On Thu, Jun 4, 2020 at 8:28 AM Ralph Seichter via mailop <mailop@mailop.org> wrote:
> * John Levine via mailop:
>
> > Mailing lists have only been adding subject tags since the 1980s.
>
> I do not wish to delve into whether these tags are useful or not, but
> rewriting subjects or bodies invalidates existing DKIM signatures.
>
> I recommend using separate domains, or subdomains, for regular business
> and for mailing lists, combined with separate DMARC policies, e.g.
> 'quarantine' for example.org and 'none' for mlists.example.org.
>

Why?

For one, I'm not sure what you're recommending, either:
1) Host mailing lists on a separate domain
2) Send mail to mailing lists on a separate domain

If you're recommending #1, sure, there are benefits to that, though it's clearly not strictly necessary. Having a different DMARC policy for the mailing list domain isn't that useful since the mailing list sends very few messages "from" the mailing list (slightly more in the case of 5322.From header rewriting, of course). It's also usually a fairly controlled domain only used for the mailing list software, so making sure the SPF and DKIM are correct is pretty trivial, so the looser DMARC setting doesn't seem to make much sense.

If you're talking about #2, I probably wouldn't recommend that breakdown, but I do know folks who have split domains for the "product" and the employees, i.e. yahoo.com vs yahoo-corp.com, foo.net vs foo.com, etc. We played with that a bit when we were first rolling out DMARC's predecessor, adding a googlers.com domain. Ultimately, we decided that leaving a domain open that can be spoofed defeats the purpose of DMARC.

I mean, it also points to the ultimate problem with DMARC, which is people fall for phishing even from non-exact or even completely wrong domains, so all of this is just about moving the needle and not SOLVING THE PROBLEM ONCE AND FOR ALL, so everything is a continuum and everyone needs to understand and make the right choices for them.

Brandon
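The quoted point that subject or body rewriting invalidates DKIM signatures, as an added example that is not part of the original thread: it applies RFC 6376 "relaxed" canonicalization to a message before and after a list modifies it and compares the inputs a verifier would hash. It assumes Subject is listed in the signature's h= tag, c=relaxed/relaxed, and no l= tag; the sample subject, body and footer are constructed.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: collapse WSP runs, strip trailing WSP,
    drop empty lines at the end of the body, end every line with CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The bh= value for a=rsa-sha256 with relaxed body canonicalization."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2: lowercase the name, unfold, collapse WSP."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def survives(orig_subject, orig_body, new_subject, new_body) -> dict:
    """True per component if the verifier would hash identical input."""
    return {
        "subject": relaxed_header("Subject", orig_subject)
                   == relaxed_header("Subject", new_subject),
        "body": body_hash(orig_body) == body_hash(new_body),
    }

# Constructed sample message and constructed list modifications.
SUBJECT = "DMARC and list traffic"
BODY = b"Hello list,\r\n\r\nquick question about   alignment. \r\n"
FOOTER = b"_______\r\nlist mailing list\r\nlist@lists.example.org\r\n"

if __name__ == "__main__":
    # Whitespace-only changes in transit are absorbed by "relaxed".
    print(survives(SUBJECT, BODY, SUBJECT, BODY.replace(b"   ", b" ") + b"\r\n"))
    # A subject tag and an appended footer are not.
    print(survives(SUBJECT, BODY, "[list] " + SUBJECT, BODY + FOOTER))
```
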