[Mailman-Developers] MM3 DMARC mitigations

Barry Warsaw barry at list.org
Mon Nov 7 21:05:39 EST 2016

On Nov 06, 2016, at 05:39 PM, Stephen J. Turnbull wrote:

>Maybe it's time to default to rejecting posts from p=reject domains,
>with the explanatory message:
>    Your domain publishes a "p=reject" DMARC policy, which is a
>    statement to recipients that they allow you to send only
>    authenticated direct mail.  This is a mailing list which re-sends
>    your mail after processing, and therefore you are not allowed to
>    post according to your email provider's policy.  Please repost
>    from an address which allows you to post to full service mailing
>    lists.
>    Note: A few large providers claim to permit posting to mailing
>    lists, but publish "p=reject" anyway.  They privately acknowledge
>    doing so to protect users from spammers and phishers who have
>    stolen millions of address books and other private information of
>    users from them.

With some verbiage massaging perhaps, I am supportive of a "hammer" option
such as this.  Maybe we can't enable it by default, but I don't think it's
unreasonable for site/list admins to be able to be more proactive in their
rejection of such messages.  It will probably make no difference, but if we
can inform users as to the real culprits in this mess, they can either
complain to their ISPs or vote with their feet and find a new provider.  That
won't happen if they continue to blame the list software or site.

(If we're serious about this, we should likely have a locked down wiki page
with more detail, linked to from the default p=reject rejection message.)
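The check that such a "hammer" option implies, sketched as an added example (it is not part of this message and is not Mailman code): find the DMARC policy that applies to the author's From: domain, following the discovery rules of RFC 7489, and refuse the post when that policy is `reject`. The `ZONE` table, `lookup_txt` and `org_domain_of` are constructed stand-ins for a DNS resolver and a Public Suffix List lookup.

```python
from email.utils import parseaddr

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of one TXT string, or None if it is not a DMARC record."""
    # RFC 7489: the record must start with the tag v=DMARC1.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def effective_policy(from_domain, org_domain, lookup_txt):
    """Policy that applies to from_domain: 'none', 'quarantine', 'reject' or None."""
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    for domain in dict.fromkeys([from_domain, org_domain]):
        records = [r for r in map(parse_dmarc, lookup_txt("_dmarc." + domain)) if r]
        if not records:
            continue              # nothing here: fall back to the organizational domain
        if len(records) > 1:
            return None           # several DMARC records: discovery terminates
        policy = records[0].get("p", "").lower()
        if domain != from_domain: # record found at the org domain: sp overrides p
            policy = records[0].get("sp", policy).lower()
        return policy if policy in VALID_POLICIES else None
    return None

def should_reject_post(from_header, org_domain_of, lookup_txt):
    """True when the From: domain's effective DMARC policy is p=reject."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    return effective_policy(domain, org_domain_of(domain), lookup_txt) == "reject"

# Constructed sample data standing in for DNS (assumption, not real records).
ZONE = {
    "_dmarc.bigmail.example": ["v=DMARC1; p=reject; rua=mailto:agg@bigmail.example"],
    "_dmarc.corp.example": ["v=DMARC1; p=reject; sp=none"],
    "_dmarc.smallisp.example": ["v=DMARC1; p=none"],
}
def lookup_txt(name):
    return ZONE.get(name, [])
def org_domain_of(domain):  # naive last-two-labels rule; real code needs the PSL
    return ".".join(domain.lower().split(".")[-2:])
```

The `sp=none` case shows why the subdomain tag matters: a post from `lists.corp.example` is accepted even though `corp.example` itself publishes `p=reject`.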


