On 23/05/15 22:45, Allan Hansen wrote:
I have waited almost a year for AOL and Yahoo to admit that they messed up and to remove their DMARC policy.
Me too. Sadly, Yahoo has recently (28 March) compounded their mess, probably necessitating an update to workarounds on some Mailman installations. Initially they said the policy would just involve "low-volume Yahoo international domains" http://comments.gmane.org/gmane.mail.spam.dmarc/2411 but when the deadline came it also included yahoo.co.uk, yahoo.fr and all Yahoo user domains I know of: http://comments.gmane.org/gmane.mail.spam.dmarc/2414
Background for anyone who doesn't know it: https://mail.python.org/pipermail/mailman-users/2014-April/ http://wiki.list.org/x/17891458 http://wiki.list.org/DEV/DMARC
[snippets] On 24/05/15 00:39, Mark Sapiro wrote:
In any case, I will refrain from discussing the merits of adding .invalid to the domain, but why do it for all domains and not just yahoo.com and aol.com or actually look up the From: domain's DMARC policy and only do it for domains with DMARC p=reject.
Some workarounds may look up _dmarc TXT record, others may maintain static lists of affected domains, some may choose to break RFC 5322 consistently because of some ISPs wrongly using p=reject for user email that is sent to discussion lists. In the case of static lists, these may need to be extended to include the above Yahoo domains.
On 21/08/15 19:26, Stephen J. Turnbull wrote:
DMARC p=reject gives list admins an unpleasant choice: (1) violate the mail standards and suffer various degradations of service because others in the mail system assume conformance (eg, your "wrong duplicate" problem), (2) tell your p=reject users that their posts are going to be rejected or discarded by many subscribers, or (3) stop decorating posts with [List] tags or material prefixed and affixed to the message body (so that the originator's DKIM signature will remain valid and the DMARC checks will pass).
N.B. The tech staff from Yahoo! and AOL have acknowledged (on the ietf-dmarc mailing list) that their employers are knowingly breaking mailing lists (and other services) to address their security fiascos. The designers of DMARC have always maintained that the Yahoo!/AOL use case is abusive -- DMARC was designed to protect official mail to customers sent on behalf of corporations by their employees, not the general use mail of users with addresses at freemail providers. In other words, mailing lists just shouldn't receive mail from p=reject domains, ever. No problem -- until Yahoo! and AOL decided to *create* one.
IMO, given those facts, posting from a Yahoo! or AOL address is just plain rude. (I can and do get away with banning their posts. I wish everybody could do that.)
Yes, someone really should explain to Marissa Mayer that every new anti-forgery acronym isn't appropriate or useful for user freemail and it's making Yahoo look incompetent and/or antisocial.