[Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

Stephen J. Turnbull stephen at xemacs.org
Mon May 5 08:59:22 CEST 2014

Peter Shute writes:

 > How does Yahoo's DMARC policy reduce the benefit of Paypal's?
 > Because servers can't follow the reject recommendation without

No, it's because users get used to ignoring warnings about DMARC
issues.  If it was *only* your bank, you'd learn to pay attention to
them.  But when you (FVO "you" susceptible to phishing in the first
place, of course!) see a pile of DMARC workarounds every day for 70%
of your correspondents, how do you respond to this?

    All of our mail to you has come back to us due to DMARC rejects,
    so we need to use this unusual address.

    Please confirm your blah-blah-blah by clicking <here> and logging
    in to our secure site.

2% of AOL customers will respond by clicking, at last report. :-(

Let's put it this way: When was the last time you saw an "unvalidated
SSL certificate"?  Is that timestamp equal to the last time you
followed up by checking the root cert's fingerprint on the authority's
secure site?  Or is the latter equal to -1? ;-)

 > And does the emergence of legitimate p=reject policies mean it's
 > now less likely Yahoo and AOL will back down?

What makes you think the banks didn't start doing this ages ago?
Apparently they merely haven't made an explicit announcement.

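The thread above talks about receivers honouring (or not) a p=reject policy and about the list-relay case that triggers the "DMARC workarounds". The following is an added example, not code from the Mailman-Users thread or from Mailman itself: a minimal DMARC policy evaluator that parses a published record, checks SPF/DKIM identifier alignment against the RFC5322.From domain, and returns the disposition a receiver following the policy would apply. The domain names and authentication results are constructed placeholders; the organizational-domain helper is a deliberate simplification (last two labels) of the Public Suffix List lookup a real implementation would use.

```python
"""Added example: evaluate a DMARC policy for a message (RFC 7489 semantics).

The records, domains and authentication results used here are constructed
for illustration; none of them refer to real DNS data.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag->value dict.

    Fills in the RFC 7489 defaults for adkim, aspf, pct and sp.
    Raises ValueError for anything that is not a usable DMARC record.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # apply policy to all failing mail
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption/simplification: real receivers consult the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' a shared org domain."""
    if not auth_domain:
        return False
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    from_domain: str                 # RFC5322.From domain (what the user sees)
    spf_pass_domain: str = ""        # RFC5321.MailFrom domain if SPF passed, else ""
    dkim_pass_domains: tuple = ()    # d= of every DKIM signature that verified


def dmarc_disposition(record: str, res: AuthResults,
                      is_subdomain: bool = False, sample: int = 0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject'.

    sample is a deterministic 0-99 stand-in for the receiver's pct sampling roll.
    """
    tags = parse_dmarc_record(record)
    spf_ok = aligned(res.from_domain, res.spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(res.from_domain, d, tags["adkim"])
                  for d in res.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["sp"] if is_subdomain else tags["p"]
    if policy == "none":
        return "none"
    # pct: only that share of failing mail gets the published policy; the rest
    # gets the next less severe action (RFC 7489 section 6.6.4).
    if sample >= int(tags["pct"]):
        return "quarantine" if policy == "reject" else "none"
    return policy


if __name__ == "__main__":
    bank = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"
    # Constructed list-relay case: SPF passes for the list's bounce domain,
    # the author's DKIM signature broke on the list footer, the list's own
    # signature is not aligned with the From domain -> reject.
    relayed = AuthResults("bank.example", "list.example", ("list.example",))
    print("relayed unchanged:", dmarc_disposition(bank, relayed))
    # The From-munging workaround: From domain becomes the list's, so SPF aligns.
    munged = AuthResults("list.example", "list.example", ("list.example",))
    print("From rewritten to list:", dmarc_disposition(bank, munged))
```

The two printed cases are exactly the pair the thread argues about: the unmodified relay of a p=reject sender is rejected by a compliant receiver, and rewriting From to the list domain makes it pass, at the cost of the user no longer seeing the original sender.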
