[Mailman-Developers] MM3 DMARC mitigations

Stephen J. Turnbull turnbull.stephen.fw at u.tsukuba.ac.jp
Tue Nov 8 00:16:05 EST 2016

Barry Warsaw writes:

 > It will probably make no difference, but if we can inform users as
 > to the real culprits in this mess, they can either complain to
 > their ISPs or vote with their feet and find a new provider.  That
 > won't happen if they continue to blame the list software or site.

Well, I'll be happy to create the patch just to make the statement,
but honestly, I doubt we can convince anybody who actually believes
that list software created this mess to believe otherwise.  Unlike
telephone numbers, email addresses are not portable, so the incentives
against moving (which weaken the effectiveness of complaints) are
really strong, too.

 > (If we're serious about this, we should likely have a locked down
 > wiki page with more detail, linked to from the default p=reject
 > rejection message.)

Agreed.  Maybe I'll sprint on this at PyConCA. :-)

The sad thing is the DMARC protocol is actually really well-designed
for two purposes: allowing mailbox providers to get information about
mal-use of their domain names, and allowing organizations that conduct
business transactions via direct email to prevent spoofing.  It
doesn't address the problem of spoofed indirect mail (like mailing
list posts) because that's just a really hard problem because there's
no known good way to inform users about the trustworthiness of
individual messages.  (I'd like to blame it on the popular MUAs, but
I'm afraid the problem is deeper than that.)


More information about the Mailman-Developers mailing list