[Mailman-Users] (relatively) new DMARC issues - and Gmail

Mon Apr 2 15:14:16 EDT 2018

Have you considered sending your message to the Mailop mailing list?

I know that there are a couple of Gmail admins / coworkers that are 
subscribed to Mailop and will respond to issues like this.

Plus, it might also be a better forum and get more engagement / 
suggestions / gratitude by others learning from your toils.

On 03/31/2018 12:31 PM, Lindsay Haisley wrote:
> At some point Amazon (amazon.com) started publishing a DMARC 
> "p=quarantine" policy, which means that any email which gets redirected 
> and hits my dmarc_shield piece is going to have its From address re- 
> written to "postmaster at fmp.com" (fmp.com has a proper SPF record).

I'm sure that Amazon is just one of /many/ companies that are working 
with DMARC.  -  Seeing as how some ~> more governments are (going to be) 
requiring DMARC, I expect that we will see more of this.

> I don't know what Gmail's policy is with regard to "p=quarantine" 
> - whether it rejects such email outright or relegates it to the 
> recipient's spam folder. I know that if the sending site publishes 
> "p=reject", redirected email is refused by Gmail at the front door. 
> I'll have to test the "p=quarantine" behavior.

I'm confident that Mailop subscribers can respond to this.

> Here's the really annoying thing. My dmarc_shield processor rewrites the 
> From header as per SOP for Mailman with the proper switch turned on. The 
> From header address becomes "postmaster at fmp.com" with the original From 
> address in the address comment (from xxx at yyz.com). If the email didn't 
> already have a Reply-To address, the original From address is inserted 
> as the Reply-To address. If a Gmail user replies to such an email, the 
> reply goes to the Reply-To address, but Gmail **whitelists** the From 
> address! Thereafter, any email which comes in with a munged From address 
> is accepted, bypassing Gmail's otherwise pretty good spam filtering. I'm 
> noticing a lot of spam email going out with From addresses for which 
> a DMARC "p=reject" policy is published, which means that any such spam 
> redirected to the Gmail user via FMP is also whitelisted. Bah! It's a 
> fucking war zone out there!

I'm confident that Mailop subscribers can respond to this too.  Probably 
including reasons as to why something is done.

I speculate that it's to prevent abuse of meaningless addresses being 
used in the From: address and causing replies to go somewhere other than 
back to the (purported) sender.

> The only possible solution here would be to randomize the username portion 
> of the rewritten From address, which makes the email look more like spam, 
> and the Gmail user would end up with a whole lot of useless whitelisted 
> address which would need to be deleted. Not to mention the fact that 
> FMP's mail server might be blocked from sending ANY email to Gmail.

I initially thought about something like an MD5 hash of the (purported) 
 From address.  Though that still suffers from the multiple addresses 
being white listed.  Despite that, I'd consider forwarding from a 
"forwarding" (sub)domain.  Something to hopefully help articulate to the 
human looking at the complaints that the message is forwarded.  Plus 
this I would expect this to help differentiate email reputation for 
fmp.com from the (sub)domain used for forwarding.  (I don't know if a 
sub-domain would suffice or if it should be a different parallel / 
sibling domain, fmp-forwarding.com.)

-- 
Grant. . . .
unix || die