On 10/22/20 3:35 PM, Bob Proulx wrote: > Demi M. Obenour wrote: >> Viktor Dukhovni wrote: >>>> Demi M. Obenour <demioben...@gmail.com> wrote: >>>> This is really a security hole in gmail. Given the popularity of >>>> gmail, however, I seriously suggest somehow treating gmail as if it >>>> had p=reject, as it should. >>> No it should not have "p=reject" that's only for sites that only send >>> "transactional" email. And lack of DMARC is not a "security hole". >> >> "p=quarantine" might be a better choice, but I do consider lack of >> DMARC to be a security hole. I certainly don't want someone to be >> able to forge mail that claims to be from me. There are all sorts of >> nasty social engineering attacks someone could do with that ability, >> many of which have real-world consequences. > > Such as your mail from Gmail through mailing lists such as this one? > DMARC breaks traditional mailing list usage because it focuses on the > header address not the envelope address.
That's because MUAs display the From: header, not the envelope address. DMARC is aimed at preventing spoofing. If someone sends a message that claims to be from me, but is not, that could damage my reputation or worse. If GMail had p=reject, such a message would be dropped as a forgery. If a relative of mine gets a message that claims to be from me, but is actually from <demiobenour@notgmail.invalid>, they at least have a chance of knowing the message is bogus. > Sites with a strict DMARC policy require mailing lists to either > rewrite header addresses to avoid the breakage, or to drop the mail, > or other worse alternatives. Strict DMARC policy is why we are often > seeing "... via ..." in the From: addresses and the address rewritten > now when it is coming from a site that has set a strict DMARC policy. To me, that is a good thing. I *want* mailing lists to either relay the message without changes, or take ownership of the message body by changing the From: header. Otherwise, they are claiming that I sent a message that I never in fact sent, which is not okay. "... via ..." is what I want to see in a mailing list message. > Strict DMARC policy is suitable for banks and other direct mailing use > wishing higher security but is not suitable for a user's general email > where they want to send mail to mailing lists and have other > interactions with the community. If a mailing list relays mail without changing it, DMARC will pass, since the digital signature will still verify correctly. Changing the message without changing the From: header is spoofing, and mailing list software that does it is broken. > Bob Sincerely, Demi
OpenPGP_0xB288B55FFF9C22C1.asc
Description: application/pgp-keys
OpenPGP_signature
Description: OpenPGP digital signature
