Gmail still explicitly permits anyone to send spoofed emails from Gmail users via their p=none DMARC policy. When is this going to be fixed? It's long overdue. To confirm `drill _dmarc.gmail.com TXT`.
"v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com"
Conversation
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
No, it doesn't. It only breaks mailing lists spoofing emails. As long as the mailing list only adds headers like List-Unsubscribe, the DKIM signature remains valid and it passes DMARC verification. Only misconfigured mailing lists would be broken, and they already are broken.
1
1
Don't send emails falsely claiming to originate from another address and it's not an issue... that's the feature working as intended, and as it should work. It shouldn't be possible to send spoofed mail whether or not it's a mailing list. Not at all needed to have a working list.
2
1
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
What mailing list do you use that's still broken with DMARC in 2020? Mailing list software was updated to deal with this a long time ago. You don't seem to be up-to-date with the status quo. You're talking about it as if it's still years ago and the software is still broken.
2
You’re unable to view this Tweet because this account owner limits who can view their Tweets. Learn more
DMARC doesn't break mailing lists. Mailing list software was updated to either avoid breaking DKIM signatures by not tampering with the emails or to mangle the From address to refer to the mailing list server since that's where that email was actually created if they modified it.
1
1
This is old news. It's not a recent change for DMARC to work properly with mailing lists. This was only a problem with software from many years ago when it was being introduced. Many major providers use p=reject or at least p=quarantine without issues. Gmail is an outlier now.
1
Perhaps mailing lists were part of why they originally used p=none but that's no longer an explanation for it in 2020. DMARC has worked fine with mailing lists for years. If a mailing list chooses to modify emails, the software is smart enough to avoid sending a spoofed email.