Bob Proulx <[email protected]> writes:

> Mailing lists have one very important need and that is to look for
> DMARC.  A number of sites set "v=DMARC1; p=quarantine;" but notably
> for me the sites that set "v=DMARC1; p=reject; sp=reject;" are the
> problems.
>
>     $ host -t txt _dmarc.yahoo.com
>     _dmarc.yahoo.com descriptive text "v=DMARC1; p=reject; pct=100; rua=mailto:[email protected];";
>
>     $ host -t txt _dmarc.zoho.eu
>     _dmarc.zoho.eu descriptive text "v=DMARC1; p=reject; sp=reject; fo=0; rua=mailto:[email protected]; ruf=mailto:[email protected]";
>
> This means that mail with a From: header of @yahoo.com will be
> rejected by servers unless it is either sent by Yahoo's servers or the
> DKIM signature is verified.  A signed DKIM signature means the headers
> and body have not been modified.

I have never been 100% clear on DMARC.  Do you really mean "or", so that
a message which has a valid DKIM signature but which fails the SPF check
is still acceptable?

> If the sending address site has set a strict DMARC configuration then
> you basically have two options.  One is to modify the headers and
> forward it through the mailing list.  Or two it can be discarded or
> rejected.  Forwarding a message from a sender site with strict DMARC
> set will be seen as a forgery by the recipient site receiving the
> mailing list and many sites, Google for one, will reject those
> messages.

If valid DKIM is ok, then you have a third option: Do not modify the
message.  Specifically, do not add a subject tag and do not add a
footer.

I believe the NetBSD lists operate this way.

I find the sender rewriting icky. If it rewrote to a per-user
forwarding address at the mail host, so that sending to that address
went only to the user, that would be ok, but combined with incorrect
List Reply-To: it becomes all too easy for private replies to end up on
lists. To me that is a bigger problem than just not allowing addresses
with strict DMARC policies to be on lists :-)

Attachment: signature.asc
Description: PGP signature
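
Added example, not part of the original thread: the DMARC pass rule from RFC 7489 (a message passes if SPF or DKIM passes with a domain aligned to the From: domain), applied to the list-forwarding cases discussed above. The host lists.example.org and the SPF/DKIM results are constructed; alignment is simplified to an exact or subdomain match with no Public Suffix List lookup, and pct= is ignored.

```python
def parse_dmarc(txt):
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; sp=reject;"."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def aligned(domain, from_domain, strict=False):
    """Simplified identifier alignment: equal, or (relaxed) one is a subdomain of the other."""
    d, f = domain.lower(), from_domain.lower()
    if strict:
        return d == f
    return d == f or d.endswith("." + f) or f.endswith("." + d)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf is (result, envelope-sender domain); dkim is a list of (result, d= domain)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf") == "s")
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim") == "s")
                  for result, d in dkim)
    # Either aligned mechanism is enough; the policy applies only when both fail.
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

def scenarios():
    record = "v=DMARC1; p=reject; sp=reject;"  # policy string quoted in the thread
    author = "yahoo.com"                       # From: header domain
    lst = "lists.example.org"                  # constructed list host
    return {
        # Sent straight from the author's provider: SPF and DKIM both aligned.
        "direct": dmarc_disposition(record, author, ("pass", author), [("pass", author)]),
        # List resends untouched: SPF passes for the list's envelope domain only,
        # but the author's DKIM signature still verifies.
        "list_unmodified": dmarc_disposition(record, author, ("pass", lst), [("pass", author)]),
        # List adds a subject tag or footer: the signed content changed, DKIM fails.
        "list_modified": dmarc_disposition(record, author, ("pass", lst), [("fail", author)]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```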