[Mailman-Users] (relatively) new DMARC issues - and Gmail
Richard at Damon-Family.org
Sat Mar 31 19:12:12 EDT 2018
On 3/31/18 6:33 PM, Lindsay Haisley wrote:
> On Sat, 2018-03-31 at 17:57 -0400, Richard Damon wrote:
>> On 3/31/18 3:35 PM, Lindsay Haisley wrote:
>>> On Sat, 2018-03-31 at 14:50 -0400, Richard Damon wrote:
>>>> To me the issue sounds like why is fmp.com forwarding spam?
>>>> If this is a case of fmp.com offering forwarding mailboxes to users, who
>>>> might be using gmail as a final destination, then yes, fmp needs to try
>>>> to be as good at detecting spam as gmail or users need to accept the
>>>> increased spam levels.
>>> If pigs could fly ....! I do the very best job I can of filtering spam
>>> from inbound email, and get about 90% of it, maybe more, but fighting
>>> spam is a forever job of whack-a-mole. I certainly wish that I could do
>>> as good a job of parsing spam from legit email as Gmail does, but I'm a
>>> one-person shop, and have many tasks. Gmail has dozens, perhaps
>>> hundreds of very smart people assigned to managing their spam
>>> filtering, and they do a very good job of it. I could _never_ hope to
>>> match their efficiency or accuracy, nor could most small operations
>>> such as FMP Computer Services.
>> But coming at least close is the job you sign up for in being a mail
>> forwarder. You at least need to be good enough that you aren't seen by
>> google as an uncaring domain, and maintain enough information that they
>> can continue to do what they do well.
> Rest assured, we "come at least close". This is not an option here,
> it's a necessity. Email redirection is a feature of my MTA (Courier)
> and has been offered since FMP went into business in the 1990s. It's a
> standard feature of many MTAs and many ESPs offer it.
> I've had to deal with Gmail's honey-potting before, and I can do it
> again if necessary. I don't imagine that you've ever done commercial
> email administration, Richard, or you might have something constructive
> to say instead of just spewing admonitions to "do better".
I will admit that I haven't had to do that sort of email
administration. I have run mail servers for much smaller operations, and
do understand the difficulties (one reason I don't anymore). Just
pointing out that if you have decided to go into that business, you
really need a better story than "it's hard" to convince customers to use
you if you can't meet their expectations and needs.
>>> The problem is that Gmail is whitelisting based on the From address,
>>> rather than the Reply-To address, which should be an _option_ open to
>>> users. On Google's scale of operation, I'm just a fly on a dog turd so
>>> any feature which might benefit my users and subscribers is pretty much
>>> a no-nevermind for them.
>> Which is why I was saying make a 1:1 mapping of From addresses to
>> Reply-To addresses.
> The From address _has_ to be from an address at fmp.com, which is the
> reason for From-munging in the first place. If you don't understand how
> DMARC works, or the problems it causes, Mark, or someone else on this
> list can send you to a reference on it. The Reply-To address is EITHER
> the original Reply-To address on the received email, or, if it had
> none, the ORIGINAL From address. Mapping the Reply-To address to the
> munged From address makes no sense at all.
>>>> Another option is to deterministically munge the from address so every
>>>> incoming email address gets a unique fmp address that it represents (it
>>>> doesn't have to be absolutely unique, mostly unique is likely good
>>>> enough), something like replace the at with _at_ and add a tail wart
>>>> like _dmarc at fmp.com (so you can have other addresses and not worry about
>>>> possible overlaps with those) and use that as the from address. Then a
>>>> reply will only whitelist that specific original from address.
>>> Which, as I noted in my original post, will cause the Gmail user's mail
>>> account to end up with a whole lot of useless whitelisted addresses which
>>> would need to be deleted, and FMP's server might well end up getting
>>> blacklisted as a result.
>> No more than if GMail did implement a white-list on Reply-To addresses.
> No, because the Reply-To address is the _original_ From address. Such a
> whitelisting would be useless as long as Gmail's policy with regard to
> DMARC rejection remains in place, but unless we get into some kind of
> meta-heading BS, it's the best we might do.
I think you aren't understanding the munging I am suggesting. If I sent
a message that went through your system (and my setup triggered your
munging), it would be something like:
richard_at_damon.family.org_dmarc at fmp.com
This, and exactly this would be the from address for every message I
sent through your system to a gmail user. This would be the only address
that would get white-listed due to my messages. There should be no
additional whitelisting load due to this, unless I also contact them
outside your system.
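
The deterministic munging described in this message, sketched as an added example (not code from the poster, Mailman or Courier). The function names, the lowercasing step and the digest fallback for local parts longer than 64 characters are assumptions; the sample address is constructed from the one shown above.

```python
import hashlib
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

FORWARDER_DOMAIN = "fmp.com"  # forwarder's domain, as named in the thread
TAIL = "_dmarc"               # the "tail wart" suggested in the thread
MAX_LOCAL = 64                # RFC 5321 limit on the local part (assumed fallback below)


def munge_address(original: str) -> str:
    """Map one original sender address to one stable address at the forwarder."""
    # Lowercase so case variants of a sender map to the same munged address.
    local, _, domain = original.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an addr-spec: {original!r}")
    munged = f"{local}_at_{domain}{TAIL}"
    if len(munged) > MAX_LOCAL:
        # Too long for a local part: readable prefix plus a short digest,
        # which keeps the mapping deterministic and "mostly unique".
        digest = hashlib.sha256(munged.encode()).hexdigest()[:10]
        keep = MAX_LOCAL - len(TAIL) - len(digest) - 1
        munged = f"{munged[:keep]}_{digest}{TAIL}"
    return f"{munged}@{FORWARDER_DOMAIN}"


def munge_message(msg: EmailMessage) -> EmailMessage:
    """Rewrite From; keep an existing Reply-To, else use the original From."""
    name, addr = parseaddr(str(msg.get("From", "")))
    if "Reply-To" not in msg:
        msg["Reply-To"] = formataddr((name, addr))
    del msg["From"]
    msg["From"] = formataddr((name, munge_address(addr)))
    return msg


if __name__ == "__main__":
    m = EmailMessage()
    m["From"] = "Richard Damon <richard@damon.family.org>"  # constructed sample
    m["To"] = "user@gmail.com"                              # constructed sample
    munge_message(m)
    print(m["From"])      # munged address at the forwarder
    print(m["Reply-To"])  # original sender, so replies still reach them
```

Because the mapping depends only on the original address, every message from one sender arrives with the same From address, so a reply whitelists that single address.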