[Slackbuilds-users] Today's DMARC debacle

Rob McGee rob0 at slackbuilds.org
Sun Mar 18 20:20:04 UTC 2018


Today a poster from a domain which published a DMARC "p=reject" 
policy posted to our mailing list.  Either his DMARC record is new, 
or gmail just started enforcing DMARC, and so, unseen by all our 
numerous gmail/googlemail and Google Apps subscribers, you were 
kicked off our list.

Yes, it's stupid.  DMARC allows third/fourth parties to do this 
denial of service.  Mailing lists since forever have used the 
original sender's "From:" header, but the list server's envelope 
sender.  DMARC looks at the header, not the envelope.

But, as with so many things, we are stuck with stupid stuff.

GNU Mailman already has a workaround for the problem: it looks up 
DMARC for the poster's domain, and if a "p=reject" is published, the 
From header is rewritten.  Yay, so you don't know who it was from.

(Another workaround is to simply disallow posts from such domains.)

Anyway, I'm working on the first workaround, and the poster who 
triggered all this is temporarily blocked from posting.

We have placed the list on emergency moderation mode for now.  
Please, no more posts about this until I get it resolved.  I will 
reply here when it is.

I'm sorry for the inconvenience.  I am sorry that DMARC exists.

Fortunately it was only the posts (two) from this poster which caused 
all the havoc.  Every subscriber who was removed from the list should 
have received their notification of removal.  The problem was not a 
matter of gmail not accepting mail from us; only that the DMARC 
perpetrator was listed in the From: header.  Not a factor for the 
removal notification mails from Mailman.
-- 
    Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
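
An added example, not part of the original post and not Mailman's own code: a simplified receiver-side DMARC check showing why a list post with a "p=reject" poster in From: is refused even though the list's envelope sender authenticates, and how the From rewrite described above avoids it. The domains, the records in SAMPLE_DMARC (standing in for DNS lookups) and all function names are constructed for illustration. It assumes SPF passes for the envelope domain, exact-match alignment, and a poster DKIM signature broken by list modifications.

```python
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed TXT records standing in for DNS lookups of _dmarc.<domain>.
SAMPLE_DMARC = {
    "strict.example": "v=DMARC1; p=reject",
    "relaxed.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain, records=SAMPLE_DMARC):
    """Return the published p= value, or "none" when no valid record exists."""
    tags = {}
    for part in records.get(domain.lower(), "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags.get("p", "none").lower() if tags.get("v") == "DMARC1" else "none"

def header_domain(msg):
    """Domain of the From: header address, the identity DMARC evaluates."""
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def receiver_verdict(msg, envelope_from, valid_dkim_domains=()):
    """Simplified check: SPF (envelope domain) or DKIM must match From:."""
    from_dom = header_domain(msg)
    authenticated = {envelope_from.rpartition("@")[2].lower(), *valid_dkim_domains}
    if from_dom in authenticated:
        return "accept"
    return "reject" if dmarc_policy(from_dom) == "reject" else "accept"

def munge_if_reject(msg, list_addr, list_name):
    """Rewrite From: to the list address only when the poster publishes p=reject."""
    if dmarc_policy(header_domain(msg)) != "reject":
        return False
    name, addr = parseaddr(str(msg["From"]))
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    msg["Reply-To"] = addr  # keep a route back to the original poster
    return True

def sample_post(sender):
    """Constructed list post as it leaves the list server."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "[list] test"
    msg.set_content("hello\n-- list footer added; poster's DKIM no longer verifies\n")
    return msg
```

A receiver that sees the unmodified post rejects it, which the list server records as a bounce against the subscriber; after the rewrite the From: domain matches the list's envelope domain and the same receiver accepts it.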

