Torge Riedel writes:
Am 23.09.21 um 09:56 schrieb Philip Colmer:
Just to confirm, the DMARC mitigation action is "Replace From: with list address" and DMARC mitigate unconditionally set to Yes?
"Replace From" is the recommendation ("Wrap Message" causes problems with many commonly-used mail clients).
"Mitigate Unconditionally" is a decision that is list-specific. For some lists mitigating only for authors whose sites publish "p=reject" and/or "p=quarantine" DMARC policies is a better choice. Factors include
- Mitigation sometimes makes it hard to identify the actual author, for both mail clients and (more frequently) for human users.
- Mitigation messes up the Reply-To process. Some subscribers will care, others won't even notice. Proportions differ for different lists.
- The fraction of posters who use DMARC-paranoid sites.
- Users may prefer a uniform look in the From header field, even if it's less accurate and convenient.
- Conditional mitigation used to require installing an additional Python package (dnspython, IIRC) on some platforms. I think this is now an unconditional dependency for Mailman 3 itself, but not sure. Ie, unconditional mitigation does not require installing additional packages, conditional mitigation I'm only 99.44% sure.
- List owner may be an RFC pedant (raises hand). Technically, RFC 5322 and predecessors strongly deprecate other agents changing the From header field. DMARC itself basically assumes that mail authors should not be using a "From" that triggers DMARC actions at any of their addressees. (This was explicit in some early drafts but was removed in mid-April 2014, I believe to shield AOL and Yahoo! from "nonconformance to your own RFC" criticism.)
I recall to had a bad mail reputation somewhere caused by mailman3 without DMARC mitigation. It only got better after changing the settings.
I'm sure this did happen. Changing the DMARC settings is a reasonable response.
Alternative perspective: I remove those addresses from my lists. ;-) (In fact, it's my email provider's policy: the Japanese government forbids use specifically of Yahoo! addresses for "government business", including public universities.)
Steve