On 27/04/20 12:00 am, Richard Damon wrote:
Except that if the sender is sending from a domain with an email policy
that effectively says, "This domain is intended to send sensitive
information, please do not accept messages that do not come directly
from us", then it is reasonable to tell the sender that they are sending
messages outside their domain's (implied) terms of service, and either
they need to use a different service that is compatible with a mailing
list, or have the domain fix its implied declaration of usage.

But that's not what DMARC does.

This is exactly what DMARC is intended to indicate.

Ummm, no it's not.  DMARC is intended to stop mail From: header spoofing.

Configuring a domain
with DMARC says that it is intended that messages only be accepted if
they come directly from the sender.

I call BS on that, and in fact ARC was created specifically to allow third parties to forward DMARC policy messages on without having them flagged as Spam.

It was designed for things like
Banks to be able to send out messages that the recipients can trust came
from them and not a scammer. (A scammer could fake this out with a
'look-alike' domain, but that leaves a strong back trail to the scammer,
who tend to want to hide in the darkness of the web.)

Exactly, it's designed to prevent spoofing.

And here's my rant:

This is a *public mailing list* for Christ's sake! If you are going to post to it then you should expect your message to be seen by the public! DMARC will not stop or prevent this, all that DMARC does is send the message to Spam. It will still be seen in the mailing list archives and it will still land in some folder on nearly every member of this list's mailbox. If you have sensitive info DMARC will not stop that and you should not be posting sensitive info to a public mailing list!


Peter
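
The disagreement in this thread turns on what a DMARC check actually evaluates. The following is an added example, not part of either poster's message: a simplified RFC 7489 alignment check run over three constructed messages (all domains, results and the "quarantine" policy are assumptions), showing that a list relay that modifies the message fails the same test as a forged From: header.

```python
# Added example: simplified DMARC identifier alignment (RFC 7489).
# All messages below are constructed sample data, not real traffic.

def org_domain(domain):
    # Simplification (assumption): the last two labels stand in for the
    # organizational domain; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: organizational domains must match.
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(msg, policy):
    """Return (result, disposition) for one message under the From: domain's policy."""
    spf_ok = msg["spf"] == "pass" and aligned(msg["mail_from"], msg["from"])
    dkim_ok = any(res == "pass" and aligned(d, msg["from"])
                  for d, res in msg["dkim"])
    # DMARC passes if either SPF or DKIM passes AND aligns with From:.
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy

# Sent directly by the domain owner: SPF and DKIM both align.
DIRECT = {"from": "bank.example", "mail_from": "bounce.bank.example",
          "spf": "pass", "dkim": [("bank.example", "pass")]}

# Relayed by a mailing list that added a footer: the original DKIM
# signature no longer verifies, and SPF passes only for the list's domain.
VIA_LIST = {"from": "bank.example", "mail_from": "lists.example.org",
            "spf": "pass",
            "dkim": [("bank.example", "fail"), ("lists.example.org", "pass")]}

# Forged From: header sent from an unrelated domain.
SPOOFED = {"from": "bank.example", "mail_from": "unrelated.example",
           "spf": "pass", "dkim": []}

def evaluate_all(policy="quarantine"):
    return {name: dmarc_result(m, policy)
            for name, m in (("direct", DIRECT), ("via_list", VIA_LIST),
                            ("spoofed", SPOOFED))}

if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(name, outcome)
```

The check sees only authenticated domains versus the From: domain, so it cannot distinguish the list relay from the forgery; an ARC chain added by the relay is the extra evidence a receiver can use to tell them apart.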
