
> .invalid.

Et tu, FLUFL?

The point is that if Mailman provides this, it becomes a "standard" way to get a DMARC p=reject address past DMARC p=reject, and people *may* develop an "it may say .INVALID, but it's OK" reflex.

As I wrote to John Levine on mailman-developers, if operators want to experiment with it, that's one thing. But does *Mailman* want to take part in encouraging that "it's OK *because* it's .INVALID" meme? Do we want to encourage phishers to use something that looks like a Mailman feature, and have the DMARC WG come back with something that involves "anything that looks like my domain"?

The DMARC WG advocates putting list-post in "From" in place of a DMARC p=reject address. I advocate accepting their advice for stock Mailman, and avoiding other non-conforming workarounds until the market demands them.

If it gets noisy, feel free to cave in faster than you did on Reply-To munging.<wink />

Steve
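
The behaviour discussed in this message, as an added example that is not part of the original post or of Mailman: RFC 7489 policy discovery keys on the exact From domain and then on its organizational domain, so a `.invalid` suffix places the address outside the protected domain's record. The DNS table, the tiny suffix list, the `p=reject` record for chase.com, the local part `example` and the `embeds_protected_domain` heuristic are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption: chase.com publishes p=reject).
DMARC_RECORDS = {"_dmarc.chase.com": "v=DMARC1; p=reject"}
# Constructed stand-in for the Public Suffix List; the real list is far larger.
PUBLIC_SUFFIXES = {"com", "ru"}

def from_domain(header_value):
    """Domain part of the RFC5322.From address, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower().rstrip(".")

def organizational_domain(domain):
    """Longest known public suffix plus one label; an unknown TLD counts as a suffix."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def applicable_policy(header_value):
    """Policy discovery: query the From domain, then its organizational domain."""
    domain = from_domain(header_value)
    for candidate in dict.fromkeys([domain, organizational_domain(domain)]):
        record = DMARC_RECORDS.get("_dmarc." + candidate)
        if record:
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return candidate, tags.get("p")
    return None, None  # no record found: DMARC places no constraint on this From

def embeds_protected_domain(header_value, protected=("chase.com",)):
    """Hypothetical receiver-side check: From domain contains a protected
    domain as leading or inner labels without being that domain or a subdomain."""
    domain = from_domain(header_value)
    return any(domain != p and not domain.endswith("." + p)
               and (domain.startswith(p + ".") or "." + p + "." in domain)
               for p in protected)

# Constructed sample headers.
GENUINE = "Chase Bank Customer Service <example@chase.com>"
MUNGED = "Chase Bank Customer Service <example@chase.com.invalid>"

if __name__ == "__main__":
    for header in (GENUINE, MUNGED):
        print(header, applicable_policy(header), embeds_protected_domain(header))
```
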