[ntp:questions] [META] lists.ntp.org borked DMARC settings

Jakob Bohm jb-usenet at wisemo.com.invalid
Fri May 10 01:23:37 UTC 2019

On 09/05/2019 17:06, John Levine wrote:
> In article <n-qdnSmIEPSoMk7BnZ2dnUU78R3NnZ2d at giganews.com>,
> Jakob Bohm  <jb-usenet at wisemo.com.invalid> wrote:
>> For about 2 months now, the lists.ntp.org gateway between the newsgroup
>> and mailing list has had a borked setting that rejects posts from real
>> e-mail addresses if the e-mail domain's DMARC is configured to the
>> minimums required to get actual mail accepted by other systems.
> My DMARC record says "p=none" and systems all over the world
> accept my mail just fine.  If someone has told you that mail
> systems require "p=quarantine", you've been badly misinformed.
> Please leave the mailing list alone.  None of the anti-DMARC settings
> actually work very well.

It is (ironically) Mailman mailing lists that required switching from 
p=none to p=quarantine .  Because otherwise they cause the reporting 
data to be flooded with alerts from all the mail servers that receive 
mailman forwarded mails "spoofing" the e-mail domains I manage.

Now early on (when Yahoo turned on DMARC as the first big e-mail host), 
some Mailman developers ranted and raved that DMARC should be sabotaged. 
They eventually somewhat relented at provided Mailman options to 
actually handle DMARC somewhat reasonably.

Now for some reason the Mailman on lists.ntp.org has been set up to:

- Run with the hopeless sabotage settings for DMARC.

- Seemingly drop mails sent to questions-owner.

- Direct the mailman mailbox to a closed mailing list while keeping 
 support pages that specify it as an outside contact point.

- Leave information placeholders in rejection mails unconfigured,
 resulting in the already insulting rejection mails containing 
 a placeholder field where the contact address should be.

In terms of improving e-mail security globally, it would be better 
if things like DMARC were easier to turn up to max, instead of 
having to keep it at ineffective levels to workaround mailing list 

Almost every day I see spam that wasn't rejected because a spoofed 
domain still runs with weak settings for SPF, DKIM, DMARC etc.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 

More information about the questions mailing list