[Mailman-Users] DMARC handler

Stephen J. Turnbull stephen at xemacs.org
Wed Jun 25 04:04:27 CEST 2014

Ron Guerin writes:

 > I would really like to do, as someone said earlier, just say "Friends
 > don't let Friends use Yahoo or AOL Mail."  But count me in with those
 > expecting Gmail to be next.  That's nearly half the subscribers of the
 > list I've been asking in regard to.

I think GMail would have to consider using "p=reject" if they suffered
a security breach like those at AOL and Yahoo!.  However, so far
they've kept their own counsel about respecting others' "p=reject",
and the way the attackers went directly from Yahoo! to AOL, and then
stopped, suggests they found GMail and Hotmail more difficult to
crack.  This may not just be an accident.  The business models differ
more or less, and GMail and Hotmail may be able to maintain a stronger
security profile vs. "management" business initiatives.

A second consideration is that the DMARC discussion group at IETF is
working on ways to allow mailing lists to sign the posts they
distribute, instead of depending only on the Author Domain's signature
for authentication in case of an Author Domain's "p=reject".  This is
a very difficult problem involving certain risks (in particular, it's
clearly ineffective against what are called "spear-phishing attacks"),
but in GMail's user profile those risks might be acceptable to GMail.

This does require that your MTA sign the posts you distribute after
any list modifications, but IMO it's quite possible that GMail will
allow lists to control their own destiny in that way, at least until
proven ineffective.  Of course that assumes that a draft gets
widespread support and GMail decides to implement it.

More information about the Mailman-Users mailing list