Demi M. Obenour wrote:
> Viktor Dukhovni wrote:
> >> Demi M. Obenour <demioben...@gmail.com> wrote:
> >> This is really a security hole in gmail.  Given the popularity of
> >> gmail, however, I seriously suggest somehow treating gmail as if it
> >> had p=reject, as it should.
> > No, it should not have "p=reject"; that's only for sites that only send
> > "transactional" email.  And lack of DMARC is not a "security hole".
> 
> "p=quarantine" might be a better choice, but I do consider lack of
> DMARC to be a security hole.  I certainly don't want someone to be
> able to forge mail that claims to be from me.  There are all sorts of
> nasty social engineering attacks someone could do with that ability,
> many of which have real-world consequences.

Such as your mail from Gmail through mailing lists such as this one?
DMARC breaks traditional mailing list usage because it focuses on the
header address not the envelope address.

Sites with a strict DMARC policy require mailing lists to either
rewrite header addresses to avoid the breakage, or to drop the mail,
or other worse alternatives.  Strict DMARC policy is why we are often
seeing "... via ..." in the From: addresses and the address rewritten
now when it is coming from a site that has set a strict DMARC policy.

Strict DMARC policy is suitable for banks and other direct mailing use
wishing higher security but is not suitable for a user's general email
where they want to send mail to mailing lists and have other
interactions with the community.

Bob
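An added example, not part of this thread or of any message in it: a small Python model of DMARC identifier alignment that shows the breakage Bob describes. A list relay swaps the envelope sender for its own bounce address and usually modifies the message (subject tag, footer), which breaks the author's DKIM signature; with both identifiers unaligned, the author domain's strict policy applies to its own user's mail, and rewriting the From: header to the list's domain is what restores alignment. The domains, DMARC records, addresses and the list's behaviour are constructed assumptions, no DNS is consulted, and the organizational domain is approximated as the last two labels rather than via the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed DMARC records for the example (no DNS lookups are done).
# value: (policy, adkim, aspf); "r" = relaxed alignment, "s" = strict
DMARC_RECORDS = {
    "example.com": ("reject", "r", "r"),       # author's domain publishes a strict policy
    "lists.example.org": ("none", "r", "r"),   # the mailing list's domain
}
LIST_DOMAIN = "lists.example.org"


@dataclass(frozen=True)
class Message:
    header_from: str            # RFC5322.From address: the identifier DMARC aligns against
    envelope_from: str          # RFC5321.MailFrom address: the identifier SPF checks
    spf_result: str             # "pass" or "fail" for envelope_from's domain
    dkim_domain: Optional[str]  # d= of a *verified* DKIM signature; None if absent or broken


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    # Approximation of the organizational domain; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], from_dom: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed an org-domain match."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_dom
    return org_domain(auth_domain) == org_domain(from_dom)


def dmarc_evaluate(msg: Message) -> str:
    """Return 'pass', or the From: domain's policy ('none'/'quarantine'/'reject') on failure."""
    from_dom = domain_of(msg.header_from)
    record = DMARC_RECORDS.get(from_dom) or DMARC_RECORDS.get(org_domain(from_dom))
    if record is None:
        return "none"  # no DMARC record published: nothing to enforce
    policy, adkim, aspf = record
    spf_aligned = msg.spf_result == "pass" and aligned(domain_of(msg.envelope_from), from_dom, aspf)
    dkim_aligned = aligned(msg.dkim_domain, from_dom, adkim)
    return "pass" if (spf_aligned or dkim_aligned) else policy


def relay_through_list(msg: Message, list_domain: str,
                       modifies_content: bool = True, rewrite_from: bool = False) -> Message:
    """Model a mailing list relay (constructed behaviour, not any particular list software).

    The list always sends from its own bounce address, so SPF now vouches for the
    list's domain, not the author's.  Subject tags and footers break the author's
    DKIM signature.  With From: rewriting the list signs the message with its own key.
    """
    header_from = msg.header_from
    dkim_domain = None if modifies_content else msg.dkim_domain
    if rewrite_from:
        local = msg.header_from.split("@", 1)[0]
        header_from = f"{local}.via.list@{list_domain}"  # models "Author via List <list@...>"
        dkim_domain = list_domain
    return Message(header_from, f"list-bounces@{list_domain}", "pass", dkim_domain)


# Constructed sample messages.
ORIGINAL = Message("demi@example.com", "demi@example.com", "pass", "example.com")
SPOOFED = Message("demi@example.com", "someone@third-party.example", "fail", None)


def scenarios() -> dict:
    return {
        "direct": dmarc_evaluate(ORIGINAL),
        "spoofed": dmarc_evaluate(SPOOFED),
        "list_unmodified": dmarc_evaluate(relay_through_list(ORIGINAL, LIST_DOMAIN, modifies_content=False)),
        "list_modified": dmarc_evaluate(relay_through_list(ORIGINAL, LIST_DOMAIN)),
        "list_rewritten": dmarc_evaluate(relay_through_list(ORIGINAL, LIST_DOMAIN, rewrite_from=True)),
    }


if __name__ == "__main__":
    for name, disposition in scenarios().items():
        print(f"{name:16s} -> {disposition}")
```

The "list_unmodified" case is the nuance worth noting: SPF alignment is lost as soon as the list relays, but a list that leaves headers and body untouched keeps the author's DKIM signature intact and the mail still passes. The strict policy only bites once the list modifies the message, which is why the From: rewriting ("... via ...") Bob mentions has become common.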
