[Mailman-Users] Yahoo extends DMARC p=reject to other domains

Sat Apr 9 14:56:56 EDT 2016

On 23/05/15 22:45, Allan Hansen wrote:
> I have waited almost a year for AOL and Yahoo to admit that they
> messed up and to remove their DMARC policy.

Me too.  Sadly, Yahoo has recently (28 March) compounded their mess,
probably necessitating an update to workarounds on some Mailman
installations.  Initially they said the policy would just involve
"low-volume Yahoo international domains"
http://comments.gmane.org/gmane.mail.spam.dmarc/2411 but when the
deadline came it also included yahoo.co.uk, yahoo.fr and all Yahoo user
domains I know of: http://comments.gmane.org/gmane.mail.spam.dmarc/2414

Background for anyone who doesn't know it:
https://mail.python.org/pipermail/mailman-users/2014-April/
http://wiki.list.org/x/17891458
http://wiki.list.org/DEV/DMARC

[snippets]
On 24/05/15 00:39, Mark Sapiro wrote:
> In any case, I will refrain from discussing the merits of adding
> .invalid to the domain, but why do it for all domains and not just
> yahoo.com and aol.com or actually look up the From: domain's DMARC
> policy and only do it for domains with DMARC p=reject.

Some workarounds may look up _dmarc TXT record, others may maintain
static lists of affected domains, some may choose to break RFC 5322
consistently because of some ISPs wrongly using p=reject for user email
that is sent to discussion lists.  In the case of static lists, these
may need to be extended to include the above Yahoo domains.

On 21/08/15 19:26, Stephen J. Turnbull wrote:
> DMARC p=reject gives list admins an unpleasant choice: (1) violate the
> mail standards and suffer various degradations of service because
> others in the mail system assume conformance (eg, your "wrong
> duplicate" problem), (2) tell your p=reject users that their posts are
> going to be rejected or discarded by many subscribers, or (3) stop
> decorating posts with [List] tags or material prefixed and affixed to
> the message body (so that the originator's DKIM signature will remain
> valid and the DMARC checks will pass).
>
> N.B. The tech staff from Yahoo! and AOL have acknowledged (on the
> ietf-dmarc mailing list) that their employers are knowingly breaking
> mailing lists (and other services) to address their security fiascos.
> The designers of DMARC have always maintained that the Yahoo!/AOL use
> case is abusive -- DMARC was designed to protect official mail to
> customers sent on behalf of corporations by their employees, not the
> general use mail of users with addresses at freemail providers. In
> other words, mailing lists just shouldn't receive mail from p=reject
> domains, ever. No problem -- until Yahoo! and AOL decided to *create*
> one.
>
> IMO, given those facts, posting from a Yahoo! or AOL address is just
> plain rude. (I can and do get away with banning their posts. I wish
> everybody could do that.)

Yes, someone really should explain to Marissa Mayer that every new
anti-forgery acronym isn't appropriate or useful for user freemail and
it's making Yahoo look incompetent and/or antisocial.

CK