Gmail still explicitly permits anyone to send spoofed emails from Gmail users via their p=none DMARC policy. When is this going to be fixed? It's long overdue. To confirm: `drill _dmarc.gmail.com TXT`.
"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
To correct a common misconception: DMARC is compatible with mailing lists. Mailing list software supports it by either not tampering with signed emails (valid DKIM is enough for DMARC alignment) or by changing the From address to refer to the server that modified the email.
It's not an excuse for why Gmail doesn't prevent anyone from sending spoofed emails as Gmail users in 2020. Software like Mailman was updated to handle this years ago. They provide 2 ways of still modifying the emails, one of which is wrapping the original message in their own.
You’re unable to view this Tweet because this account owner limits who can view their Tweets.
No, it doesn't. It only breaks mailing lists spoofing emails. As long as the mailing list only adds headers like List-Unsubscribe, the DKIM signature remains valid and it passes DMARC verification. Only misconfigured mailing lists would be broken, and they already are broken.
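
The policy logic discussed in this thread, as an added example that is not part of the original tweets or of any project's code: it parses the DMARC record quoted above and returns what a receiver is asked to do with a message, depending on whether DKIM or SPF passed in alignment. The function names, `STRICT_RECORD` and the `example.org` domain are assumptions; the organizational domain is passed in by the caller rather than discovered, and the `pct` tag is ignored.

```python
# Record quoted in the thread for _dmarc.gmail.com.
GMAIL_RECORD = "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
# Constructed record for a hypothetical domain that enforces DMARC.
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record (semicolon-separated tag=value pairs) into a dict."""
    parts = [p for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = []
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first, and a policy record needs a valid p tag.
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    record = dict(tags)
    if record.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p tag")
    return record


def effective_policy(record, from_domain, org_domain):
    """Requested policy for a failing message; subdomains use sp, which defaults to p."""
    normalize = lambda d: d.lower().rstrip(".")
    if normalize(from_domain) != normalize(org_domain):
        return record.get("sp", record["p"])
    return record["p"]


def disposition(record, from_domain, org_domain, dkim_aligned, spf_aligned):
    """DMARC passes if either aligned check passes; otherwise the policy applies."""
    if dkim_aligned or spf_aligned:
        return "pass"
    return effective_policy(record, from_domain, org_domain)


if __name__ == "__main__":
    gmail = parse_dmarc(GMAIL_RECORD)
    strict = parse_dmarc(STRICT_RECORD)
    # Unauthenticated mail claiming a gmail.com From address: no action requested.
    print(disposition(gmail, "gmail.com", "gmail.com", False, False))
    # A list that leaves the DKIM signature intact still passes under p=reject.
    print(disposition(strict, "example.org", "example.org", True, False))
    # The same domain with neither check aligned is rejected.
    print(disposition(strict, "example.org", "example.org", False, False))
```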

