On 15 February 2017 at 09:34, Alice Wonder <al...@domblogger.net> wrote:
> On 02/15/2017 12:32 AM, Dominic Raferd wrote:
>>
>> On 15 February 2017 at 07:58, Richard James Salts
>> <post...@spectralmud.org> wrote:
>>>
>>> On 15 February 2017 6:47:31 PM AEDT, Viktor Dukhovni
>>> <postfix-us...@dukhovni.org> wrote:
>>>>
>>>> Please do not encourage novice users to configure DMARC. This does
>>>> much more harm than good. DMARC is legitimately for the few like
>>>> PayPal, abusively for too big to fail like Yahoo
>>>
>>
>> Viktor, off topic perhaps but I am interested in your downer on DMARC.
>> As I understand it, the point of DMARC is to prevent others from
>> sending fake mails that purport to come from 'me' or 'my' domain. I am
>> responsible for a few low-volume domains but this has happened to us,
>> as it probably has to most others. The global email system surely
>> needs a way to verify that emails are really from the purported sender
>> and that they have not been altered on their way to their intended
>> recipient, and DMARC (with DKIM, and not using p=none) offers this.
>> Are there better alternatives?
>>
>
> I'm not Viktor but I'll answer.
>
> I run DMARC on one domain just as a test and find it useless. The problem is
> mail lists: a lot of mail lists don't handle things correctly, resulting in
> one message to a list producing a ton of failure reports.
>
> For me, DMARC is one of those things that sounds good but in practice
> doesn't really work.
>
> Now PayPal - they usually don't send to mail lists so the problem I
> experience may not exist for them, but for me, it seems useless. Way way way
> too many false positives caused by my mail lists.
>
> I do run SPF and DKIM however. The thought is that if someone is sending
> fraudulent mail on behalf of my domain, failing those will increase the odds
> that it gets flagged by spam filters.
>
> I don't know how often that happens, it seems very rare that someone sends a
> message claiming to be from my domain and when they do, it usually is from
> my domain to my domain and it does get caught (e.g. fake mail from
> sales@whatever to admin@whatever or vice versa) by my spam filters. DMARC
> isn't needed to catch those though.
Thanks for your answer. There may be a problem between DMARC and mailing lists - I avoid p=reject or p=quarantine on domains I use for posting to mailing lists. SPF proves sender identity, but the final recipient MTA cannot rely on it if there are any intermediate relaying servers between it and the originating MTA; so while SPF=pass proves sender identity, SPF=fail proves nothing. DKIM proves content and/or header integrity but not sender identity (false DKIM can be injected - see http://www.zdnet.com/article/dkim-useless-or-just-disappointing/). DMARC uses alignment to prove identity *and* integrity; it is a solution to a fundamental problem, as I understand it.
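To make the alignment argument above concrete, here is an added worked example (written for this page; it is not code from the thread, from Postfix, or from any DMARC implementation). It evaluates a message's SPF and DKIM results against the RFC 7489 identifier-alignment rules and runs constructed scenarios: direct mail, the same mail relayed through a mailing list that rewrites the envelope sender and tags the Subject, a forgery whose SPF passes for the attacker's own domain, and a bounce subdomain under relaxed versus strict alignment (slightly beyond what the reply discusses). The domains example.net, lists.example.org and attacker.example, the pre-computed SPF/DKIM verdicts, and the organizational-domain shortcut (last two labels instead of a Public Suffix List lookup) are assumptions.

```python
"""DMARC alignment evaluator (RFC 7489 logic, simplified for illustration).

Added example for this thread, not code from Postfix or any DMARC library.
Assumptions: SPF/DKIM results are supplied as inputs (a real MTA gets them
from its verifiers), and the organizational domain is approximated by the
last two labels rather than a Public Suffix List lookup.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DkimSig:
    d: str          # the d= tag of the DKIM-Signature header
    result: str     # "pass" or "fail" as reported by the DKIM verifier


@dataclass
class Message:
    header_from: str                    # domain of RFC5322.From (what the user sees)
    mail_from: str                      # domain of RFC5321.MailFrom (envelope sender)
    spf_result: str                     # SPF verdict for mail_from at the receiving MTA
    dkim: List[DkimSig] = field(default_factory=list)


@dataclass
class DmarcRecord:
    p: str = "none"     # requested policy on failure: none / quarantine / reject
    adkim: str = "r"    # DKIM alignment mode: r(elaxed) or s(trict)
    aspf: str = "r"     # SPF alignment mode


def parse_dmarc_record(txt: str) -> DmarcRecord:
    """Parse the tag=value list of a _dmarc TXT record (unknown tags ignored)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return DmarcRecord(p=tags.get("p", "none"),
                       adkim=tags.get("adkim", "r"),
                       aspf=tags.get("aspf", "r"))


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels; real code
    must consult the Public Suffix List (think example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, header_from: str, mode: str) -> bool:
    """Identifier alignment per RFC 7489 section 3.1."""
    ident, hdr = identifier.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return ident == hdr
    return org_domain(ident) == org_domain(hdr)


def evaluate_dmarc(msg: Message, rec: DmarcRecord) -> Dict[str, object]:
    """DMARC passes if SPF passed *and* the envelope domain aligns with From,
    or if some DKIM signature verified *and* its d= aligns with From. An SPF
    or DKIM pass for an unrelated domain counts for nothing: that is the point
    of alignment."""
    spf_aligned = msg.spf_result == "pass" and aligned(msg.mail_from, msg.header_from, rec.aspf)
    dkim_aligned = any(s.result == "pass" and aligned(s.d, msg.header_from, rec.adkim)
                       for s in msg.dkim)
    passed = spf_aligned or dkim_aligned
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else rec.p,
    }


# Constructed scenarios; all domains and verdicts are made up for illustration.
DIRECT = Message(header_from="example.net", mail_from="example.net", spf_result="pass",
                 dkim=[DkimSig(d="example.net", result="pass")])

# Same message relayed by a mailing list: the list rewrites the envelope sender
# to its own bounce address (SPF passes, but for the list's domain), tags the
# Subject (the author's signature no longer verifies) and adds its own
# signature, which is for the wrong domain.
VIA_LIST = Message(header_from="example.net", mail_from="lists.example.org", spf_result="pass",
                   dkim=[DkimSig(d="example.net", result="fail"),
                         DkimSig(d="example.org", result="pass")])

# Forgery: From claims example.net, but SPF only authorizes attacker.example.
FORGED = Message(header_from="example.net", mail_from="attacker.example", spf_result="pass")

# Bounce subdomain: aligned under relaxed mode, not under strict mode.
SUBDOMAIN_BOUNCE = Message(header_from="example.net", mail_from="bounce.example.net",
                           spf_result="pass")


def run_scenarios() -> Dict[str, Dict[str, object]]:
    relaxed = parse_dmarc_record("v=DMARC1; p=reject; rua=mailto:dmarc@example.net")
    strict = parse_dmarc_record("v=DMARC1; p=quarantine; aspf=s; adkim=s")
    return {
        "direct": evaluate_dmarc(DIRECT, relaxed),
        "via_list": evaluate_dmarc(VIA_LIST, relaxed),
        "forged": evaluate_dmarc(FORGED, relaxed),
        "subdomain_relaxed": evaluate_dmarc(SUBDOMAIN_BOUNCE, relaxed),
        "subdomain_strict": evaluate_dmarc(SUBDOMAIN_BOUNCE, strict),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18} {verdict}")
```

The via_list case is exactly the failure-report flood described earlier in the thread: nothing is forged, but after the list's rewrite neither authenticated identifier belongs to the From domain, so a p=reject record tells every receiver to bounce the post. The forged case shows the converse: an SPF pass on its own proves only that the envelope domain authorized the sending host, and without alignment that host can say whatever it likes in From.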