DMARC munging fails on subdomains that use parent domain policy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
GNU Mailman | Fix Released | High | Mark Sapiro | |
Bug Description
An address ending with "@reply.yahoo.com" posted a message to a list that has "dmarc_
This causes IsDMARCProhibited() in Utils.py to look up TXT records for "_dmarc.
However, in this situation, DMARC "clients" apparently need to look "up the chain" at "_dmarc.yahoo.com". See RFC 7489 section 4.3 point 7, and section 6.6.3 point 3 ("Organizational Domain"), and here's an example of it in action:
https:/
The result of this bug is that mail from a subdomain like "@reply.yahoo.com" does not get munged, but does get rejected downstream by yahoo.com/gmail.com etc. for failing DMARC policy.
(I'm using Mailman 2.1.20.)
Changed in mailman:
status: Fix Committed → Fix Released
Thank you for your report.
The fix I committed is something of a kludge and will test more domains than just the From: domain and Organizational Domain, as determining the Organizational Domain in general is a challenge, but hopefully it will produce the correct result in at least most cases.
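The parent-domain lookup discussed in this report, as an added example that is not Mailman's code and not the committed fix: it checks `_dmarc.` at the From: domain first and then at each parent, applying `sp=` when the record comes from a parent. The resolver is a constructed table (`SAMPLE_TXT`), all function names are hypothetical, and walking every parent is a simplification standing in for the Public Suffix List based Organizational Domain lookup of RFC 7489.

```python
# Constructed sample data standing in for DNS TXT answers (runs offline).
SAMPLE_TXT = {
    "_dmarc.yahoo.com": ["v=DMARC1; p=reject; pct=100"],
    "_dmarc.example.net": ["v=DMARC1; p=reject; sp=none"],
    "_dmarc.example.org": ["v=spf1 -all"],  # TXT present, but not DMARC
}

def sample_lookup(name):
    """Hypothetical resolver: TXT strings for name, or an empty list."""
    return SAMPLE_TXT.get(name, [])

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def effective_policy(from_domain, lookup_txt):
    """Return (domain_that_published_the_record, policy) for a From: domain.

    Assumption: parents are tried one label at a time, stopping before the
    bare TLD, instead of computing the Organizational Domain exactly.
    """
    labels = from_domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        for txt in lookup_txt("_dmarc." + candidate):
            tags = parse_dmarc(txt)
            if tags is None or "p" not in tags:
                continue
            # A record inherited from a parent uses sp= when it is present.
            if i > 0 and "sp" in tags:
                return candidate, tags["sp"]
            return candidate, tags["p"]
    return None, "none"

def should_munge(from_domain, lookup_txt, policies=("reject",)):
    """True when the effective policy is one the list must work around."""
    return effective_policy(from_domain, lookup_txt)[1] in policies
```

A lookup limited to the exact From: domain finds no record for `reply.yahoo.com` in this table, which is the failure the report describes.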