[Mailman-Developers] Adding DMARC support for Mailman 3

Mon Jul 8 11:01:43 CEST 2013

Franck Martin writes:

 > If the From: contains the posting email of the mailing list, one
 > would think that the default becomes reply to the list, but this is
 > where Reply-To: can be used.

Most users do not display Reply-To; many cannot (at least not at their
level of technical skill).  This means that they get no indication of
the author of a message unless the author signs the body of the mail,
which often isn't done, and is impossible to enforce.  So this setting
is simply unacceptable except on announce/advertising lists (where
Reply-To is usually set to some other address anyway) and on anonymous
lists (which as far as I know are relatively rare).

If this option becomes a popular filter on large mail hosts,
discussion lists (ie, the kind of mailing list that Mailman was
originally intended to serve) will take a severe, perhaps fatal, blow.

 > I hope this helps alleviate concerns.

Unfortunately, it doesn't.  Imposition of authentication designed for
personal and other direct mail on aggregate-and-forward services like
Mailman is a knife at our throat in principle.  Despite obvious
goodwill on the part of IETF and others involved in the discussions, I
have seen no proposal that works well for discussion lists as
currently constituted.

And, even more unfortunate, there is ample evidence that the large
freemail services (including AOL), not to mention many inexpensive
hosting services, consider the possibility that even one spam gets
through a knife at *their* throats, while non-delivery of legitimate
mail is no problem because it can always be blamed on somebody
else.[1]  I fear that any halfway plausible plan (even one as flawed
as Gmail's handling of "own posts") could get quick and widespread
adoption if Mailman offers such features, and operators of discussion
lists will be blamed for their poor attitude toward spam-fighting when
they resist using them.

One might also speculate that the big portal operators are strategicly
hostile to independently operated mailing lists, as they would like
people to use their forum services instead.  But that's purely
speculation.

None of this is your fault or Murray's, or DMARC's or DKIM's (despite
its yahoo roots).  It is, however, a reality that *we* face.

 > PS: Stephen, Murray does not work for Google, and therefore cannot
 > change the way gmail works.

I'm aware of that.  I was ribbing him for his choice of mailbox at
Gamil.  He obviously thinks it's funny; nobody imposed it on him!

Footnotes: 
[1]  For example, my University's Information and Media Center (which
intercepts all SMTP connections, and likes to think of itself as in
the same class as the MIT Media Lab) labelled Murray's mail
"[Suspected Spam]" in the Subject field (which I removed in the
interest of remaining friends).  I can't even rely on the "[Spam]"
label when applied by their incompetent filters. :-(