[Mailman-Users] (relatively) new DMARC issues - and Gmail
Grant Taylor
gtaylor at tnetconsulting.net
Mon Apr 2 15:14:16 EDT 2018
Have you considered sending your message to the Mailop mailing list?
I know that there are a couple of Gmail admins / coworkers that are
subscribed to Mailop and will respond to issues like this.
Plus, it might also be a better forum and get more engagement /
suggestions / gratitude by others learning from your toils.
On 03/31/2018 12:31 PM, Lindsay Haisley wrote:
> At some point Amazon (amazon.com) started publishing a DMARC
> "p=quarantine" policy, which means that any email which gets redirected
> and hits my dmarc_shield piece is going to have its From address re-
> written to "postmaster at fmp.com" (fmp.com has a proper SPF record).
I'm sure that Amazon is just one of /many/ companies that are working
with DMARC. - Seeing as how some ~> more governments are (going to be)
requiring DMARC, I expect that we will see more of this.
> I don't know what Gmail's policy is with regard to "p=quarantine"
> - whether it rejects such email outright or relegates it to the
> recipient's spam folder. I know that if the sending site publishes
> "p=reject", redirected email is refused by Gmail at the front door.
> I'll have to test the "p=quarantine" behavior.
I'm confident that Mailop subscribers can respond to this.
> Here's the really annoying thing. My dmarc_shield processor rewrites the
> From header as per SOP for Mailman with the proper switch turned on. The
> From header address becomes "postmaster at fmp.com" with the original From
> address in the address comment (from xxx at yyz.com). If the email didn't
> already have a Reply-To address, the original From address is inserted
> as the Reply-To address. If a Gmail user replies to such an email, the
> reply goes to the Reply-To address, but Gmail **whitelists** the From
> address! Thereafter, any email which comes in with a munged From address
> is accepted, bypassing Gmail's otherwise pretty good spam filtering. I'm
> noticing a lot of spam email going out with From addresses for which
> a DMARC "p=reject" policy is published, which means that any such spam
> redirected to the Gmail user via FMP is also whitelisted. Bah! It's a
> fucking war zone out there!
I'm confident that Mailop subscribers can respond to this too. Probably
including reasons as to why something is done.
I speculate that it's to prevent abuse of meaningless addresses being
used in the From: address and causing replies to go somewhere other than
back to the (purported) sender.
> The only possible solution here would be to randomize the username portion
> of the rewritten From address, which makes the email look more like spam,
> and the Gmail user would end up with a whole lot of useless whitelisted
> address which would need to be deleted. Not to mention the fact that
> FMP's mail server might be blocked from sending ANY email to Gmail.
I initially thought about something like an MD5 hash of the (purported)
From address. Though that still suffers from the multiple addresses
being white listed. Despite that, I'd consider forwarding from a
"forwarding" (sub)domain. Something to hopefully help articulate to the
human looking at the complaints that the message is forwarded. Plus
this I would expect this to help differentiate email reputation for
fmp.com from the (sub)domain used for forwarding. (I don't know if a
sub-domain would suffice or if it should be a different parallel /
sibling domain, fmp-forwarding.com.)
--
Grant. . . .
unix || die
More information about the Mailman-Users
mailing list