On Thu, Jun 4, 2020 at 4:16 PM Ralph Seichter via mailop <mailop@mailop.org>
wrote:

> * Brandon Long:
>
> >> I recommend using separate domains, or subdomains, for regular
> >> business and for mailing lists [...]
> >
> > Why?
>
> Because something is definitely wrong if an email from ra...@mycorp.com
> (an address only used for business) fails SPF or DKIM checks, and I'd
> like to know about that.
>
> Mail from ra...@ml.mycorp.com however, an address only used for mailing
> lists but not for business, can fail these checks due to sub-optimal ML
> software setups or other reasons, and it does not worry me much.
>
> > For one, I'm not sure what you're recommending, either:
> > 1) Host mailing lists on a separate domain
> > 2) Send mail to mailing lists on a separate domain
>
> Both, actually. I host mailing lists as well, and continuing the example
> above, they use the domain lists.mycorp.com.
>
> > We played with that a bit when we were first rolling out DMARC
> > predecessor, adding a googlers.com domain. Ultimately, we decided
> > that leaving a domain open that can be spoofed defeats the purpose of
> > DMARC.
>
> I cannot speak for others, but a sender address like al...@google.com or
> b...@microsoft.com does not normally signal "the author is more competent
> or important than others" to me. This particular mailing list may be an
> exception, but generally speaking, I don't usually care who somebody
> works for, as long as his/her ML contributions are solid. That's why, in
> the ML context, I don't see spoofing as much of a threat and am content
> with using a (sub)domain with a "p=none" DMARC policy.
>

The problem isn't internal folks posting to mailing lists, the problem is
that anyone can use the unprotected domain to spoof messages to anyone else.

If we leave googlers.com open, then phishers are going to use it to send
messages looking like "accou...@googlers.com" or "secur...@googlers.com" and
do what they do best.  "secur...@lists.google.com" is the same thing.

> > everything is a continuum and everyone needs to understand and make
> > the right choices for them.
>
> DMARC and its underlying mechanisms indeed have shortcomings, and my
> recommendation helps to circumvent these. There are mailing lists like
> postfix-users which wisely don't break DKIM sigs, and there are others
> that consider subject prefixes and body footers more important. For me,
> using separate (sub)domains is a working solution, and a cheap one at
> that. Right now I use a private domain, because I am speaking only for
> myself, but if I need to subscribe to a ML where I represent my company,
> a subdomain will do for me.
>

People spoofing your personal domain aren't likely to be trying to reap
millions of US dollars from your customers.

Which maybe means only that we're in violent agreement, different domains
are going to have different issues and make different decisions.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
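The exchange above turns on what a receiving MTA actually does with an unaligned message from a list (sub)domain published with "p=none" versus one covered by the organizational domain's policy. The following is an added example, not code from the thread: a receiver-side DMARC policy discovery over a constructed DNS table (the `_dmarc` records and the `ORG_DOMAINS` stand-in for the public suffix list are assumptions for the demo), following the RFC 7489 rule that `p=` covers the domain itself and `sp=` (defaulting to `p=`) covers its subdomains.

```python
"""Receiver-side DMARC policy discovery for the domains discussed in the thread.

Added example, not from the original post. DNS_TXT and ORG_DOMAINS are
constructed stand-ins; a real receiver queries DNS and the public suffix list.
"""

# Constructed _dmarc TXT records: mycorp.com protects business mail with
# p=reject while its list subdomain publishes p=none; googlers.com has none.
DNS_TXT = {
    "_dmarc.mycorp.com": "v=DMARC1; p=reject; rua=mailto:dmarc@mycorp.com",
    "_dmarc.ml.mycorp.com": "v=DMARC1; p=none",
    "_dmarc.google.com": "v=DMARC1; p=reject; sp=reject",
}
ORG_DOMAINS = {"mycorp.com", "google.com", "googlers.com"}  # PSL stand-in


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; sp=none' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    # Anything that does not announce itself as DMARC1 is not a DMARC record.
    return tags if tags.get("v") == "dmarc1" else {}


def org_domain(domain):
    """Organizational domain: strip leading labels until we hit the PSL stand-in."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ORG_DOMAINS:
            return candidate
    return None


def effective_policy(from_domain):
    """Disposition a receiver applies to a message that fails DMARC alignment.

    Returns 'none', 'quarantine' or 'reject', or None when no policy is
    published (the 'open' domain Brandon warns about).
    """
    from_domain = from_domain.lower()
    exact = parse_dmarc(DNS_TXT.get(f"_dmarc.{from_domain}", ""))
    if exact:                      # record at the From domain itself: p= applies
        return exact.get("p", "none")
    org = org_domain(from_domain)
    if org is None or org == from_domain:
        return None                # nothing published anywhere for this domain
    org_tags = parse_dmarc(DNS_TXT.get(f"_dmarc.{org}", ""))
    if not org_tags:
        return None
    return org_tags.get("sp", org_tags.get("p", "none"))  # sp= falls back to p=
```

Run against the table, ml.mycorp.com yields "none" (monitoring only, so a forged message from it is delivered), lists.mycorp.com inherits "reject" from the organizational record, and googlers.com yields no policy at all.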